Edit tour

Windows Analysis Report
zPJUOck9wt.exe

Overview

General Information

Sample name:	zPJUOck9wt.exe renamed because original name is a hash value
Original sample name:	1bf851229cdc8a1b97523ed4fa48b977.exe
Analysis ID:	1581726
MD5:	1bf851229cdc8a1b97523ed4fa48b977
SHA1:	037c0db18b290df45a54ff23556516b24206173d
SHA256:	ce6667acf10faea38244c15da512a68d09725f9e21bb5edc6b22d1048ddc552f
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sleep loop found (likely to delay execution)

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

zPJUOck9wt.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\zPJUOck9wt.exe" MD5: 1BF851229CDC8A1B97523ED4FA48B977)

cmd.exe (PID: 7448 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Update.exe (PID: 7492 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)

cmd.exe (PID: 8036 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8100 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 8116 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 8144 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 5776 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1272 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 2844 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 1020 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6032 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 7760 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 1364 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4296 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 3488 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 8160 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1772 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8168 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2056 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Update.exe PID: 7492	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7448, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 7492, ProcessName: Update.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Users\Public\Bilite\Axialis\Update.exe, ParentProcessId: 7492, ParentProcessName: Update.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 8160, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 206.238.198.14, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\Update.exe, Initiated: true, ProcessId: 7492, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49771

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8168, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ProcessId: 2056, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8168, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ProcessId: 2056, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T21:02:32.186144+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49782	206.238.198.14	9091	TCP
2024-12-28T21:03:47.041658+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49793	206.238.198.14	9091	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.dll	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\backup.dll	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: zPJUOck9wt.exe	ReversingLabs: Detection: 40%
Source: zPJUOck9wt.exe	Virustotal: Detection: 48%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8A9FF0 CryptAcquireContextW,std::bad_exception::bad_exception,CryptImportKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptDestroyKey,CryptReleaseContext,	3_2_6C8A9FF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8A9A10 CryptAcquireContextW,std::bad_exception::bad_exception,CryptCreateHash,CryptReleaseContext,std::bad_exception::bad_exception,CryptHashData,CryptDestroyHash,CryptReleaseContext,std::bad_exception::bad_exception,CryptHashData,CryptDestroyHash,CryptReleaseContext,std::bad_exception::bad_exception,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,std::bad_exception::bad_exception,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,std::bad_exception::bad_exception,CryptDestroyHash,CryptReleaseContext,	3_2_6C8A9A10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8A98F0 CryptStringToBinaryA,std::bad_exception::bad_exception,CryptStringToBinaryA,std::bad_exception::bad_exception,	3_2_6C8A98F0

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Unpacked PE file: 3.2.Update.exe.3520000.6.unpack

Source: zPJUOck9wt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: \YSS\Release\Update.pdb source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2410518673.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2534470086.000000000796B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2535107741.00000000079D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb` source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Morpheme.pdb source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, install_flash_player_ppapi.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1708161152.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3530302410.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000010.00000002.2539091194.0000000008AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1708161152.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3530302410.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb[~ source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbB source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: z:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: x:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: v:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: t:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: r:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: p:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: n:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: l:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: j:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: h:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: f:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: b:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: y:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: w:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: u:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: s:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: q:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: o:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: m:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: k:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: i:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: g:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8EEB8C __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	3_2_6C8EEB8C

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_035280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_035280F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49782 -> 206.238.198.14:9091
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49793 -> 206.238.198.14:9091

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 206.238.198.14 ports 18852,1,2,5,9091,8

Source: global traffic

TCP traffic: 192.168.2.4:49771 -> 206.238.198.14:18852

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.198.14

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03523360 recv,timeGetTime,_memmove,

3_2_03523360

Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: zPJUOck9wt.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000010.00000002.2527468673.0000000003355000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2527848024.0000000003078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: zPJUOck9wt.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: zPJUOck9wt.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: zPJUOck9wt.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: zPJUOck9wt.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: zPJUOck9wt.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: zPJUOck9wt.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000010.00000002.2531199719.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: zPJUOck9wt.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: zPJUOck9wt.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.000000000550E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000010.00000002.2528899366.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.000000000550E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, install_flash_player_ppapi.exe.0.dr	String found in binary or memory: https://://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_install_
Source: powershell.exe, 00000010.00000002.2528899366.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2538521216.00000000074E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000010.00000002.2531199719.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: zPJUOck9wt.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0352E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0352E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0352E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0352E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0352E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

3_2_0352E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_0352E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0352BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

3_2_0352BC70

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6C902969 GetAsyncKeyState,SendMessageW,GetClientRect,SetScrollPos,

3_2_6C902969

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0352E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

3_2_0352E4F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8E7757 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,		3_2_6C8E7757
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8C51AD GetKeyState,GetKeyState,GetKeyState,SendMessageW,		3_2_6C8C51AD

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6C8A9FF0 CryptAcquireContextW,std::bad_exception::bad_exception,CryptImportKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,std::bad_exception::bad_exception,CryptDestroyKey,CryptReleaseContext,

3_2_6C8A9FF0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0352B463 ExitWindowsEx,	3_2_0352B463
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0352B41B ExitWindowsEx,	3_2_0352B41B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0352B43F ExitWindowsEx,	3_2_0352B43F

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03526EE0	3_2_03526EE0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03526C50	3_2_03526C50
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0353E341	3_2_0353E341
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03538381	3_2_03538381
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0353EA1D	3_2_0353EA1D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03528900	3_2_03528900
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0353F9FF	3_2_0353F9FF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0353D89F	3_2_0353D89F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0353DDF0	3_2_0353DDF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_035224B0	3_2_035224B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8F4EAB	3_2_6C8F4EAB
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8E0AA6	3_2_6C8E0AA6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA04590	3_2_6CA04590
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8FE6EA	3_2_6C8FE6EA
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA2408E	3_2_6CA2408E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8D00CD	3_2_6C8D00CD
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA18068	3_2_6CA18068
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8D62D4	3_2_6C8D62D4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA002D4	3_2_6CA002D4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA0BCBF	3_2_6CA0BCBF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA0DCF0	3_2_6CA0DCF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8C5898	3_2_6C8C5898
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8D58FE	3_2_6C8D58FE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA09435	3_2_6CA09435
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8D51A8	3_2_6C8D51A8
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8D33A6	3_2_6C8D33A6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001122F	3_2_1001122F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_100024B0	3_2_100024B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1000B66A	3_2_1000B66A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011780	3_2_10011780
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10010CDE	3_2_10010CDE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10012D91	3_2_10012D91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011E5C	3_2_10011E5C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DC0032	3_2_02DC0032
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DD1206	3_2_02DD1206
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DCB641	3_2_02DCB641
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DD1757	3_2_02DD1757
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DC2487	3_2_02DC2487
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DD0CB5	3_2_02DD0CB5
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DD2D68	3_2_02DD2D68
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033BF3BE	3_2_033BF3BE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033BD25E	3_2_033BD25E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033A82BF	3_2_033A82BF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033A689F	3_2_033A689F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033BD7AF	3_2_033BD7AF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033A660F	3_2_033A660F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033A1E6F	3_2_033A1E6F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033BDD00	3_2_033BDD00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033B7D40	3_2_033B7D40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_04D91CA1	16_2_04D91CA1

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Bilite\Axialis\Update.exe 0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 03534300 appears 32 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C9FFB70 appears 66 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C9FF6A7 appears 64 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C9FFA8E appears 199 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C8DB869 appears 44 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C9FFAC1 appears 64 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C8BFF40 appears 39 times

Source: zPJUOck9wt.exe

Static PE information: invalid certificate

Source: zPJUOck9wt.exe, 00000000.00000000.1670790997.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe, 00000000.00000000.1670790997.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe, 00000000.00000003.1705906510.0000000000750000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlashUtil.exev+ vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe, 00000000.00000003.1671779792.000000000254D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe, 00000000.00000003.1671779792.000000000254D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamensdksetupJ vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs zPJUOck9wt.exe
Source: zPJUOck9wt.exe	Binary or memory string: OriginalFilename7zSfxNew.exe< vs zPJUOck9wt.exe

Source: zPJUOck9wt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/28@0/1

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03527B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	3_2_03527B70
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03527740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_03527740
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03527620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	3_2_03527620

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03526050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

3_2_03526050

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

File created: C:\Users\Public\Bilite

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12.12
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: zPJUOck9wt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zPJUOck9wt.exe	ReversingLabs: Detection: 40%
Source: zPJUOck9wt.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

File read: C:\Users\user\Desktop\zPJUOck9wt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zPJUOck9wt.exe "C:\Users\user\Desktop\zPJUOck9wt.exe"
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: update.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"

Source: install_flash_player_ppapi.exe.lnk.3.dr

LNK file: ..\..\Public\Bilite\install_flash_player_ppapi.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: zPJUOck9wt.exe

Static file information: File size 21615909 > 1048576

Source:	Binary string: \YSS\Release\Update.pdb source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2410518673.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2534470086.000000000796B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2535107741.00000000079D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb` source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Morpheme.pdb source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, install_flash_player_ppapi.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1708161152.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3530302410.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000010.00000002.2539091194.0000000008AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002B8B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1708161152.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3530302410.0000000000582000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb[~ source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbB source: powershell.exe, 00000010.00000002.2535107741.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Unpacked PE file: 3.2.Update.exe.3520000.6.unpack

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03534345 push ecx; ret	3_2_03534358
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0354A168 push eax; ret	3_2_0354A119
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0354A0B8 push eax; ret	3_2_0354A119
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03542450 push ebp; retf	3_2_03542474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03542470 push ebp; retf	3_2_03542474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C9FFA5C push ecx; ret	3_2_6C9FFA6F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10009DF5 push ecx; ret	3_2_10009E08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001FE9A push ecx; ret	3_2_1001FEBF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DCCAFF push eax; retf	3_2_02DCCB00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DCCB61 pushfd ; retf	3_2_02DCCB64
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DCCB0B push 701000CBh; retf	3_2_02DCCB10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DCCB07 pushad ; retf	3_2_02DCCB08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DC9DCC push ecx; ret	3_2_02DC9DDF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033B3D04 push ecx; ret	3_2_033B3D17

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	File created: C:\Users\Public\Bilite\Axialis\Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	File created: C:\Users\Public\Bilite\Axialis\Update.exe	Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	File created: C:\Users\Public\Bilite\install_flash_player_ppapi.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8C68AC IsIconic,	3_2_6C8C68AC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8C99DC IsWindowVisible,IsIconic,	3_2_6C8C99DC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8E5ACD GetParent,IsIconic,GetParent,	3_2_6C8E5ACD
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8CF4BA SendMessageW,IsIconic,IsWindowVisible,	3_2_6C8CF4BA
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8F7012 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	3_2_6C8F7012

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0352B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_0352B3C0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Window / User API: threadDelayed 5586	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7982	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1536	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3434	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll			Jump to dropped file
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Dropped PE file which has not been started: C:\Users\Public\Bilite\install_flash_player_ppapi.exe			Jump to dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_3-105557
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_3-105556

Source: C:\Users\Public\Bilite\Axialis\Update.exe

API coverage: 10.0 %

Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7520	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7516	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 8052	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7404	Thread sleep count: 300 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7364	Thread sleep count: 5586 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7364	Thread sleep time: -55860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 8148	Thread sleep count: 239 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep count: 7982 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928	Thread sleep count: 1536 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572	Thread sleep count: 3434 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1396	Thread sleep count: 197 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4364	Thread sleep count: 261 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7768	Thread sleep count: 266 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3720	Thread sleep count: 177 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Thread sleep count: Count: 5586 delay: -10

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C8EEB8C __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	3_2_6C8EEB8C

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_035280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_035280F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03527410 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

3_2_03527410

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 73000	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Update.exe, 00000003.00000002.3530589772.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

API call chain: ExitProcess graph end node

graph_3-105054

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_005815D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_005815D0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0353054D VirtualProtect ?,-00000001,00000104,?

3_2_0353054D

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DC0AE4 mov eax, dword ptr fs:[00000030h]		3_2_02DC0AE4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_033A00CD mov eax, dword ptr fs:[00000030h]		3_2_033A00CD

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03526790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

3_2_03526790

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_005815D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_005815D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00581764 SetUnhandledExceptionFilter,	3_2_00581764
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00581A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00581A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0352DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	3_2_0352DF10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0352F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0352F00A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03531F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_03531F67
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA0A83C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CA0A83C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA0060D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CA0060D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C9FFE55 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C9FFE55
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10008587
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10006815
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02DC67EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_02DC67EC

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Contains functionality to inject code into remote processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_035277E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

3_2_035277E0

Contains functionality to inject threads in other processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_035277E0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		3_2_035277E0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		3_2_035277E0

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: Update.exe, 00000003.00000002.3531690068.00000000046C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inProgram Manager
Source: Update.exe, 00000003.00000003.3047408565.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3375985632.00000000046C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram ManagerD

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\zPJUOck9wt.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	3_2_03525430
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CA26DC7
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,	3_2_6C8DEDE4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CA26EB9
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CA26E6E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CA26FDF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CA26F54
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CA1C911
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_6CA26BC2
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CA1C3A5
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CA27461
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CA27537
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CA27232
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6CA2735B

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03535D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_03535D22

Source: C:\Users\user\Desktop\zPJUOck9wt.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Update.exe	Binary or memory string: acs.exe
Source: Update.exe	Binary or memory string: vsserv.exe
Source: Update.exe	Binary or memory string: kxetray.exe
Source: Update.exe	Binary or memory string: avcenter.exe
Source: Update.exe	Binary or memory string: KSafeTray.exe
Source: Update.exe	Binary or memory string: cfp.exe
Source: Update.exe	Binary or memory string: avp.exe
Source: Update.exe	Binary or memory string: 360Safe.exe
Source: Update.exe	Binary or memory string: rtvscan.exe
Source: Update.exe	Binary or memory string: 360tray.exe
Source: Update.exe	Binary or memory string: ashDisp.exe
Source: Update.exe	Binary or memory string: TMBMSRV.exe
Source: Update.exe	Binary or memory string: 360Tray.exe
Source: Update.exe	Binary or memory string: avgwdsvc.exe
Source: Update.exe	Binary or memory string: AYAgent.aye
Source: Update.exe	Binary or memory string: RavMonD.exe
Source: Update.exe	Binary or memory string: QUHLPSVC.EXE
Source: Update.exe	Binary or memory string: Mcshield.exe
Source: Update.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: Update.exe PID: 7492, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: Update.exe PID: 7492, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	141 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	222 Process Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	141 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	38 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Indicator Removal	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zPJUOck9wt.exe	41%	ReversingLabs	Win32.Ransomware.Generic
zPJUOck9wt.exe	49%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Bilite\Axialis\Update.dll	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Bilite\Axialis\Update.exe	0%	ReversingLabs
C:\Users\Public\Bilite\install_flash_player_ppapi.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\backup.dll	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\backup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_install_	0%	Avira URL Cloud	safe
https://ion=v4.5	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	zPJUOck9wt.exe	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000010.00000002.2531199719.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	zPJUOck9wt.exe	false		high
https://://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_install_	zPJUOck9wt.exe, 00000000.00000003.1704517965.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, install_flash_player_ppapi.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	zPJUOck9wt.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	zPJUOck9wt.exe	false		high
http://ocsp.sectigo.com0	zPJUOck9wt.exe	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.000000000550E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000010.00000002.2528899366.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000011.00000002.2538521216.00000000074E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	zPJUOck9wt.exe	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000010.00000002.2528899366.0000000004F06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.000000000550E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.2531199719.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2535009180.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	zPJUOck9wt.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	zPJUOck9wt.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000010.00000002.2528899366.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2529008184.0000000004D51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2529008184.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.238.198.14	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581726
Start date and time:	2024-12-28 21:00:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zPJUOck9wt.exe renamed because original name is a hash value
Original Sample Name:	1bf851229cdc8a1b97523ed4fa48b977.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/28@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 161 Number of non-executed functions: 239
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1772 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2056 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	167.141.254.58
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	216.28.86.0
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	38.51.219.172
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	38.10.253.126
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	149.50.108.116
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	38.190.108.87
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	38.4.108.178
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	38.93.54.69
	armv6l.elf	Get hash	malicious	Mirai	Browse	38.225.230.112
	telnet.x86.elf	Get hash	malicious	Unknown	Browse	38.162.177.172

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\Public\Bilite\Axialis\Update.exe	MEuu1a2o6n.exe	Get hash	malicious	GhostRat	Browse
C:\Users\Public\Bilite\Axialis\Update.exe	MEuu1a2o6n.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

Download File

Process:	C:\Users\user\Desktop\zPJUOck9wt.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.265319531114784
Encrypted:	false
SSDEEP:	3:iqkdd0LEgncgVjfkbRn:ilfwBctn
MD5:	E6A32CA4BF503C5CA8A78E2F5472A4DF
SHA1:	5D3E6DF8AA7FA052F7CB212B08A1801C5A6561B1
SHA-256:	D23108539C9A78F5FBC141FB1AE2A980967E188BF693DFF1055F83028D29833D
SHA-512:	0E39657A57D3813FB441EB1FB5280AF573CE717D13178FAEC2F4B4DFBD605BEA5658A6A35FFB29B2EDA9BB0F7D24EE51286A66E509A1A9CD8ADBE2514C4CEB93
Malicious:	false
Preview:	U2FsdGVkX19I8ZtoqW93Fj6yeovix5itQRtgLoSHjApm80LQ/4FyDlKt1AiPVRRD

C:\Users\Public\Bilite\Axialis\Update.dll

Download File

Process:	C:\Users\user\Desktop\zPJUOck9wt.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2214912
Entropy (8bit):	6.635782448765808
Encrypted:	false
SSDEEP:	49152:6WProiAXfi2iG9bcEaU0yl0bZU4yBhQV2bYQKabQQ4o5gnKqxSpkDUC:6WPrZAXfPiG9bKU0FlU4ybpPKabQg5gD
MD5:	9939E9DDC47F7DC405A107DC882126E3
SHA1:	2EF13A0ECC77F7FA6578FC04D8F913759808881D
SHA-256:	037929DF4F79A5060FDB189A9248C22A926D937018E52FB8BA36FA2AFB05404C
SHA-512:	753FBBC04C52391C0815D94BB101FF585DD72FF643CDA09BF0F72ADC80AB667ADB9F19299357743B1905DE38EB9D75D4D2BD30E7AC57F9DF7E1DBDA782B3AF81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3i{.R.(.R.(.R.(..).R.(..).R.(..)wR.(..).R.(..).R.(.R.(.Q.(...).R.(...).R.(...)&S.( ..).R.( ..).R.( ..(.R.( ..).R.(Rich.R.(........................PE..L...B.kg...........!........2......+........................................@"...........@.............................P.......h........H.................... .0....8..p....................9.......7..@............................................text.............................. ..`.rdata..p].......^..................@..@.data...........\..................@....rsrc....H.......H...T..............@..@.reloc..0..... ..0..................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\Update.exe

Download File

Process:	C:\Users\user\Desktop\zPJUOck9wt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MEuu1a2o6n.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\install_flash_player_ppapi.exe

Download File

Process:	C:\Users\user\Desktop\zPJUOck9wt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20846560
Entropy (8bit):	7.987627287733052
Encrypted:	false
SSDEEP:	393216:zaD7gW+8fh6K6SHC17vRtYHL6pvUBIl2vnhbGwxi:zEnwK6Si9vo6JUE41Gb
MD5:	3CBDCE6D8C779406AC208A16E4953D10
SHA1:	60A251BC7383443131C4C58DF9081B73009AA955
SHA-256:	6B0CC56214DBB2199DABF5CD7D60C6A07EF418342E9343EDCA12F8ABA1061A72
SHA-512:	7E76B71B5BF7DE40D0174AC8B73ED7EA3E7D957CEEE7989A655E48EE8AF56533D721195DB500200DA4BCAC3690921DF821E4C58EB2C92CC554CAFA40ECFA2383
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N...........W....W.E......F.....T......T..............W.......P.G.....G.....D......B....Rich...........................PE..L...8g.Z......................:...................@..........................@>.....Pj>...@.................................l........0....8...........=.......=..-.....................................@............................................text............................... ..`.rdata..............................@..@.data...$8..........................@....rsrc.....8..0....8.................@..@.reloc..zA....=..B....=.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.408561183929901
Encrypted:	false
SSDEEP:	24:3IWSKco4KmZjKbmOIKod6emN1s4RPQoU99tXt/NK3R88bJ02iaEW3b5:YWSU4xympjms4RIoU99tlNWR832qab5
MD5:	594515724C3EB1FB28C9C53581FC31E4
SHA1:	4AF95DD8EF82C1AE41CB4B7AC5E6840738CD1597
SHA-256:	4187AFF70A1CEBC1BFC095F94EEF324C92CEF540EA103389DF2DF80242972A24
SHA-512:	9557F9100EA7387D8C5EEF1BEE1C81A40A897305998D8308DA6493EDAED4F4BAC6432A4391C333B688869B6CF46F745D9001A156D39CC10395ACA99A94E0A5D5
Malicious:	false
Preview:	@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3322gm14.ao5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ovkdsoq.vvi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4u2emuuk.cte.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_523ue3du.aco.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpxgv1sa.aak.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fiil12dg.yiv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqu3hwdc.k11.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_smi1dxsr.vyt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\backup.dll

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2214912
Entropy (8bit):	6.635782448765808
Encrypted:	false
SSDEEP:	49152:6WProiAXfi2iG9bcEaU0yl0bZU4yBhQV2bYQKabQQ4o5gnKqxSpkDUC:6WPrZAXfPiG9bKU0FlU4ybpPKabQg5gD
MD5:	9939E9DDC47F7DC405A107DC882126E3
SHA1:	2EF13A0ECC77F7FA6578FC04D8F913759808881D
SHA-256:	037929DF4F79A5060FDB189A9248C22A926D937018E52FB8BA36FA2AFB05404C
SHA-512:	753FBBC04C52391C0815D94BB101FF585DD72FF643CDA09BF0F72ADC80AB667ADB9F19299357743B1905DE38EB9D75D4D2BD30E7AC57F9DF7E1DBDA782B3AF81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3i{.R.(.R.(.R.(..).R.(..).R.(..)wR.(..).R.(..).R.(.R.(.Q.(...).R.(...).R.(...)&S.( ..).R.( ..).R.( ..(.R.( ..).R.(Rich.R.(........................PE..L...B.kg...........!........2......+........................................@"...........@.............................P.......h........H.................... .0....8..p....................9.......7..@............................................text.............................. ..`.rdata..p].......^..................@..@.data...........\..................@....rsrc....H.......H...T..............@..@.reloc..0..... ..0..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\backup.exe

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.113976261619789
Encrypted:	false
SSDEEP:	24:NFW/WAW/WAWE3fzWcWrfZKx31SIYaYZLZ6y:NFVAVAjvz6ZKx31SIYN/6y
MD5:	F7F23953F7C236A0F12AE4848F174480
SHA1:	E222C191BE437B39FB294EDD1FCCAF961B1F7265
SHA-256:	0CD1B31F9AA2F089BD33331B172CD4813167BD59F889EFDC7EB2ADAA71F3D9CC
SHA-512:	2790AFD071756E25FF408426E0D40879603EBCBC23C1D98AD891017237A2930F27CC19F28C38C5BAB5221E828B0B08727EDCEC1D2AA528FCCED0B7EE576836B8
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=Update.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\Update.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Update.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:GT:GT
MD5:	750263DBB2FB8547BDD810EE11A08C7A
SHA1:	BF590744DC010583D09358575E1347C2B76531E8
SHA-256:	19EEFFC3C1EB7DD8E27C9781FECEEB02E6D6153F9F257899CA0B1BCFBE436B20
SHA-512:	DFCE2010909C626F8CB4799090A2522BA7B1B359B3AA2F595A4A1912335A09010A193A5EA00CC8E8AF89641C3E1392FEDDC323267B6B9146DD43CB43B401D90F
Malicious:	false
Preview:	8036

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\install_flash_player_ppapi.exe.lnk

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 28 19:01:13 2024, mtime=Sat Dec 28 19:01:15 2024, atime=Sun Jun 21 05:05:14 2020, length=20846560, window=hide
Category:	dropped
Size (bytes):	1131
Entropy (8bit):	4.7242476859082
Encrypted:	false
SSDEEP:	12:81OUlGIcCICHqXL2SX+vACmqyFyzN9zY2ojAaX0ncG/Y2zavlxSjP44t2YZ/elFM:8ZGPCn8gBsAaX0J2vjSjIqyFm
MD5:	FA5979F8F7C1177A4710C7822D400251
SHA1:	43CFFED1832EC8AE782FDE51B6C460F363F47A84
SHA-256:	17705D297F8DF8BBAA97F6D9834B5E98F2CF627B8B092BCD1C5A4F862B8E4F03
SHA-512:	59482EADC67BE1A1CFE59E98323EDF98A80AF38DD334A96A199205BA0F8A0EB46BE2313A3887E516E366DAD7EFD8333A3B8760C7E394DBD3F4B34A66B0DD0A5F
Malicious:	false
Preview:	L..................F.... ...~h.>cY..s.l@cY.....G....>..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y&.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1......Y'...Public..f......O.I.Y).....+...............<......N..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y'...Bilite..>......Y'..Y'............................x..B.i.l.i.t.e.......2...>..P.0 .INSTAL~1.EXE..n......Y'..Y(...........................".#.i.n.s.t.a.l.l._.f.l.a.s.h._.p.l.a.y.e.r._.p.p.a.p.i...e.x.e.......d...............-.......c...........-."......C:\Users\Public\Bilite\install_flash_player_ppapi.exe..2.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.i.n.s.t.a.l.l._.f.l.a.s.h._.p.l.a.y.e.r._.p.p.a.p.i...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......358075...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	134
Entropy (8bit):	4.078552106113438
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htm:hYFRamFSQZ0lv5y/9JctESnQUq3tm
MD5:	5410B2A3CD92E086498679B0501DEDDD
SHA1:	6C1EA996851C4ADF951301E0614F745718879914
SHA-256:	0C938B9F17B65DC2A1C8BF357CB8EBC4DCCCFEFA66C35C9FBA3D57FAE4FD77D5
SHA-512:	4FE30CD3C50771A995DE8EFD81A5613D2AC3F589DE22FBD316F13905C59393CFBC091F8430B6427803B8087035B34F7628B7E36CE70FD3F486FAA38CA5F5384D
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.998823108737483
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zPJUOck9wt.exe
File size:	21'615'909 bytes
MD5:	1bf851229cdc8a1b97523ed4fa48b977
SHA1:	037c0db18b290df45a54ff23556516b24206173d
SHA256:	ce6667acf10faea38244c15da512a68d09725f9e21bb5edc6b22d1048ddc552f
SHA512:	8e8aca3ccd5b9cde98255c2bf7fa95f75c9c3cb575c91e3304a7a90bb0a1ea0b98eacde725809c4b201288fb280045efd02518fc379a4322725cd5cdad32c2ce
SSDEEP:	393216:Hpd0SoUNyS1eey9cLBzAAua7MdTlBW9F9CxkmjjzomHA3YvwFBNZ3laN4z:JaSoiy19cduakTlQ9q2mjjzHgIvMBNZx
TLSH:	B22733C2F78467F4C2B2A1BAD9555BB38973CB42E6051988DE3949172F4A4F2810B1FF
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................@...............................................P........................I..).

File Icon


Icon Hash:	01e0f2ccd4d4c400

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	17/07/2022 20:00:00 17/07/2024 19:59:59
Subject Chain	CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1:	583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256:	2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial:	7098774ED29B0565AB114EF2F2871CF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F17287F9CB2h
cmp dword ptr [00417710h], ebx
jne 00007F17287F9B9Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F17287F9C84h
push 00417048h
push 00417044h
call 00007F17287F9C6Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F17287F9C3Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x190d7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x149ac0d	0x2918
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x190d7	0x19200	aedf42f084dabb70902985d8cb8d4f42	False	0.14223802860696516	data	4.481844282645869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.42819148936170215
RT_ICON	0x1a670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.2767354596622889
RT_ICON	0x1b718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.2513485477178423
RT_ICON	0x1dcc0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.17170524326877656
RT_ICON	0x21ee8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.09922512717378446
RT_GROUP_ICON	0x32710	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x3275c	0x350	data	English	United States	0.47523584905660377
RT_VERSION	0x32aac	0x3b0	data	Chinese	China	0.4523305084745763
RT_MANIFEST	0x32e5c	0x27b	ASCII text, with very long lines (635), with no line terminators	English	United States	0.5118110236220472

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T21:02:32.186144+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49782	206.238.198.14	9091	TCP
2024-12-28T21:03:47.041658+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49793	206.238.198.14	9091	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 21:02:27.363368034 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:27.483714104 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:27.483819008 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:28.880294085 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:28.880374908 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:28.880407095 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:28.880455017 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:28.880522013 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:28.880558014 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:28.880593061 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:28.880613089 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:28.884444952 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.096543074 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.096602917 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.096640110 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.096683979 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.096730947 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.099595070 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.105031967 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.107954979 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.107991934 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.108022928 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.116276979 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.116420031 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.116421938 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.124644041 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.124726057 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.312625885 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.312812090 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.312891960 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.316721916 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.316803932 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.316874981 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.325078964 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.325233936 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.325313091 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.333542109 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.333683014 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.333755970 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.341851950 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.342004061 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.342081070 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.350274086 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.350392103 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.350466013 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.358637094 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.358690023 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.358792067 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.522944927 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.528687000 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.528757095 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.528858900 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.533093929 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.533144951 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.534607887 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.534714937 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.534771919 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.542943001 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.543057919 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.543122053 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.551259041 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.551409960 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.551460028 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.559506893 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.559573889 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.559640884 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.567837954 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.567991972 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.568053961 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.576232910 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.576417923 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.576479912 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.584434032 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.584536076 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.584595919 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.592722893 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.592849970 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.592912912 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.601927042 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.602093935 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.602157116 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.609319925 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.609441996 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.609496117 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.617537975 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.666371107 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.744638920 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.744729042 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.744791031 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.747570992 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.747672081 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.747746944 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.752244949 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.752388954 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.752465963 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.758232117 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.758369923 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.758418083 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.764260054 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.764388084 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.764440060 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.770292044 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.770405054 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.770459890 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.776262999 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.776395082 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.776463032 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.782355070 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.782449961 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.782504082 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.788347960 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.788575888 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.788628101 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.794321060 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.794471979 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.794527054 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.800323009 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.800451994 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.800508022 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.806364059 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.806477070 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.806526899 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.812366009 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.812581062 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.812638998 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.818371058 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.818490028 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.818548918 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.824384928 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.824485064 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.824533939 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.830389023 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.830519915 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.830579042 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.836364031 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.885123014 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.960690022 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.960705042 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.960760117 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.961985111 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.962045908 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.962111950 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.966691017 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.966777086 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.966840982 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.971332073 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.971386909 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.971441984 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.975971937 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.976083040 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.976140022 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.980712891 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.980910063 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.980964899 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:29.985300064 CET	18852	49771	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:29.985358000 CET	49771	18852	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:32.050251007 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:32.169785976 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:32.169939995 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:32.186144114 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:32.305907965 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:33.718786955 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:33.723629951 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:33.843234062 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:33.843251944 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:33.843262911 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.257911921 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.258085966 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.258099079 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.258234978 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.258246899 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.258348942 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.258348942 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.307101011 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.468441010 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.468455076 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.468466043 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.468554020 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.468624115 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.468624115 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.476627111 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.476732016 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.476778984 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.485034943 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.485096931 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.485141993 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.493371010 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.541394949 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.679171085 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.679210901 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.679253101 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.683249950 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.683383942 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.683419943 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.691700935 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.694756985 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.694797039 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.694878101 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.703586102 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.703634024 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.703644037 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.711404085 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.711442947 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.711504936 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.719805002 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.719851971 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.720096111 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.728157997 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.728212118 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.889775038 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.889825106 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.889879942 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.892277002 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.892442942 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.892486095 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.900648117 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.900728941 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.900773048 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.908998966 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.909121990 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.909173965 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.917489052 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.917553902 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.917602062 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.925779104 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.925858021 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.925894976 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.934132099 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.934302092 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.934350014 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.942512989 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.942631960 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.942676067 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.950936079 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.951031923 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:34.951075077 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:34.959235907 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.010128021 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.100934982 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.101072073 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.101124048 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.104231119 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.104343891 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.104386091 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.111288071 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.111357927 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.111404896 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.118263006 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.118402004 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.118452072 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.125413895 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.125474930 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.125523090 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.132355928 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.132597923 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.132639885 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.139594078 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.139643908 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.139698982 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.146543980 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.146562099 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.146610975 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.153490067 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.153537989 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.153593063 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.160473108 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.160612106 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.160659075 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.167579889 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.167623997 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.167663097 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.174521923 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.228880882 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.312855005 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.313021898 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.313170910 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.316088915 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.317414999 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.317426920 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.317451000 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.324069977 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.324081898 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.324119091 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.330658913 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.330693960 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.330722094 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.337263107 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.337316036 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.337368965 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.343898058 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.343930006 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.343949080 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.350452900 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.350497961 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.350574017 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.357177019 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.357230902 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.357286930 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.363739014 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.363785028 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.363794088 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.370306015 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.370347977 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.370404959 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.376974106 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.377021074 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.377063036 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.383573055 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.383615017 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.383687019 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.390232086 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.390300035 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.390317917 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.396883011 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.396902084 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.396924019 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.404366016 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.404411077 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.404535055 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.410149097 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.410161972 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.410195112 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.463241100 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.524657011 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.524756908 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.524806976 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.527355909 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.528275967 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.528307915 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.528326988 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.531467915 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.531508923 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.531539917 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.536792040 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.536839962 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.536895990 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.542197943 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.542246103 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.542340994 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.547333956 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.547384024 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.547389030 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.552494049 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.552540064 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.552680969 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.557646036 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.557693005 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.557732105 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.562854052 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.562894106 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.562952042 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.567892075 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.567935944 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.568001032 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.573074102 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.573122025 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.573178053 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.578218937 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.578270912 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.578283072 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.583476067 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.583523035 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.583559036 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.588550091 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.588603973 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.588655949 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.593755007 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.593827963 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.593846083 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.598696947 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.598747969 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.598759890 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.603650093 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.603696108 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.603795052 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.608628035 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.608685017 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.608716011 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.613637924 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.613692045 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.613730907 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.618680000 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.618743896 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.618805885 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.623627901 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.623672962 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.726262093 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.735429049 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.735471964 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.735622883 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.737344980 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.737390041 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.737426996 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.741080999 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.741173983 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.742424011 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.742549896 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.742607117 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.746186972 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.746308088 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.746342897 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.749923944 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.750036001 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.750081062 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.753634930 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.753722906 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.753763914 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.757189989 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.757289886 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.757332087 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.760680914 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.760792017 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.760831118 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.764235973 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.764347076 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.764384985 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.767801046 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.767884016 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.767920971 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.771358967 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.771473885 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.771512985 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.775018930 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.775077105 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.775116920 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:35.778860092 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.779036045 CET	9091	49782	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:35.779077053 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:36.823335886 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:36.977755070 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:36.978888035 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:38.794481993 CET	49782	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:42.842478037 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:42.962230921 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:42.962249041 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:42.962274075 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:42.962304115 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:43.369801044 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:43.370564938 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:43.490178108 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:56.260330915 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:56.380039930 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:56.781418085 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:02:56.822905064 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:57.111896992 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:02:57.231515884 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:14.213407993 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:14.332947016 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:14.734524965 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:14.775898933 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:14.820529938 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:14.940257072 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:30.354074955 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:30.473643064 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:30.875005960 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:30.916553974 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:30.943861008 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:31.063513041 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:47.041657925 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:47.161261082 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:47.562722921 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:03:47.604113102 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:47.636337996 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:03:47.755860090 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:04:03.197958946 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:04:03.317686081 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:04:03.719039917 CET	9091	49793	206.238.198.14	192.168.2.4
Dec 28, 2024 21:04:03.760427952 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:04:03.809001923 CET	49793	9091	192.168.2.4	206.238.198.14
Dec 28, 2024 21:04:03.928663015 CET	9091	49793	206.238.198.14	192.168.2.4

Target ID:	0
Start time:	15:01:12
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\zPJUOck9wt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zPJUOck9wt.exe"
Imagebase:	0x400000
File size:	21'615'909 bytes
MD5 hash:	1BF851229CDC8A1B97523ED4FA48B977
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:01:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:01:16
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:01:16
Start date:	28/12/2024
Path:	C:\Users\Public\Bilite\Axialis\Update.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x580000
File size:	395'368 bytes
MD5 hash:	FB325C945A08D06FE91681179BDCCC66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:02:26
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:02:26
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:02:26
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x2d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:02:26
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0xb0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:02:26
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x110000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:02:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:02:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:02:27
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:02:27
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:02:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x2e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:02:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x2e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:02:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x2d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:02:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0xb0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:02:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x110000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:03:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x2d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:03:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0xb0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:03:27
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x110000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:03:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x2d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:03:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0xb0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:03:57
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x110000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.8%
Total number of Nodes:	1423
Total number of Limit Nodes:	15

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

FinishMessage, xrefs: 00406399
HelpText, xrefs: 0040595E
del, xrefs: 00405F9A
ExecuteParameters, xrefs: 0040605D
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
;!@InstallEnd@!, xrefs: 00405431
amd64, xrefs: 00405FE4
forcenowait, xrefs: 00405F25
IA, xrefs: 004055D2, 004058FB
hidcon, xrefs: 00405E5E
shc, xrefs: 00405F7A
SelfDelete, xrefs: 0040577C, 0040640B
OverwriteMode, xrefs: 004056BB
Delete, xrefs: 00406352
4DA, xrefs: 00406034
x86, xrefs: 00405FBE
i386, xrefs: 00405FD1
7-Zip SFX, xrefs: 00406490
InstallPath, xrefs: 004059F3
7zSfxString%d, xrefs: 0040558F
GUIMode, xrefs: 004056FF
;!@Install@!UTF-8!, xrefs: 00405436
SetEnvironment, xrefs: 0040586E, 0040591F
GUIFlags, xrefs: 0040571F
@DA, xrefs: 00405699
BeginPrompt, xrefs: 00405A71
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
MiscFlags, xrefs: 0040573F
nowait, xrefs: 00405F03
Shortcut, xrefs: 0040632A
XpA, xrefs: 00405581
sfxconfig, xrefs: 0040527C, 00405488
x64, xrefs: 00405FF7
sfxversion, xrefs: 004050D6
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
7ZipSfx.%03x, xrefs: 00405C77
4AA, xrefs: 0040504C

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

7zSfxFolder%02d, xrefs: 004044A1
IA, xrefs: 0040447B

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

HKA, xrefs: 00410CE9
$KA, xrefs: 00410CF7
4KA, xrefs: 00410CF0
\KA, xrefs: 00410CE2

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A32

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?), ref: 0040EA24

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54

Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00411388 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

7zSfxString%d, xrefs: 00401FF7
\3A, xrefs: 00401FDB
XpA, xrefs: 00401FB4

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

SetThreadPreferredUILanguages, xrefs: 00401CA4
SetProcessPreferredUILanguages, xrefs: 00401C58
%04X%c%04X%c, xrefs: 00401C8F
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

SetWindowTheme, xrefs: 00406D70
uxtheme, xrefs: 00406D5E
\EA, xrefs: 00406D98

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

open, xrefs: 00404C63
del ", xrefs: 00404B9F, 00404BA4, 00404BED
", xrefs: 00404BB9, 00404BBE, 00404C02
if exist ", xrefs: 00404BC7
7ZSfx%03x.cmd, xrefs: 00404B58
" goto Repeat, xrefs: 00404BE0
:Repeat, xrefs: 00404B92

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

Title, xrefs: 00404611
|wA, xrefs: 0040464B
ExtractPathTitle, xrefs: 00404801
GUIMode, xrefs: 004046F4
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
Progress, xrefs: 004046C7
ExtractPathWidth, xrefs: 004047E5
WarningTitle, xrefs: 00404697
ExtractPathText, xrefs: 00404819
ErrorTitle, xrefs: 0040467F
CancelPrompt, xrefs: 00404831
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractDialogText, xrefs: 004047AD
ExtractTitle, xrefs: 004046AF
ExtractDialogWidth, xrefs: 004047BE
OverwriteMode, xrefs: 00404721
ExtractCancelText, xrefs: 004047A1

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

riched20, xrefs: 00402E3D
STATIC, xrefs: 00402DDD
{\rtf, xrefs: 00402E09
RichEdit20W, xrefs: 00402E8C

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

STATIC, xrefs: 00401E13
IMAGES, xrefs: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

MiscFlags, xrefs: 004032C0
{\rtf, xrefs: 004031D6, 004031EB
SetEnvironment, xrefs: 0040326B
hAA, xrefs: 0040309E
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4D9
IA, xrefs: 0040C66E
IA, xrefs: 0040C4AF
IA, xrefs: 0040C65E
IA, xrefs: 0040C4C6
IA, xrefs: 0040C74D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

ErrorTitle, xrefs: 00408511
FinishMessage, xrefs: 00408417, 00408433
HelpText, xrefs: 00408598
SetEnvironment, xrefs: 004083BC
WarningTitle, xrefs: 0040853A
BeginPrompt, xrefs: 004084A4, 004084A9

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

03A, xrefs: 00404CCF
;!@Install@!UTF-8!, xrefs: 00404D59
;!@InstallEnd@!, xrefs: 00404D73

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000284), ref: 004075CD
ResumeThread.KERNEL32(00000284), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

:Language:%u!, xrefs: 00404EB6
;!@Install@!UTF-8!, xrefs: 00404E4A
;!@InstallEnd@!, xrefs: 00404E59

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S/, xrefs: 0040399F
%%S\, xrefs: 00403961

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M\, xrefs: 00403A1C
%%M/, xrefs: 00403A5A

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

$JA, xrefs: 0040E4B6
4JA, xrefs: 0040E4AF
TJA, xrefs: 0040E4A1
xJA, xrefs: 0040E493
DJA, xrefs: 0040E4A8
hJA, xrefs: 0040E49A

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C11B
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

GetNativeSystemInfo, xrefs: 00402200
kernel32, xrefs: 00402205

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

Wow64DisableWow64FsRedirection, xrefs: 004021C0
kernel32, xrefs: 004021C5

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1708519387.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1708503929.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708536965.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708551228.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1708565703.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zPJUOck9wt.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: Update.exePID: 7492, Parent PID: 7448COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	32.5%
Signature Coverage:	6.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	85

Executed Functions

Function 03525430 Relevance: 93.2, APIs: 40, Strings: 13, Instructions: 440
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0352F707: _malloc.LIBCMT ref: 0352F721

_memset.LIBCMT ref: 0352546C
_memset.LIBCMT ref: 03525485
_memset.LIBCMT ref: 03525495
gethostname.WS2_32(?,00000032), ref: 035254A3
gethostbyname.WS2_32(?), ref: 035254AD
inet_ntoa.WS2_32 ref: 035254C5
_strcat_s.LIBCMT ref: 035254D8
_strcat_s.LIBCMT ref: 035254F1
inet_ntoa.WS2_32 ref: 0352551A
_strcat_s.LIBCMT ref: 0352552D
_strcat_s.LIBCMT ref: 03525546
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03525573
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03525587
GetLastInputInfo.USER32(?), ref: 0352559A
GetTickCount.KERNEL32 ref: 035255A0
wsprintfW.USER32 ref: 035255D5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 035255E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 035255FC
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03525653
wsprintfW.USER32 ref: 0352566C
GetForegroundWindow.USER32 ref: 03525695
GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 035256AC
lstrlenW.KERNEL32(000008CC), ref: 035256D3
lstrlenW.KERNEL32(00000994), ref: 03525739
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 035257AA
GetProcAddress.KERNEL32(00000000), ref: 035257B1
GetNativeSystemInfo.KERNEL32(?), ref: 035257C2
GetSystemInfo.KERNEL32(?), ref: 035257CD
wsprintfW.USER32 ref: 03525806
GetCurrentProcessId.KERNEL32 ref: 03525818
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0352582E
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0352584B
CloseHandle.KERNEL32(03545164), ref: 0352587F
GetTickCount.KERNEL32 ref: 035258E9
__time64.LIBCMT ref: 035258F8
__localtime64.LIBCMT ref: 0352592F
wsprintfW.USER32 ref: 03525968
GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0352597D
GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0352598C
GetCurrentHwProfileW.ADVAPI32(?), ref: 03525999

Part of subcall function 035280F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03528132
Part of subcall function 035280F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03528166
Part of subcall function 035280F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03528176
Part of subcall function 035280F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 035281A6
Part of subcall function 035280F0: lstrlenW.KERNEL32(?), ref: 035281B7
Part of subcall function 035280F0: __wcsnicmp.LIBCMT ref: 035281CE
Part of subcall function 035280F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03528204

Strings

AppEvents, xrefs: 035256B6, 0352571C
Network, xrefs: 035256C2, 03525728
REMARK, xrefs: 03525746
GROUP, xrefs: 035256E0
1.0, xrefs: 03525702
X86, xrefs: 035259B1, 035259D3
2024.12.12, xrefs: 03525758
x86, xrefs: 035257F4, 035257F9
%d min, xrefs: 035255CF
x64, xrefs: 035257ED
GetNativeSystemInfo, xrefs: 0352576A
kernel32.dll, xrefs: 0352576F
X86 %s, xrefs: 03525800

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
String ID: %d min$1.0$2024.12.12$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
API String ID: 1101047656-3021995908
Opcode ID: a0228e5847eed6d4c45ff3d93c847f533338addbbe37bcbf140917c999a0b85b
Instruction ID: fa32b177aba5bc8c90897d5236c041e7818f709f322dc3a48449e890e508d520
Opcode Fuzzy Hash: a0228e5847eed6d4c45ff3d93c847f533338addbbe37bcbf140917c999a0b85b
Instruction Fuzzy Hash: 43F117B5900314AFD724EB64EC85FDAB7B8BF85304F004958F60AA7191FB70A649CF55

Function 02DC0032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 02DC04AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 02DC04DE

Strings

a, xrefs: 02DC011C
iv, xrefs: 02DC0212
ucti, xrefs: 02DC01BE
A, xrefs: 02DC0147
A, xrefs: 02DC0244
Lo, xrefs: 02DC00FC
mI, xrefs: 02DC0221
ee, xrefs: 02DC00F0
fo, xrefs: 02DC022C
Rt, xrefs: 02DC0233
Fu, xrefs: 02DC025A
o, xrefs: 02DC01C9
Ta, xrefs: 02DC027D
Via, xrefs: 02DC0312
b, xrefs: 02DC0113
Vi, xrefs: 02DC012C
S, xrefs: 02DC00E7
P, xrefs: 02DC0176
a, xrefs: 02DC016D
p, xrefs: 02DC00F7
a, xrefs: 02DC013E
tNat, xrefs: 02DC020A
tu, xrefs: 02DC0166
st, xrefs: 02DC01AD
tu, xrefs: 02DC0137
Syst, xrefs: 02DC0219
Li, xrefs: 02DC010C
yA, xrefs: 02DC0125
G, xrefs: 02DC0205
a, xrefs: 02DC0103
t, xrefs: 02DC0187
ushI, xrefs: 02DC019B
F, xrefs: 02DC018C
b, xrefs: 02DC0287
otec, xrefs: 02DC017F
ctio, xrefs: 02DC026B
oc, xrefs: 02DC0154
Cach, xrefs: 02DC01FA

Memory Dump Source

Source File: 00000003.00000002.3531014580.0000000002DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2dc0000_Update.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: e151b0f81c52698e1eed8d6e02d7cdb0a88827da358a4a6036e38c322b7246d7
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: A7627831508386CFD724CF64C840BABBBE4BF94705F24492DE9C99B391E7709989CB96

Function 0352DF10 Relevance: 61.6, APIs: 24, Strings: 11, Instructions: 354
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03530542: __fassign.LIBCMT ref: 03530538

Sleep.KERNEL32(00000000), ref: 0352DF64
CloseHandle.KERNEL32(00000000), ref: 0352DF91
GetLocalTime.KERNEL32(?), ref: 0352DFA9
wsprintfW.USER32 ref: 0352DFE0
SetUnhandledExceptionFilter.KERNEL32(035275B0), ref: 0352DFEE
CloseHandle.KERNEL32(00000000), ref: 0352E007

Part of subcall function 0352F707: _malloc.LIBCMT ref: 0352F721

EnumWindows.USER32(03525CC0,?), ref: 0352E19D
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0352E1AA
EnumWindows.USER32(03525CC0,?), ref: 0352E1BE
Sleep.KERNEL32(00000BB8), ref: 0352E1F5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0352E241
Sleep.KERNEL32(00000FA0), ref: 0352E2C4
RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0352E2EB
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0352E30B
CloseHandle.KERNEL32(?), ref: 0352E35D
Sleep.KERNEL32(000003E8,?,?), ref: 0352E3A4
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0352E3D0
CloseHandle.KERNEL32(?,?,?), ref: 0352E3D7
Sleep.KERNEL32(000003E8,?,?), ref: 0352E3E2
CloseHandle.KERNEL32(?), ref: 0352E400
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0352E425
CloseHandle.KERNEL32(?,?,?), ref: 0352E42C
Sleep.KERNEL32(00000000,?,?,?), ref: 0352E446
CloseHandle.KERNEL32(?), ref: 0352E464

Strings

206.238.198.14, xrefs: 0352E0B9
9093, xrefs: 0352E12E
206.238.198.14, xrefs: 0352E07B, 0352E0C3, 0352E121, 0352E1E5, 0352E253
206.238.198.14, xrefs: 0352E071
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0352DFDA
Console, xrefs: 0352E2D5
9091, xrefs: 0352E088
9091, xrefs: 0352E08F, 0352E0D7, 0352E135, 0352E1CE, 0352E20C
206.238.198.14, xrefs: 0352E117
9092, xrefs: 0352E0D0
IpDatespecial, xrefs: 0352E305

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$206.238.198.14$206.238.198.14$206.238.198.14$206.238.198.14$9091$9091$9092$9093$Console$IpDatespecial
API String ID: 1511462596-3187637918
Opcode ID: 0ad2fcd2d10bc26f9062249df4744c1598ffb5fc7bf4b537e90ef33d23be426e
Instruction ID: 0593fc2493d94900a1249213d843cbedac716efa416b6c75dfd97d9c1625fdcd
Opcode Fuzzy Hash: 0ad2fcd2d10bc26f9062249df4744c1598ffb5fc7bf4b537e90ef33d23be426e
Instruction Fuzzy Hash: 05D1DFB4544311AFD324EF61E886E2EBBB4BBC6708F040A1CF555972F4E770A50ADB62

Function 0352BC70 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 351
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 0352BC8F
GetDC.USER32(00000000), ref: 0352BC9C
CreateCompatibleDC.GDI32(00000000), ref: 0352BCA2
GetDC.USER32(00000000), ref: 0352BCAD
GetDeviceCaps.GDI32(00000000,00000008), ref: 0352BCBA
GetDeviceCaps.GDI32(00000000,00000076), ref: 0352BCC2
ReleaseDC.USER32(00000000,00000000), ref: 0352BCD3
GetSystemMetrics.USER32(0000004E), ref: 0352BCF8
GetSystemMetrics.USER32(0000004F), ref: 0352BD26
GetSystemMetrics.USER32(0000004C), ref: 0352BD78
GetSystemMetrics.USER32(0000004D), ref: 0352BD8D
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0352BDA6
SelectObject.GDI32(?,00000000), ref: 0352BDB4
SetStretchBltMode.GDI32(?,00000003), ref: 0352BDC0
GetSystemMetrics.USER32(0000004F), ref: 0352BDCD
GetSystemMetrics.USER32(0000004E), ref: 0352BDE0
StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0352BE07
_memset.LIBCMT ref: 0352BE7A
GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0352BE97
_memset.LIBCMT ref: 0352BEAF

Part of subcall function 0352F707: _malloc.LIBCMT ref: 0352F721

DeleteObject.GDI32(?), ref: 0352BF23
DeleteObject.GDI32(?), ref: 0352BF2D
ReleaseDC.USER32(00000000,?), ref: 0352BF39
DeleteObject.GDI32(?), ref: 0352BFDF
DeleteObject.GDI32(?), ref: 0352BFE9
ReleaseDC.USER32(00000000,?), ref: 0352BFF5

Strings

gfff, xrefs: 0352BD10
gfff, xrefs: 0352BD38
(, xrefs: 0352BE3E
6, xrefs: 0352BE61

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
String ID: ($6$gfff$gfff
API String ID: 3293817703-713438465
Opcode ID: 0eae6d654d3b7d4c54c3edffcc31b20ba3bcfdfbacbfc22d5d2d1d56d0c9dbff
Instruction ID: a7f219e23283f038fd5b0f31548b1aa05a2a309c8bd58e6afffdf6bec6acf401
Opcode Fuzzy Hash: 0eae6d654d3b7d4c54c3edffcc31b20ba3bcfdfbacbfc22d5d2d1d56d0c9dbff
Instruction Fuzzy Hash: 9DD19EB5D00318AFDB14EFE5E885B9EBBB9FF89300F144529F505AB290D770A905CB91

Function 6C8A9A10 Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 421
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 6C8A9A69
std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9A7E

Part of subcall function 6C8A98C0: std::exception::exception.LIBCONCRTD ref: 6C8A98CE

Part of subcall function 6CA02CDE: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C8A2B0C,?,?,?,?,6C8A2B0C,?,6CA8D624,?,?,6C8A97EF), ref: 6CA02D3F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 6C8A9ADE
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8A9AEE
std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9B00
CryptHashData.ADVAPI32(?,?,?,00000000,?,6CA8D688,Failed to create hash object.), ref: 6C8A9B5C
CryptDestroyHash.ADVAPI32(00000000), ref: 6C8A9B6A
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8A9B76
std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9B88
CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?), ref: 6C8A9CC7
CryptDestroyHash.ADVAPI32(00000000), ref: 6C8A9CD5
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8A9CE1
std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9CF3
CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,00000004,00000000), ref: 6C8A9D2E
CryptDestroyHash.ADVAPI32(00000000), ref: 6C8A9D3C
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8A9D48
std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9D5A
CryptGetHashParam.ADVAPI32(?,00000002,?,00000000,00000000,00000000), ref: 6C8A9DAB
CryptDestroyHash.ADVAPI32(00000000), ref: 6C8A9DB9
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8A9DC5
std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9DD7
CryptDestroyHash.ADVAPI32(00000000), ref: 6C8A9DF2
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8A9E9E

Part of subcall function 6C8AA4B0: _DebugHeapAllocator.LIBCPMTD ref: 6C8AA4C8

Strings

Failed to acquire cryptographic context., xrefs: 6C8A9A73
Failed to get hash value., xrefs: 6C8A9DCC
Failed to hash data., xrefs: 6C8A9B7D
Failed to create hash object., xrefs: 6C8A9AF5
Failed to hash data., xrefs: 6C8A9CE8
Failed to get hash length., xrefs: 6C8A9D4F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Crypt$Hash$Context$Releasestd::bad_exception::bad_exception$Destroy$DataParam$AcquireAllocatorCreateDebugExceptionHeapRaisestd::exception::exception
String ID: Failed to acquire cryptographic context.$Failed to create hash object.$Failed to get hash length.$Failed to get hash value.$Failed to hash data.$Failed to hash data.
API String ID: 558081898-2481914407
Opcode ID: e5ca6d43ef4e48fab698e066c4eeac11d9a72933b3a2b06182662cdb350c4c7c
Instruction ID: 8c9d8fd7e88aae8c07a476087bb7658748b1056af84e89e9262d64e92a9cec8a
Opcode Fuzzy Hash: e5ca6d43ef4e48fab698e066c4eeac11d9a72933b3a2b06182662cdb350c4c7c
Instruction Fuzzy Hash: 3202C9719002199FDB28CF94DD90FEEB7B5BF49304F1085A9E20AA7650DB346E8ACF54

Function 6C8A9FF0 Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 337
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C8A98F0: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C8A9930
Part of subcall function 6C8A98F0: std::bad_exception::bad_exception.LIBCMTD ref: 6C8A9942
Part of subcall function 6C8A98F0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00000000,00000000,00000000), ref: 6C8A99A8
Part of subcall function 6C8A98F0: std::bad_exception::bad_exception.LIBCMTD ref: 6C8A99BA

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 6C8AA1C8
std::bad_exception::bad_exception.LIBCMTD ref: 6C8AA1DD
CryptImportKey.ADVAPI32(00000000,00000008,00000014,00000000,00000000,00000000), ref: 6C8AA257
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8AA267
std::bad_exception::bad_exception.LIBCMTD ref: 6C8AA279
CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 6C8AA2B0
CryptDestroyKey.ADVAPI32(00000000), ref: 6C8AA2BE
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8AA2CA
std::bad_exception::bad_exception.LIBCMTD ref: 6C8AA2DC
CryptSetKeyParam.ADVAPI32(00000000,00000004,00000001,00000000), ref: 6C8AA306
CryptDestroyKey.ADVAPI32(00000000), ref: 6C8AA314
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8AA320
std::bad_exception::bad_exception.LIBCMTD ref: 6C8AA332
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,6CA2B349,000000FF), ref: 6C8AA38D
CryptDestroyKey.ADVAPI32(00000000), ref: 6C8AA39B
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8AA3A7
std::bad_exception::bad_exception.LIBCMTD ref: 6C8AA3B9
CryptDestroyKey.ADVAPI32(00000000), ref: 6C8AA3D4
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C8AA3E0

Part of subcall function 6C8AA4B0: _DebugHeapAllocator.LIBCPMTD ref: 6C8AA4C8

Strings

Failed to import key., xrefs: 6C8AA26E
Salted__, xrefs: 6C8AA04E
Failed to decrypt data., xrefs: 6C8AA3AE
Failed to set IV., xrefs: 6C8AA2D1
Failed to acquire cryptographic context., xrefs: 6C8AA1D2
Failed to set cipher mode., xrefs: 6C8AA327

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Crypt$std::bad_exception::bad_exception$Context$Release$Destroy$BinaryParamString$AcquireAllocatorDebugDecryptHeapImport
String ID: Failed to acquire cryptographic context.$Failed to decrypt data.$Failed to import key.$Failed to set IV.$Failed to set cipher mode.$Salted__
API String ID: 580516112-4088208083
Opcode ID: e2f04a0819b5fbf4174aed5aa9c3114eeb3ec79936a973cb43050cba91ea4c19
Instruction ID: ac65653e6b88bde64015da0069186f0306697eda043cff87043e255bbf203d66
Opcode Fuzzy Hash: e2f04a0819b5fbf4174aed5aa9c3114eeb3ec79936a973cb43050cba91ea4c19
Instruction Fuzzy Hash: A7E10D719002189FDB24CFE4DD94FEEB775BF49304F1089A9E20AA7690DB746A49CF60

Function 035280F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03528132
lstrcmpiW.KERNEL32(?,A:\), ref: 03528166
lstrcmpiW.KERNEL32(?,B:\), ref: 03528176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 035281A6
lstrlenW.KERNEL32(?), ref: 035281B7
__wcsnicmp.LIBCMT ref: 035281CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 03528204
lstrcpyW.KERNEL32(?,?), ref: 03528228
lstrcatW.KERNEL32(?,00000000), ref: 03528233

Strings

B:\, xrefs: 03528170
A:\, xrefs: 03528160

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: 9fde801dc8a92205f9662cd2b132f9808c025db6130ebc295a313f006d993e6b
Instruction ID: ff1371711ea005f72e215fee27a0268f80f3b7f179333548d905bb60b0737cff
Opcode Fuzzy Hash: 9fde801dc8a92205f9662cd2b132f9808c025db6130ebc295a313f006d993e6b
Instruction Fuzzy Hash: 0441BA75A01238DBDB14DFA4ED44AEEB7B8FF45704F044499E90AA7190E770DA05CB94

Function 03526790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03525320: InterlockedDecrement.KERNEL32(00000008), ref: 0352536F
Part of subcall function 03525320: SysFreeString.OLEAUT32(00000000), ref: 03525384
Part of subcall function 03525320: SysAllocString.OLEAUT32(03545148), ref: 035253D5

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03545148,035269A4,03545148,00000000,75BF73E0), ref: 035267F4
GetLastError.KERNEL32 ref: 035267FE
GetProcessHeap.KERNEL32(00000008,?), ref: 03526816
HeapAlloc.KERNEL32(00000000), ref: 0352681D
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0352683F
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03526871
GetLastError.KERNEL32 ref: 0352687B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 035268E6
HeapFree.KERNEL32(00000000), ref: 035268ED

Strings

NONE_MAPPED, xrefs: 03526888

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
String ID: NONE_MAPPED
API String ID: 1317816589-2950899194
Opcode ID: 948691235fbd70ec92863c13e7f80f4b950f3af83d8f21bfa2571471f93ab816
Instruction ID: 7b4b9ddaf14dca49f755838e267789cb77205e8983a799d4eac67f2c2d06f343
Opcode Fuzzy Hash: 948691235fbd70ec92863c13e7f80f4b950f3af83d8f21bfa2571471f93ab816
Instruction Fuzzy Hash: 2541A9B5500229AFD724DF64EC44FAEB7BCFB86704F404498FA09D6190EBB45E899F60

Function 03526C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 03526C8B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03526CAA
_memset.LIBCMT ref: 03526CE1
GlobalMemoryStatusEx.KERNEL32(?), ref: 03526CF4
swprintf.LIBCMT ref: 03526D39
swprintf.LIBCMT ref: 03526D4C

Strings

HDD:%d, xrefs: 03526D2E
:, xrefs: 03526C80
@, xrefs: 03526CED
%sFree%d Gb , xrefs: 03526D41

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3202570353-3501811827
Opcode ID: de64e9bccbc900b9bd6bfad5ba22a5c124ea69f18cb152c0228a591230b0c23b
Instruction ID: 521b64d30a06570cd42ae50e1384ff94e3197f0dd08912bbd83a459368bf9c02
Opcode Fuzzy Hash: de64e9bccbc900b9bd6bfad5ba22a5c124ea69f18cb152c0228a591230b0c23b
Instruction Fuzzy Hash: 1B316CB6E0021C9BDB14DFE5DC45FEEBBB8FB89300F50421DE91AAB281E6705905CB90

Function 03526EE0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI(0354579C,?,CFBDC2C1,74DEDF80,00000000,75BF73E0), ref: 03526F4A
swprintf.LIBCMT ref: 0352711E
std::_Xinvalid_argument.LIBCPMT ref: 035271C7

Strings

vector<T> too long, xrefs: 035271C2
%s%s %d %d , xrefs: 03527113
%s%s %d*%d , xrefs: 03527337

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CreateFactoryXinvalid_argumentstd::_swprintf
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 3803070356-257307503
Opcode ID: 0b04672721e8617507b5e65ca4ca7c5fd811179a20f036421d1c1f7d0921613f
Instruction ID: 3402929aa71ae461817e1c4a4ddbe45b7da9f6baf1caf0cc9abb53281290f6c4
Opcode Fuzzy Hash: 0b04672721e8617507b5e65ca4ca7c5fd811179a20f036421d1c1f7d0921613f
Instruction Fuzzy Hash: F1E16271A002359FDF28CA64DC80BEEB775BF8A700F1445E9D90AA72D5D770AE818F90

Function 03527410 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03527523), ref: 0352743D
GetProcAddress.KERNEL32(00000000), ref: 03527444
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03527523), ref: 03527452
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03527523), ref: 0352745A

Strings

GetNativeSystemInfo, xrefs: 03527418
kernel32.dll, xrefs: 0352741D

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 91e24886f1168fac9964cfbaf64427541dce93ab4c7b9d386a3c57c533d486af
Instruction ID: 9174f6274b356385ad391012727b23939064c84287d17db45a2a4f510a549090
Opcode Fuzzy Hash: 91e24886f1168fac9964cfbaf64427541dce93ab4c7b9d386a3c57c533d486af
Instruction Fuzzy Hash: 4F017C74D002089FCB54DFB4A804AAEBFF4FB0C204F4009A9E549E3291E7358A00CBA1

Function 03526050 Relevance: 9.1, APIs: 6, Instructions: 86processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0352607C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03526088
Process32FirstW.KERNEL32(00000000,00000000), ref: 035260B9
Process32NextW.KERNEL32(00000000,0000022C), ref: 0352610F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03526116

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: 1490dbb415c897c7ed3d56aaf57d3f5e55519b05186b5c22b9738c50ea8fb015
Instruction ID: 3828fbeef456f8e75143ca82a03c50a5f7d956cc67b984d47c4a7fedf888d2d3
Opcode Fuzzy Hash: 1490dbb415c897c7ed3d56aaf57d3f5e55519b05186b5c22b9738c50ea8fb015
Instruction Fuzzy Hash: 2D21E135600139ABDB20EF64FC45BEAB7B8FF0A214F040699E80A961E0EB719B05D690

Function 03523360 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 03523413
_memmove.LIBCMT ref: 035234A5

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: 613c04bd70c5bf3ae746f27562b5bc84de519d6b47206edbfcd05b6b6d3507a6
Instruction ID: 9c2c2fe3f5785a371015840d24191f981675f41c6f62a6a4cff5f748a1a8dfe1
Opcode Fuzzy Hash: 613c04bd70c5bf3ae746f27562b5bc84de519d6b47206edbfcd05b6b6d3507a6
Instruction Fuzzy Hash: 4B51F67A7006269FC710CF69D8C4D6ABBA9BF8621070885ACE809CB760D735F941CBD0

Function 6C8EA8DB Relevance: 68.6, APIs: 34, Strings: 5, Instructions: 356
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8EA8E5

Part of subcall function 6C8D1A91: __EH_prolog3.LIBCMT ref: 6C8D1A98
Part of subcall function 6C8D1A91: GetWindowDC.USER32(00000000,00000004,6C8EAE60,00000000), ref: 6C8D1AC4

GetDeviceCaps.GDI32(?,00000058), ref: 6C8EA905
DeleteObject.GDI32(00000000), ref: 6C8EA961
DeleteObject.GDI32(00000000), ref: 6C8EA97F
DeleteObject.GDI32(00000000), ref: 6C8EA99D
DeleteObject.GDI32(00000000), ref: 6C8EA9BB
DeleteObject.GDI32(00000000), ref: 6C8EA9D9
DeleteObject.GDI32(00000000), ref: 6C8EA9F7
DeleteObject.GDI32(00000000), ref: 6C8EAA15
DeleteObject.GDI32(00000000), ref: 6C8EAA33
DeleteObject.GDI32(00000000), ref: 6C8EAA51
DeleteObject.GDI32(00000000), ref: 6C8EAA6F
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C8EAAA7
lstrcpyW.KERNEL32(?,?), ref: 6C8EAAFC
EnumFontFamiliesW.GDI32(?,00000000,6C8EA140,Segoe UI), ref: 6C8EAB23
lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C8EAB36
EnumFontFamiliesW.GDI32(?,00000000,6C8EA140,Tahoma), ref: 6C8EAB54
lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C8EAB6E
CreateFontIndirectW.GDI32(?), ref: 6C8EAB78
CreateFontIndirectW.GDI32(?), ref: 6C8EABC0
CreateFontIndirectW.GDI32(?), ref: 6C8EABFF
CreateFontIndirectW.GDI32(?), ref: 6C8EAC2B
CreateFontIndirectW.GDI32(?), ref: 6C8EAC4C
GetSystemMetrics.USER32(00000048), ref: 6C8EAC6B
lstrcpyW.KERNEL32(?,Marlett), ref: 6C8EAC7E
CreateFontIndirectW.GDI32(?), ref: 6C8EAC88
GetStockObject.GDI32(00000011), ref: 6C8EACB4
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C8EACCF
lstrcpyW.KERNEL32(?,Arial), ref: 6C8EAD10
CreateFontIndirectW.GDI32(?), ref: 6C8EAD1A
CreateFontIndirectW.GDI32(?), ref: 6C8EAD33
GetObjectW.GDI32(?,0000005C,?), ref: 6C8EAD51
CreateFontIndirectW.GDI32(?), ref: 6C8EAD5F
CreateFontIndirectW.GDI32(?), ref: 6C8EAD80

Part of subcall function 6C8EB218: __EH_prolog3_GS.LIBCMT ref: 6C8EB21F
Part of subcall function 6C8EB218: GetTextMetricsW.GDI32(?,?), ref: 6C8EB254
Part of subcall function 6C8EB218: GetTextMetricsW.GDI32(?,?), ref: 6C8EB294

Strings

Marlett, xrefs: 6C8EAC78
MS Sans Serif, xrefs: 6C8EAB68
Segoe UI, xrefs: 6C8EAB11, 6C8EAB2D
Tahoma, xrefs: 6C8EAB42, 6C8EAB61
Arial, xrefs: 6C8EAD00

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 2837096512-1395034203
Opcode ID: 6756eed7df6dfd159c42e77438e403d7f3ccf400c21b91719c22dc9f57fee6e4
Instruction ID: 7fb87991c295c70ece0bdab2690ddfe2013faaf38bf3779a80e7834553eb05d8
Opcode Fuzzy Hash: 6756eed7df6dfd159c42e77438e403d7f3ccf400c21b91719c22dc9f57fee6e4
Instruction Fuzzy Hash: 6EE19470A007499FDF25DFB4CE58BDE7BB9BF06709F008969A42AE7640DB34A549CB10

Function 6C8AC5E0 Relevance: 65.3, APIs: 7, Strings: 30, Instructions: 566
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 6C8AC60A
_fwprintf.LIBCONCRTD ref: 6C8AC9EA
CopyFileA.KERNEL32(?,?,00000000), ref: 6C8ACA77
CopyFileA.KERNEL32(?,?,00000000), ref: 6C8ACB1B
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000001,00000040,00000001), ref: 6C8ACCEA
CloseHandle.KERNEL32(?,?,00000002,00000040,00000001,?,?,?,?,?,?), ref: 6C8ACE00
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8ACE0D

Strings

set "BackupProcessPath=, xrefs: 6C8AC728
start "" "%ProcessPath%", xrefs: 6C8AC93F
monitor.pid, xrefs: 6C8ACD61
D, xrefs: 6C8ACB6E
timeout /t 30 /nobreak >nul, xrefs: 6C8AC967
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C8AC89F
\backup.dll, xrefs: 6C8ACA2C
if not exist "%DLLPath%" (, xrefs: 6C8AC8C7
if %ERRORLEVEL% neq 0 (, xrefs: 6C8AC92B
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C8AC917
\monitor.bat, xrefs: 6C8AC633
if not exist "%ProcessPath%" (, xrefs: 6C8AC877
set "DLLPath=, xrefs: 6C8AC7B8
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C8ACA81
@echo off, xrefs: 6C8AC6A2
cmd.exe /B /c "%s", xrefs: 6C8AC9DE
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C8ACB25
set "BackupDLLPath=, xrefs: 6C8AC7E7
echo DLL file not found, restoring from backup..., xrefs: 6C8AC8DB
echo Process file not found, restoring from backup..., xrefs: 6C8AC88B
goto CheckProcess, xrefs: 6C8AC97B
\backup.dll", xrefs: 6C8AC81D
\backup.exe, xrefs: 6C8ACAD0
set "ProcessName=, xrefs: 6C8AC6CA
monitor.pid, xrefs: 6C8ACBCD
\monitor.bat, xrefs: 6C8AC9BA
set "ProcessPath=, xrefs: 6C8AC6F9
:CheckProcess, xrefs: 6C8AC6B6
\backup.exe", xrefs: 6C8AC75E
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C8AC8EF

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CloseCopyFileHandle$CreatePathProcessTemp_fwprintf
String ID: copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$:CheckProcess$@echo off$D$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $\backup.dll$\backup.dll"$\backup.exe$\backup.exe"$\monitor.bat$\monitor.bat$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($monitor.pid$monitor.pid$set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul
API String ID: 3506407943-2707577350
Opcode ID: d87be6743680fdcc36ab904991d02a3d453a9d5c4740d18f3cab25eb6fd3ce1b
Instruction ID: c19cd1e7ed872e3f00b0da3162f984bc8f655f66d7630427bffa47183e2e5852
Opcode Fuzzy Hash: d87be6743680fdcc36ab904991d02a3d453a9d5c4740d18f3cab25eb6fd3ce1b
Instruction Fuzzy Hash: 3E325F75C00218ABDB24DBE4DE64FEDB7B4BF54304F1049A8E609A7641EB305B8ACF61

Function 6C8EADFA Relevance: 64.8, APIs: 43, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C8EAE01
GetSysColor.USER32(00000016), ref: 6C8EAE0A
GetSysColor.USER32(0000000F), ref: 6C8EAE1D
GetSysColor.USER32(00000015), ref: 6C8EAE34
GetSysColor.USER32(0000000F), ref: 6C8EAE40
GetDeviceCaps.GDI32(?,0000000C), ref: 6C8EAE68
GetSysColor.USER32(0000000F), ref: 6C8EAE76
GetSysColor.USER32(00000010), ref: 6C8EAE84
GetSysColor.USER32(00000015), ref: 6C8EAE92
GetSysColor.USER32(00000016), ref: 6C8EAEA0
GetSysColor.USER32(00000014), ref: 6C8EAEAE
GetSysColor.USER32(00000012), ref: 6C8EAEBC
GetSysColor.USER32(00000011), ref: 6C8EAECA
GetSysColor.USER32(00000006), ref: 6C8EAED5
GetSysColor.USER32(0000000D), ref: 6C8EAEE0
GetSysColor.USER32(0000000E), ref: 6C8EAEEB
GetSysColor.USER32(00000005), ref: 6C8EAEF6
GetSysColor.USER32(00000008), ref: 6C8EAF04
GetSysColor.USER32(00000009), ref: 6C8EAF0F
GetSysColor.USER32(00000007), ref: 6C8EAF1A
GetSysColor.USER32(00000002), ref: 6C8EAF25
GetSysColor.USER32(00000003), ref: 6C8EAF30
GetSysColor.USER32(0000001B), ref: 6C8EAF3E
GetSysColor.USER32(0000001C), ref: 6C8EAF4C
GetSysColor.USER32(0000000A), ref: 6C8EAF5A
GetSysColor.USER32(0000000B), ref: 6C8EAF68
GetSysColor.USER32(00000013), ref: 6C8EAF76
GetSysColor.USER32(0000001A), ref: 6C8EAF9F
GetSysColorBrush.USER32(00000010), ref: 6C8EAFB0
GetSysColorBrush.USER32(00000014), ref: 6C8EAFC3
GetSysColorBrush.USER32(00000005), ref: 6C8EAFD6
CreateSolidBrush.GDI32(?), ref: 6C8EAFF7
CreateSolidBrush.GDI32(?), ref: 6C8EB015
CreateSolidBrush.GDI32(?), ref: 6C8EB033
CreateSolidBrush.GDI32(?), ref: 6C8EB054
CreateSolidBrush.GDI32(?), ref: 6C8EB072
CreateSolidBrush.GDI32(?), ref: 6C8EB090
CreateSolidBrush.GDI32(?), ref: 6C8EB0AE
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C8EB0D4
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C8EB0F8
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C8EB11C
CreateSolidBrush.GDI32(?), ref: 6C8EB19A
CreatePatternBrush.GDI32(00000000), ref: 6C8EB1D8

Part of subcall function 6C8D24BB: DeleteObject.GDI32(00000000), ref: 6C8D24CA

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: e5811c3ffaaa74c02a50d650de56765897391373279464d31c7154c9ada9d3a4
Instruction ID: b50832ad4b43546b29d0e184b4aad1a70a467c4f89736de31676fa793e934079
Opcode Fuzzy Hash: e5811c3ffaaa74c02a50d650de56765897391373279464d31c7154c9ada9d3a4
Instruction Fuzzy Hash: 80C183B0B00B02AFDF199FB48D287DDBB71BF0A705F008625E619D7A81DB78A515DB90

Function 100054C0 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 263
registrymemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
_memset.LIBCMT ref: 10005548
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
RegCloseKey.ADVAPI32(?), ref: 100055B1
VirtualFree.KERNEL32(033A0000,00000000,00008000), ref: 10005605
_memset.LIBCMT ref: 10005669
_memset.LIBCMT ref: 1000568D
_memset.LIBCMT ref: 1000569F
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
RegCloseKey.KERNEL32(?), ref: 100057CE
Sleep.KERNEL32(00000BB8), ref: 100057FE

Strings

9e9e85e05ee16fc372a0c7df6549fbd4, xrefs: 10005528, 1000555D, 100057A6, 100057BE
., xrefs: 1000563A
{vU_, xrefs: 10005626
l, xrefs: 10005644
!jWW, xrefs: 10005630
0d3b34577c0a66584d5bdc849e214016, xrefs: 100055BA
_, xrefs: 1000564E
e, xrefs: 100054DC
i, xrefs: 10005658
Console\0, xrefs: 100054F3, 1000578F

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
API String ID: 354323817-737951744
Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

Function 6C8B3A20 Relevance: 40.7, APIs: 15, Strings: 6, Instructions: 3938
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C8B39D0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C8B39EE

_Smanip.LIBCPMTD ref: 6C8B40B1
_Smanip.LIBCPMTD ref: 6C8B89CC

Part of subcall function 6C8B3880: HandleT.LIBCPMTD ref: 6C8B38D7

Part of subcall function 6C8B3960: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 6C8B3981

_Smanip.LIBCPMTD ref: 6C8B8BEA
_Smanip.LIBCPMTD ref: 6C8B8CFB

Part of subcall function 6C8B37B0: SetFileAttributesA.KERNEL32(00000000,00000001,6C8B8DCB,000000FF,?,?,00000022,00000040,00000001), ref: 6C8B384E

Sleep.KERNEL32(000000C8,?,00000000,?,?,?,0000005C,?), ref: 6C8B8DE3
_Smanip.LIBCPMTD ref: 6C8B8E40
_Smanip.LIBCPMTD ref: 6C8B8F74
Sleep.KERNEL32(000000C8,?,00000000), ref: 6C8B9378
_Smanip.LIBCPMTD ref: 6C8B95A3
_Smanip.LIBCPMTD ref: 6C8B9660
WinExec.KERNEL32(00000000,00000000), ref: 6C8B973A
_Smanip.LIBCPMTD ref: 6C8B984F
_Smanip.LIBCPMTD ref: 6C8B990B
WinExec.KERNEL32(00000000,00000000), ref: 6C8B9A2C
Sleep.KERNEL32(00007530,?,?,?,?,?,?,00000063,?,00000070,?,?,?,?,00000063,?), ref: 6C8B9A37

Part of subcall function 6C8B3940: SetFileAttributesA.KERNEL32(00000000,00000080,?,6C8B9A65,?,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 6C8B3951

Part of subcall function 6C8B39B0: DeleteFileA.KERNEL32(6C8B9AC3,?,6C8B9AC3,00000000,00000000,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 6C8B39B7

Strings

cmd.exe /C , xrefs: 6C8B9656, 6C8B9659
powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", xrefs: 6C8B9596, 6C8B959C
\PolicyManagement.xml, xrefs: 6C8B8CF1, 6C8B8CF4
.NET Framework NGEN v4.0.30320, xrefs: 6C8B3A5E
powershell -ExecutionPolicy Bypass -File , xrefs: 6C8B9842, 6C8B9848
cmd.exe /C , xrefs: 6C8B9901, 6C8B9904

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Smanip$File$Sleep$AttributesExec$DeleteFolderHandleModuleNamePath
String ID: .NET Framework NGEN v4.0.30320$\PolicyManagement.xml$cmd.exe /C $cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
API String ID: 1248587581-523289145
Opcode ID: fc8a4b8a4bd244b931e98e6896b97a2a84ec631804619c550bb2e4a27df83d77
Instruction ID: 94225a70062a616b9f6df2249f04866a434e758ff6e602083188207f73a160a0
Opcode Fuzzy Hash: fc8a4b8a4bd244b931e98e6896b97a2a84ec631804619c550bb2e4a27df83d77
Instruction Fuzzy Hash: 14D37A50D0D6E8C9EB22C2688C587DDBEA55B22349F4841D9819C26283C7FF1F99CF76

Function 6C8B8AEB Relevance: 32.4, APIs: 13, Strings: 5, Instructions: 933
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C8B3960: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 6C8B3981

_Smanip.LIBCPMTD ref: 6C8B8BEA

Part of subcall function 6C8B3880: HandleT.LIBCPMTD ref: 6C8B38D7

_Smanip.LIBCPMTD ref: 6C8B8CFB

Part of subcall function 6C8B37B0: SetFileAttributesA.KERNEL32(00000000,00000001,6C8B8DCB,000000FF,?,?,00000022,00000040,00000001), ref: 6C8B384E

Sleep.KERNEL32(000000C8,?,00000000,?,?,?,0000005C,?), ref: 6C8B8DE3
_Smanip.LIBCPMTD ref: 6C8B8E40
_Smanip.LIBCPMTD ref: 6C8B8F74
Sleep.KERNEL32(000000C8,?,00000000), ref: 6C8B9378
_Smanip.LIBCPMTD ref: 6C8B95A3
_Smanip.LIBCPMTD ref: 6C8B9660
WinExec.KERNEL32(00000000,00000000), ref: 6C8B973A
_Smanip.LIBCPMTD ref: 6C8B984F
_Smanip.LIBCPMTD ref: 6C8B990B
WinExec.KERNEL32(00000000,00000000), ref: 6C8B9A2C
Sleep.KERNEL32(00007530,?,?,?,?,?,?,00000063,?,00000070,?,?,?,?,00000063,?), ref: 6C8B9A37

Part of subcall function 6C8B3940: SetFileAttributesA.KERNEL32(00000000,00000080,?,6C8B9A65,?,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 6C8B3951

Part of subcall function 6C8B39B0: DeleteFileA.KERNEL32(6C8B9AC3,?,6C8B9AC3,00000000,00000000,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 6C8B39B7

Strings

cmd.exe /C , xrefs: 6C8B9656, 6C8B9659
powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", xrefs: 6C8B9596, 6C8B959C
\PolicyManagement.xml, xrefs: 6C8B8CF1, 6C8B8CF4
powershell -ExecutionPolicy Bypass -File , xrefs: 6C8B9842, 6C8B9848
cmd.exe /C , xrefs: 6C8B9901, 6C8B9904

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Smanip$FileSleep$AttributesExec$DeleteFolderHandlePath
String ID: \PolicyManagement.xml$cmd.exe /C $cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
API String ID: 3436723257-703889769
Opcode ID: 96d3d8f304096586624c56adef8dbca5d101e19efaac54d2e551fff4a86649be
Instruction ID: 7712f58354d64343032a607845e309429ff9ce4118c029ae251b50f28b742f82
Opcode Fuzzy Hash: 96d3d8f304096586624c56adef8dbca5d101e19efaac54d2e551fff4a86649be
Instruction Fuzzy Hash: 09B24870C08298DAEB25CBA8CD44BDDBBB16F55308F0485E9D14977382DBB51B89CF62

Function 03522DA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 03522DBB
InterlockedExchange.KERNEL32(?,00000000), ref: 03522DC7
timeGetTime.WINMM ref: 03522DCD
socket.WS2_32(00000002,00000001,00000006), ref: 03522DFA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03522E26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03522E32
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03522E51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03522E5D
gethostbyname.WS2_32(00000000), ref: 03522E6B
htons.WS2_32(?), ref: 03522E8D
connect.WS2_32(?,?,00000010), ref: 03522EAB

Strings

0u, xrefs: 03522F1C

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: f831ad758c521aab8d10bef5bfddbdbbbed645dd7229cab6171f93ba001daabe
Instruction ID: 3157dec6d38bff4d6f5c7baf7551e390292799795b45d10867ebd8355666c059
Opcode Fuzzy Hash: f831ad758c521aab8d10bef5bfddbdbbbed645dd7229cab6171f93ba001daabe
Instruction Fuzzy Hash: 9D61C175A40314AFE724EFA4EC45FAAB7B8FF49B00F10051DF646AB2D0D7B0A8059B60

Function 10002D80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 10002D9B
InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
timeGetTime.WINMM ref: 10002DAD
socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
gethostbyname.WS2_32(00000000), ref: 10002E4B
htons.WS2_32(?), ref: 10002E6D
connect.WS2_32(?,?,00000010), ref: 10002E8B

Strings

0u, xrefs: 10002EFC

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

Function 03526A70 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(75BF73E0), ref: 03526A94
wsprintfW.USER32 ref: 03526AA7

Part of subcall function 03526910: GetCurrentProcessId.KERNEL32(CFBDC2C1,00000000,00000000,75BF73E0,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 03526938
Part of subcall function 03526910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 03526947
Part of subcall function 03526910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 03526960
Part of subcall function 03526910: CloseHandle.KERNEL32(00000000,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 0352696B

_memset.LIBCMT ref: 03526AC2
GetVersionExW.KERNEL32(?), ref: 03526ADB
GetCurrentProcess.KERNEL32(00000008,?), ref: 03526B12
OpenProcessToken.ADVAPI32(00000000), ref: 03526B19
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03526B3F
GetLastError.KERNEL32 ref: 03526B49
LocalAlloc.KERNEL32(00000040,?), ref: 03526B5D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03526B85
GetSidSubAuthorityCount.ADVAPI32 ref: 03526B98
GetSidSubAuthority.ADVAPI32(00000000), ref: 03526BA6
LocalFree.KERNEL32(?), ref: 03526BB5
CloseHandle.KERNEL32(?), ref: 03526BC2
wsprintfW.USER32 ref: 03526C1B

Strings

NO/, xrefs: 03526BDF
-N/, xrefs: 03526BEF
None/%s, xrefs: 03526BE7

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 3036438616-3095023699
Opcode ID: de8686829479602bddd675d208fed6b31e024022c038932988060dc054c79ac1
Instruction ID: 8fac4224fea9d49b355c0fe0423f92cf5a06f0051cac9aefdd7cc489d2df6e23
Opcode Fuzzy Hash: de8686829479602bddd675d208fed6b31e024022c038932988060dc054c79ac1
Instruction Fuzzy Hash: 1C41F974900234AFDB28EB61FC88FEE7B78FB0A304F044895F509961A1EB74D995CB61

Function 0352AD10 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 346
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0352AD53
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0352AD73

Strings

%s_bin, xrefs: 0352AE33
Console\0, xrefs: 0352B0DC
Console, xrefs: 0352AD39
IpDatespecial, xrefs: 0352AD6D

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: OpenQueryValue
String ID: %s_bin$Console$Console\0$IpDatespecial
API String ID: 4153817207-1338088003
Opcode ID: a1bc17ded5fd5a03bdcea7c74fc149934463ea1ad3f0fa78616706b4cb2fe91c
Instruction ID: 03730e8dd637bd28ae9acbd436b285587c29e33e91a64b6348ee23d27a22b51f
Opcode Fuzzy Hash: a1bc17ded5fd5a03bdcea7c74fc149934463ea1ad3f0fa78616706b4cb2fe91c
Instruction Fuzzy Hash: 5FC1F5B5A003119BE714EF24EC41F6B7BA8FF96714F080528F9499B2E1E771E905C7A2

Function 03526150 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 222stringcomregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0352618B
lstrcatW.KERNEL32(03551F10,0354510C,?,CFBDC2C1,00000AD4,00000000,75BF73E0), ref: 035261CD
lstrcatW.KERNEL32(03551F10,0354535C,?,CFBDC2C1,00000AD4,00000000,75BF73E0), ref: 035261D9
CoCreateInstance.OLE32(03542480,00000000,00000017,0354578C,?,?,CFBDC2C1,00000AD4,00000000,75BF73E0), ref: 03526220
_memset.LIBCMT ref: 035262CE
wsprintfW.USER32 ref: 03526336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0352635F
_memset.LIBCMT ref: 03526376

Part of subcall function 03526050: _memset.LIBCMT ref: 0352607C
Part of subcall function 03526050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03526088

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 03526186, 035261C8, 035261D4, 035263C9, 035263D5, 03526422, 03526436, 0352645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03526330

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1221949200-1583895642
Opcode ID: df01f223746ddf9cc5b52352f1394ea6448707002b56fdd86d09b41f2d92e3a9
Instruction ID: d0bfa01f1f7c7987da58fd043b6ca96ccf6de30424cde4dcf8407725dd9ff5cc
Opcode Fuzzy Hash: df01f223746ddf9cc5b52352f1394ea6448707002b56fdd86d09b41f2d92e3a9
Instruction Fuzzy Hash: E281B7B1A00228AFDB24DB54DC80FAEBBB8FF45704F044589F619A71A1D7B4AE45CF64

Function 6C8BC030 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 197networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C8BC053
getaddrinfo.WS2_32(?,?,?,00000000), ref: 6C8BC108
WSACleanup.WS2_32 ref: 6C8BC117
socket.WS2_32(?,?,?), ref: 6C8BC15F
WSACleanup.WS2_32 ref: 6C8BC173

Strings

206.238.198.14, xrefs: 6C8BC088, 6C8BC0A0, 6C8BC0EB
18852, xrefs: 6C8BC0B3, 6C8BC0CB, 6C8BC0DE

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Cleanup$Startupgetaddrinfosocket
String ID: 18852$206.238.198.14
API String ID: 2560534018-580617576
Opcode ID: ed54fa0d53f41dc313c6a4b2c6b4509791ca3c3dbc19e71d51ecacc96333d79e
Instruction ID: f326c22a151833ab396a82b7592f4e1ca7814e8963b1b31e94ea1e8a10b5271b
Opcode Fuzzy Hash: ed54fa0d53f41dc313c6a4b2c6b4509791ca3c3dbc19e71d51ecacc96333d79e
Instruction Fuzzy Hash: 8F816D75A10209DFCB28DFE8EA95BADB7B5BB8E304F10861DE105A7381CB309946DF50

Function 03525F40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88sleepstringsynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000000,2024.12.12), ref: 03525F66
GetLastError.KERNEL32 ref: 03525F6E
Sleep.KERNEL32(000003E8), ref: 03525F85
CreateMutexW.KERNEL32(00000000,00000000,2024.12.12), ref: 03525F90
GetLastError.KERNEL32 ref: 03525F92
_memset.LIBCMT ref: 03525FB9
lstrlenW.KERNEL32(?), ref: 03525FC6
lstrcmpW.KERNEL32(?,03545328), ref: 03525FED
Sleep.KERNEL32(000003E8), ref: 03525FF8
GetModuleHandleW.KERNEL32(00000000), ref: 03526005
GetConsoleWindow.KERNEL32 ref: 0352600F

Strings

2024.12.12, xrefs: 03525F5D, 03525F87
key, xrefs: 03525FD2
open, xrefs: 03525FCD

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
String ID: 2024.12.12$key$open
API String ID: 2922109467-1989854347
Opcode ID: 1970151b3030cc7f0c0c7a7d94b5502ef882aa8968ef48ca7b03ffafb3a62ba2
Instruction ID: db5065e7b0021c05c4967a0a14267a96b756e0c346812bbce1a84d3735e7389d
Opcode Fuzzy Hash: 1970151b3030cc7f0c0c7a7d94b5502ef882aa8968ef48ca7b03ffafb3a62ba2
Instruction Fuzzy Hash: A821E6755043259BD618EB60FC46F1EB7A8BB85608F540C19F604971E5EBB0A50AC7A3

Function 035262B6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 125stringregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 035262CE
wsprintfW.USER32 ref: 03526336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0352635F
_memset.LIBCMT ref: 03526376
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 035263B2
lstrcatW.KERNEL32(03551F10,?), ref: 035263CE
lstrcatW.KERNEL32(03551F10,0354535C), ref: 035263DA
RegCloseKey.ADVAPI32(00000000), ref: 035263E3
lstrlenW.KERNEL32(03551F10,?,CFBDC2C1,00000AD4,00000000,75BF73E0), ref: 03526427
lstrcatW.KERNEL32(03551F10,035453D4,?,CFBDC2C1,00000AD4,00000000,75BF73E0), ref: 0352643B

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 035263C9, 035263D5, 03526422, 03526436, 0352645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03526330

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1671694837-1583895642
Opcode ID: 85972bf9996f91c0e080a96cef94bbac69f54b267d90923cfde894611de89059
Instruction ID: 1a0aa3feac49c596b98b19ad0d7407faced7ffac087cb0c8171bd6fe9248c48e
Opcode Fuzzy Hash: 85972bf9996f91c0e080a96cef94bbac69f54b267d90923cfde894611de89059
Instruction Fuzzy Hash: 6141A1B1A00268AFCB24DB50DC90FAEB7B8BF49704F0441C9F349A7191D674AB84CF64

Function 03527490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,03525611,0000035E,000002FA), ref: 0352749C
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 035274B2
swprintf.LIBCMT ref: 035274EF

Part of subcall function 03527410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03527523), ref: 0352743D
Part of subcall function 03527410: GetProcAddress.KERNEL32(00000000), ref: 03527444
Part of subcall function 03527410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03527523), ref: 03527452

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03527547
RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03527563
RegCloseKey.KERNEL32(000002FA), ref: 03527586
FreeLibrary.KERNEL32(00000000,?,?,?,03525611,0000035E,000002FA), ref: 03527598

Strings

RtlGetNtVersionNumbers, xrefs: 035274AC
%d.%d.%d, xrefs: 035274E7
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0352753D
ntdll.dll, xrefs: 03527497
ProductName, xrefs: 0352755D

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2158625971-3190923360
Opcode ID: a0b52758bfa3e8e856df3062bdbf223203b830af970b61468d6ceb4496d64192
Instruction ID: d10d97f3ce3301d0549bacf9779af7f04a084b04bb5609ae5b155810cb605e7b
Opcode Fuzzy Hash: a0b52758bfa3e8e856df3062bdbf223203b830af970b61468d6ceb4496d64192
Instruction Fuzzy Hash: D031A775A00319BFD718EBA4EC45FBFBBBCEB49604F140919BA09A6195E670DA04C7A0

Function 0352C060 Relevance: 19.7, APIs: 13, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,CFBDC2C1,?,00000000,?), ref: 0352C09E
GlobalLock.KERNEL32(00000000), ref: 0352C0AA
GlobalUnlock.KERNEL32(00000000), ref: 0352C0BF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0352C0D5
EnterCriticalSection.KERNEL32(0354FB64), ref: 0352C113
LeaveCriticalSection.KERNEL32(0354FB64), ref: 0352C124

Part of subcall function 03529DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03529E04
Part of subcall function 03529DE0: GdipDisposeImage.GDIPLUS(?), ref: 03529E18

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0352C14C

Part of subcall function 0352A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0352A48D
Part of subcall function 0352A460: _free.LIBCMT ref: 0352A503

GetHGlobalFromStream.OLE32(?,?), ref: 0352C16D
GlobalLock.KERNEL32(?), ref: 0352C177
GlobalFree.KERNEL32(00000000), ref: 0352C18F

Part of subcall function 03529BA0: DeleteObject.GDI32(?), ref: 03529BD2
Part of subcall function 03529BA0: EnterCriticalSection.KERNEL32(0354FB64,?,?,?,03529B7B), ref: 03529BE3
Part of subcall function 03529BA0: EnterCriticalSection.KERNEL32(0354FB64,?,?,?,03529B7B), ref: 03529BF8
Part of subcall function 03529BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03529B7B), ref: 03529C04
Part of subcall function 03529BA0: LeaveCriticalSection.KERNEL32(0354FB64,?,?,?,03529B7B), ref: 03529C15
Part of subcall function 03529BA0: LeaveCriticalSection.KERNEL32(0354FB64,?,?,?,03529B7B), ref: 03529C1C

GlobalSize.KERNEL32(00000000), ref: 0352C1A5
GlobalUnlock.KERNEL32(?), ref: 0352C221
GlobalFree.KERNEL32(00000000), ref: 0352C249

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
String ID:
API String ID: 1483550337-0
Opcode ID: e6a57e5e9f14273e666738342e9132e0fef9af1c6e11124137a24b28f9527b63
Instruction ID: 2ceb64a61cc017631aa88429fc1c17bf7dd1e0869621252ccda9903c50869e56
Opcode Fuzzy Hash: e6a57e5e9f14273e666738342e9132e0fef9af1c6e11124137a24b28f9527b63
Instruction Fuzzy Hash: 19614BB5D00269AFCB14EFA9E884D9EBBB8FF89704F104529F515A7361DB309906CF50

Function 03526490 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 035264C2
RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 035264E2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03526524
_memset.LIBCMT ref: 03526560
_memset.LIBCMT ref: 0352658E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 035265BA
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 035265C3
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 035265D5
RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 03526625
lstrlenW.KERNEL32(?), ref: 03526635

Strings

Software\Tencent\Plugin\VAS, xrefs: 035264D8

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: 1e143c1a207da6da19ca88eee5996d6ec5aa9b4c317b6f51bffe222cf2f4255b
Instruction ID: 73b6e77c8df90ccec118d7ccc91d49e0df92a16a8f44e893adec4714c39f811f
Opcode Fuzzy Hash: 1e143c1a207da6da19ca88eee5996d6ec5aa9b4c317b6f51bffe222cf2f4255b
Instruction Fuzzy Hash: 4C41D8F5A40229ABDB24DB50DD85FEAB77CEB44700F4045D9F309B7091EA70AA858FA4

Function 6C8BCC00 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,C:\Users\Public\Bilite\), ref: 6C8BCCCA
SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,?,?,C:\Users\Public\Bilite\), ref: 6C8BCCF9
GetFileAttributesA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,C:\Users\Public\Bilite\), ref: 6C8BCDC6

Strings

C:\Users\Public\Bilite\, xrefs: 6C8BCC7E, 6C8BCC81
.lnk, xrefs: 6C8BCD74

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AttributesFile$FolderPath
String ID: .lnk$C:\Users\Public\Bilite\
API String ID: 1382956649-3663404336
Opcode ID: 06e905ab7e9cc40229afcb71b440ce66b7f79c317e9f2ddc5eeb13603e2dcd10
Instruction ID: c51689b50ac58ee3698f8e6550f1f68961229ae97aeed53a32089847e264cb52
Opcode Fuzzy Hash: 06e905ab7e9cc40229afcb71b440ce66b7f79c317e9f2ddc5eeb13603e2dcd10
Instruction Fuzzy Hash: 52A1BE70D04248EFDB24CBE8CD54BEEBBB4AF59304F104698E119B7381DB741A4ACBA5

Function 0352A460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0352A48D
_malloc.LIBCMT ref: 0352A4D1
_free.LIBCMT ref: 0352A503
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0352A522
GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0352A594
GdipDisposeImage.GDIPLUS(00000000), ref: 0352A59F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0352A5C5
GdipDisposeImage.GDIPLUS(00000000), ref: 0352A5DD

Strings

&, xrefs: 0352A579

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
String ID: &
API String ID: 2794124522-3042966939
Opcode ID: 77a9bbbfc8c83eba978ec333c3553e6587c1192a12aafeaa1344c660e442ad48
Instruction ID: 08f596b1a153b3c432656b53b74885dbb69a498beadebad7b0c05b5e217b1a58
Opcode Fuzzy Hash: 77a9bbbfc8c83eba978ec333c3553e6587c1192a12aafeaa1344c660e442ad48
Instruction Fuzzy Hash: F5516676A002259FDF14DFA4E844DEFBBB8FF49604F144559E905AB2A0EB34E905CBE0

Function 100052B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

IpDates_info, xrefs: 1000538C, 100053AA
SOFTWARE, xrefs: 10005378

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2

Function 100052D9 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

IpDates_info, xrefs: 1000538C, 100053AA
SOFTWARE, xrefs: 10005378

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761

Function 6C8DCBD5 Relevance: 15.1, APIs: 10, Instructions: 124memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CA988F0,?,?,?,6CA988D4,6CA988D4,?,6C8DCE3F,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DCBE6
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,6CA988D4,6CA988D4,?,6C8DCE3F,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004), ref: 6C8DCC58
GlobalHandle.KERNEL32(6CA988E4), ref: 6C8DCC62
GlobalUnlock.KERNEL32(00000000), ref: 6C8DCC74
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 6C8DCC8F
GlobalLock.KERNEL32(00000000), ref: 6C8DCC9A
LeaveCriticalSection.KERNEL32(6CA988F0), ref: 6C8DCCE7
GlobalHandle.KERNEL32(6CA988E4), ref: 6C8DCCFB
GlobalLock.KERNEL32(00000000), ref: 6C8DCD06
LeaveCriticalSection.KERNEL32(6CA988F0,?,?,?,6CA988D4,6CA988D4,?,6C8DCE3F,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DCD15

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 9ac5ee2e802d77e2b9b7f69f3cf2c769a029ea5ecfcfb5ec9ccb55e16f0c0c17
Instruction ID: a26740ba6699d2e0f240bd17e049578fa54163ae0fb21298936ad24f5baa62d0
Opcode Fuzzy Hash: 9ac5ee2e802d77e2b9b7f69f3cf2c769a029ea5ecfcfb5ec9ccb55e16f0c0c17
Instruction Fuzzy Hash: 8741E23160071AEFDB24AF68DE94B89BBB8FF01305F128569E515D7A41EB70F841CB50

Function 6CA29373 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CA2902C: CreateFileW.KERNEL32(00000040,00000000,?,6CA2941C,?,?,00000000,?,6CA2941C,00000040,0000000C), ref: 6CA29049

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA29487
__dosmaperr.LIBCMT ref: 6CA2948E
GetFileType.KERNEL32(00000000), ref: 6CA2949A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA294A4
__dosmaperr.LIBCMT ref: 6CA294AD
CloseHandle.KERNEL32(00000000), ref: 6CA294CD
CloseHandle.KERNEL32(6CA23A52), ref: 6CA2961A
GetLastError.KERNEL32 ref: 6CA2964C
__dosmaperr.LIBCMT ref: 6CA29653

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 8b47ca9d674eb0c05094f9d88e3b22be947577eeacb6bc10597d610f65a6c4e7
Instruction ID: 638a550fcdaa1fb2cd6afd8e1955e6cf4911f064f97e04017310a955ec172ae8
Opcode Fuzzy Hash: 8b47ca9d674eb0c05094f9d88e3b22be947577eeacb6bc10597d610f65a6c4e7
Instruction Fuzzy Hash: 6FA10631A182659FCF098F78DA51B9D7BB1AB46318F1C424DE811DB790C739889AC791

Function 0352CA70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,035412F8,CFBDC2C1,00000001,00000000,00000000), ref: 0352CAB1
RegQueryInfoKeyW.ADVAPI32(035412F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0352CAE0
_memset.LIBCMT ref: 0352CB44
_memset.LIBCMT ref: 0352CB53
RegEnumValueW.KERNEL32(035412F8,?,00000000,?,00000000,?,00000000,?), ref: 0352CB72

Part of subcall function 0352F707: _malloc.LIBCMT ref: 0352F721

Part of subcall function 0352F707: std::exception::exception.LIBCMT ref: 0352F756
Part of subcall function 0352F707: std::exception::exception.LIBCMT ref: 0352F770
Part of subcall function 0352F707: __CxxThrowException@8.LIBCMT ref: 0352F781

RegCloseKey.KERNEL32(035412F8,?,?,?,?,?,?,?,?,?,?,?,00000000,035412F8,000000FF), ref: 0352CC83

Strings

Console\0, xrefs: 0352CAA4

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
String ID: Console\0
API String ID: 1348767993-1253790388
Opcode ID: cde208e07d6ee2be3ff8a50a855a1675b5d6a99dbe03cadb556a10bdac051d30
Instruction ID: 9325f46fff2c03c1946b0eed834f7879f50f05a418b90e3f99791817cd452c25
Opcode Fuzzy Hash: cde208e07d6ee2be3ff8a50a855a1675b5d6a99dbe03cadb556a10bdac051d30
Instruction Fuzzy Hash: 816140B5D00219AFCB04DFA8E881EAEBBF8FF49314F144569F915E7291D7349901CBA0

Function 6C8BD180 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 176threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8A4560: Sleep.KERNEL32(00000064), ref: 6C8A45D7

Part of subcall function 6C8BCF30: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C8BCF63

CreateThread.KERNEL32(00000000,00000000,6C8BCB40,00000000,00000000,00000000), ref: 6C8BD28D
CreateThread.KERNEL32(00000000,00000000,6C8BC920,00000000,00000000,00000000), ref: 6C8BD2A3
WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C8BD2BB
CloseHandle.KERNEL32(00000000), ref: 6C8BD2CC

Part of subcall function 6C8BD000: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C8BD033

Part of subcall function 6C8B39D0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C8B39EE

Part of subcall function 6C8BD0D0: GetModuleHandleA.KERNEL32(00000000), ref: 6C8BD0E9

Part of subcall function 6C8AC5E0: GetTempPathA.KERNEL32(00000104,?), ref: 6C8AC60A

Part of subcall function 6C8BC780: GetModuleHandleA.KERNEL32(6C8BD37C), ref: 6C8BC78A
Part of subcall function 6C8BC780: FindResourceW.KERNEL32(?,?,?), ref: 6C8BC87A
Part of subcall function 6C8BC780: LoadResource.KERNEL32(?,00000000), ref: 6C8BC895
Part of subcall function 6C8BC780: SizeofResource.KERNEL32(?,00000000), ref: 6C8BC8A6
Part of subcall function 6C8BC780: LockResource.KERNEL32(?), ref: 6C8BC8B3

CreateThread.KERNEL32(00000000,00000000,6C8B3A20,00000000,00000000,00000000), ref: 6C8BD38E

Part of subcall function 6C8BC030: WSAStartup.WS2_32(00000202,?), ref: 6C8BC053
Part of subcall function 6C8BC030: getaddrinfo.WS2_32(?,?,?,00000000), ref: 6C8BC108
Part of subcall function 6C8BC030: WSACleanup.WS2_32 ref: 6C8BC117

Strings

IiViS, xrefs: 6C8BD1A6, 6C8BD1A9
Update.dll, xrefs: 6C8BD334, 6C8BD337

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Module$Resource$CreateFileHandleNameThread$CleanupCloseFindLoadLockObjectPathSingleSizeofSleepStartupTempWaitgetaddrinfo
String ID: IiViS$Update.dll
API String ID: 3269629270-2501748675
Opcode ID: ebe00871b96ac8fa8333a45c9a82dee789e41a2a1a3fb7cf20240d937e8d8f56
Instruction ID: 520f9e7e9116e2770889f0f12dff9ad5392691ade3c56314357187f4ac04c006
Opcode Fuzzy Hash: ebe00871b96ac8fa8333a45c9a82dee789e41a2a1a3fb7cf20240d937e8d8f56
Instruction Fuzzy Hash: 3461C271C00248BADF24D7E8ED55FEE7B746F51208F0488A8E10976781EF75664ECBA1

Function 0352BB00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0352F707: _malloc.LIBCMT ref: 0352F721

_memset.LIBCMT ref: 0352BB21
GetLastInputInfo.USER32(?), ref: 0352BB37
GetTickCount.KERNEL32 ref: 0352BB3D
wsprintfW.USER32 ref: 0352BB66
GetForegroundWindow.USER32 ref: 0352BB6F
GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0352BB83

Strings

%d min, xrefs: 0352BB60

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
String ID: %d min
API String ID: 3754759880-1947832151
Opcode ID: efdd2c12fdf33e665bc62c4943a754ad46b03d9ecceccd456d15fdfb35e34a9b
Instruction ID: 6577a75d63a97cc584eb1a104d202473fbe2e216404d054569d8c8b4671c5498
Opcode Fuzzy Hash: efdd2c12fdf33e665bc62c4943a754ad46b03d9ecceccd456d15fdfb35e34a9b
Instruction Fuzzy Hash: 5C41C9B5900225AFCB14DF94E884E9FBBB8FF45700F088554F909AB3A5D7749A04CBE1

Function 03526910 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(CFBDC2C1,00000000,00000000,75BF73E0,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 03526938
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 03526947
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 03526960
CloseHandle.KERNEL32(00000000,?,00000000,035410DB,000000FF,?,03526AB3,00000000), ref: 0352696B
SysStringLen.OLEAUT32(00000000), ref: 035269BE
SysStringLen.OLEAUT32(00000000), ref: 035269CC
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,035410DB,000000FF), ref: 03526A2E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,035410DB,000000FF), ref: 03526A34

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CloseHandleProcess$OpenString$CurrentToken
String ID:
API String ID: 429299433-0
Opcode ID: e8e1dc062279dac56116e2df938ab63b5712df3692294785c8756ac8fbbe4883
Instruction ID: c31198722564e52a38bfbf075025f4abe50f4b2a1f68c5c825a4447a0dd2b5f8
Opcode Fuzzy Hash: e8e1dc062279dac56116e2df938ab63b5712df3692294785c8756ac8fbbe4883
Instruction Fuzzy Hash: 5A41EBB6D002299FC710DFA9DC40EAEFBF8FB45304F144966E915E72A0D7755905CBA0

Function 6C9FF847 Relevance: 10.6, APIs: 7, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C9FF88E
___scrt_uninitialize_crt.LIBCMT ref: 6C9FF8A8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: f14590194bcc7bccb6b614542a2b0fefc0f9c24cb0f4834d9b48b66e82a4fa1a
Instruction ID: ff9f453e9011140cacaa2e009773863800b8044042d6ea41f6217ab155093fc7
Opcode Fuzzy Hash: f14590194bcc7bccb6b614542a2b0fefc0f9c24cb0f4834d9b48b66e82a4fa1a
Instruction Fuzzy Hash: E441B172E05619AFDB108F55C841BAE3AF9EB51B9CF11415AE83597B40D730CD87CBA0

Function 03526D70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03526DD9
RegOpenKeyExW.KERNEL32(80000001,03545164,00000000,00020019,75BF73E0), ref: 03526DFC
RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 03526E4A
lstrcmpW.KERNEL32(?,03545148), ref: 03526E60
lstrcpyW.KERNEL32(035256EA,?), ref: 03526E72

Strings

GROUP, xrefs: 03526E42

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: OpenQueryValue_memsetlstrcmplstrcpy
String ID: GROUP
API String ID: 2102619503-2593425013
Opcode ID: 36b6cc6eaf28dbfd592e579377babcd8405912d5ffd2c56b09682306e3796493
Instruction ID: 1be9f4add8cbef4ba212915bfb22c12b5c7ec194d16fb1111eeed4a408851df1
Opcode Fuzzy Hash: 36b6cc6eaf28dbfd592e579377babcd8405912d5ffd2c56b09682306e3796493
Instruction Fuzzy Hash: 8B31A771900329ABDB24DF90EC89F9FB7B8FB09714F100699E519A71A0DBB49A44CF50

Function 0352FA29 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0352FA4E
__calloc_crt.LIBCMT ref: 0352FA5A
__getptd.LIBCMT ref: 0352FA67
CreateThread.KERNEL32(00000000,00000000,0352F9C4,00000000,00000000,0352E003), ref: 0352FA9E
GetLastError.KERNEL32(?,00000000,?,?,0352E003,00000000,00000000,03525F40,00000000,00000000,00000000), ref: 0352FAA8
_free.LIBCMT ref: 0352FAB1
__dosmaperr.LIBCMT ref: 0352FABC

Part of subcall function 0352F91B: __getptd_noexit.LIBCMT ref: 0352F91B

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 6a611ad221111d04c1b29f52f9b706cdb16bdcf97d97dc41b08e9f633e1efd22
Instruction ID: 94f62ce4cbc3c449b4d54a1d04c7527f103d3cdbe3ede5f0714778ad551408f8
Opcode Fuzzy Hash: 6a611ad221111d04c1b29f52f9b706cdb16bdcf97d97dc41b08e9f633e1efd22
Instruction Fuzzy Hash: 1B11A03B20472BAFD710EEA5FC4099B3BB8FF86A64B150425F9048A1B0DB70D4018A60

Function 1000721B Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10007240
__calloc_crt.LIBCMT ref: 1000724C
__getptd.LIBCMT ref: 10007259
CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
_free.LIBCMT ref: 100072A3
__dosmaperr.LIBCMT ref: 100072AE

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
Opcode Fuzzy Hash: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0

Function 6C940B9E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C940BA5

Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6B3
Part of subcall function 6C8DF682: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6C9
Part of subcall function 6C8DF682: LeaveCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6D7
Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DF6E4

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C940BF8
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C940C0E

Strings

windows, xrefs: 6C940BF2, 6C940BF7, 6C940C08
DragDelay, xrefs: 6C940C03
DragMinDist, xrefs: 6C940BED

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 80452e11351023a5fc2651691da6be8c48d8de7bf8603da19ba92c19760cd99f
Instruction ID: 80953e89cc3111cd715c2a8af790b87c856d13e739c9836e84ad776dd65d9b2f
Opcode Fuzzy Hash: 80452e11351023a5fc2651691da6be8c48d8de7bf8603da19ba92c19760cd99f
Instruction Fuzzy Hash: 0D010CB0E00B019FDBA09F69865674ABAF1BB18708F409A2EE149D7E50E7749941CB44

Function 0352F9C4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0352F9CA

Part of subcall function 03533CA0: TlsGetValue.KERNEL32(00000000,03533DF9,?,03534500,00000000,00000001,00000000,?,03538DE6,00000018,03546448,0000000C,03538E76,00000000,00000000), ref: 03533CA9
Part of subcall function 03533CA0: DecodePointer.KERNEL32(?,03534500,00000000,00000001,00000000,?,03538DE6,00000018,03546448,0000000C,03538E76,00000000,00000000,?,03533F06,0000000D), ref: 03533CBB
Part of subcall function 03533CA0: TlsSetValue.KERNEL32(00000000,?,03534500,00000000,00000001,00000000,?,03538DE6,00000018,03546448,0000000C,03538E76,00000000,00000000,?,03533F06), ref: 03533CCA

___fls_getvalue@4.LIBCMT ref: 0352F9D5

Part of subcall function 03533C80: TlsGetValue.KERNEL32(?,?,0352F9DA,00000000), ref: 03533C8E

___fls_setvalue@8.LIBCMT ref: 0352F9E8

Part of subcall function 03533CD4: DecodePointer.KERNEL32(?,?,?,0352F9ED,00000000,?,00000000), ref: 03533CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 0352F9F1
ExitThread.KERNEL32 ref: 0352F9F8
GetCurrentThreadId.KERNEL32 ref: 0352F9FE
__freefls@4.LIBCMT ref: 0352FA1E

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 5447fb316510b2f2e4f2a7474fd338c01633b95e51ed08c6e4be3ac52d84a3a3
Instruction ID: b65576627bbd59ae047c3b827f9d2e7bcf4770f5f6461b0899dffdc6e27a8308
Opcode Fuzzy Hash: 5447fb316510b2f2e4f2a7474fd338c01633b95e51ed08c6e4be3ac52d84a3a3
Instruction Fuzzy Hash: A1F04F7C600756BBC708FF61F508C0E7FB8BF862447118558E9098B231DB34D442C791

Function 100071B6 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790

Function 6CA1EAD0 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c059be90b21570f01d9ad9e0f8df8a7d354fa038e00c2aa85d1795d3da925a
Instruction ID: 944b29d66b03f086a51469898ec2ae200a834791de1bb8d368de6dd993712387
Opcode Fuzzy Hash: 71c059be90b21570f01d9ad9e0f8df8a7d354fa038e00c2aa85d1795d3da925a
Instruction Fuzzy Hash: B7B1D3B0E08249AFDB05CF98C944BADBBB1BF46318F188159E4559BF81C77099C6CBE1

Function 6C8BC940 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C8BC94D
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 6C8BC98E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C8BC9B5
CloseHandle.KERNEL32(000000FF,?,?), ref: 6C8BC9F5

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ByteCharCloseCreateFirstHandleMultiProcess32SnapshotToolhelp32Wide
String ID:
API String ID: 1100011785-0
Opcode ID: 48d7bc257ac20bd5a8dcf6dc141e18a4b56e562e6af6d39e68384b2e8d3aff9d
Instruction ID: 52a560b5857dd74e6516b21305d149c9d532192619ccb79190077db7ecacd345
Opcode Fuzzy Hash: 48d7bc257ac20bd5a8dcf6dc141e18a4b56e562e6af6d39e68384b2e8d3aff9d
Instruction Fuzzy Hash: FA21B271A40208BBDF24DFE4DD49FEE7778AB49705F108698A119F62C1D7306649CB64

Function 100032E0 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
Sleep.KERNEL32(00000258), ref: 100032FE
InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
Sleep.KERNEL32(0000012C), ref: 1000332B

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0

Function 03526690 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0352669B
CoCreateInstance.OLE32(035446FC,00000000,00000001,0354471C,?,?,?,?,?,?,?,?,?,?,0352588A), ref: 035266B2
SysFreeString.OLEAUT32(?), ref: 0352674C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0352588A), ref: 0352677D

Strings

FriendlyName, xrefs: 0352673B

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName
API String ID: 841178590-3623505368
Opcode ID: 80b53cf03d9acb4919394eb7bf66754b8f0e5124602ed7e36b9f69482653b4ee
Instruction ID: 848b26d8e1b11cbe3c1fc1f149b9fbeea541e0180e58429c8e64a91beb15fe0a
Opcode Fuzzy Hash: 80b53cf03d9acb4919394eb7bf66754b8f0e5124602ed7e36b9f69482653b4ee
Instruction Fuzzy Hash: 7A313C75740605AFDB04DB99EC80EAEB7B9FF89604F148598F504EB2A4D771E902CBA0

Function 0352F707 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0352F721

Part of subcall function 0352F673: __FF_MSGBANNER.LIBCMT ref: 0352F68C
Part of subcall function 0352F673: __NMSG_WRITE.LIBCMT ref: 0352F693
Part of subcall function 0352F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03534500,00000000,00000001,00000000,?,03538DE6,00000018,03546448,0000000C,03538E76), ref: 0352F6B8

std::exception::exception.LIBCMT ref: 0352F756
std::exception::exception.LIBCMT ref: 0352F770
__CxxThrowException@8.LIBCMT ref: 0352F781

Strings

bad allocation, xrefs: 0352F74F

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 2edab046f1d4d867ff6bd64e73eac24af2bae08e86b9fa46523a04d93a57dcc4
Instruction ID: f78b14ecd17a58883db29b9dead96fdc8033ae8ca6f605a07b05c4722799f7f2
Opcode Fuzzy Hash: 2edab046f1d4d867ff6bd64e73eac24af2bae08e86b9fa46523a04d93a57dcc4
Instruction Fuzzy Hash: D8F02D7890072A6FCB08FB58FC20E9E7FB8BB8320CF180419E415DA1F1DB7096058B90

Function 6C8BC780 Relevance: 7.6, APIs: 5, Instructions: 117COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(6C8BD37C), ref: 6C8BC78A
FindResourceW.KERNEL32(?,?,?), ref: 6C8BC87A
LoadResource.KERNEL32(?,00000000), ref: 6C8BC895
SizeofResource.KERNEL32(?,00000000), ref: 6C8BC8A6
LockResource.KERNEL32(?), ref: 6C8BC8B3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof
String ID:
API String ID: 1601749889-0
Opcode ID: c7f3216b211a8b31957dc231a6cabf6a9312e1282e9a412b253c3eb7dc41a636
Instruction ID: d644bf7c840ded7f40041218cfe5233c7180761847aa890d7f7f1d406a3f2d74
Opcode Fuzzy Hash: c7f3216b211a8b31957dc231a6cabf6a9312e1282e9a412b253c3eb7dc41a636
Instruction Fuzzy Hash: F341F5B4E10208DBDB14DBE4E940BEEB776EF58300F109529E209E7390E7399E45CB5A

Function 00581C50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000001), ref: 00581C61
CommandLineToArgvW.SHELL32(00000000), ref: 00581C68
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00580000), ref: 00581CD3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00581CF3
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00580000,00000000,00000000,00000000,00582778,00000014), ref: 00581D25

Memory Dump Source

Source File: 00000003.00000002.3530270341.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.3530246451.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530302410.0000000000582000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530335645.0000000000583000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530372311.0000000000584000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530372311.00000000005C6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_Update.jbxd

Similarity

API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
String ID:
API String ID: 4060259846-0
Opcode ID: e2aa2471ab13495bc38d2d913d62f8197438a20d25496ff1bc71553158c3cadd
Instruction ID: fe383761ed14bcbbd9603c8c2793a835527b51f6b336c2c8e9cf5ed818ef6d2e
Opcode Fuzzy Hash: e2aa2471ab13495bc38d2d913d62f8197438a20d25496ff1bc71553158c3cadd
Instruction Fuzzy Hash: 42319070605705ABE710EF289C49B1B7BE8FF84711F10492DFD59AB2C1E770AD098BA6

Function 6C9FF8F5 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C9FF932
dllmain_crt_dispatch.LIBCMT ref: 6C9FF949
dllmain_raw.LIBCMT ref: 6C9FF991
dllmain_crt_dispatch.LIBCMT ref: 6C9FF9A4
dllmain_raw.LIBCMT ref: 6C9FF9B7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 2a346493c17c681fd001eab6a6ea8f127c9ccfa0d7b67c1c53161339fc619954
Instruction ID: 8a2bc0b203f38dec41523394952f3460af9072a7b2439fc4d3320d81ec711019
Opcode Fuzzy Hash: 2a346493c17c681fd001eab6a6ea8f127c9ccfa0d7b67c1c53161339fc619954
Instruction Fuzzy Hash: 91216B72E01659BBDF218F55C840AAE3AA9EB91B9CF114125E83857B54D730CD83CBA0

Function 10002D10 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
CancelIo.KERNEL32(?), ref: 10002D46
InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
closesocket.WS2_32(?), ref: 10002D59
SetEvent.KERNEL32(00000001), ref: 10002D63

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0

Function 6C8D8CE3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Shell32,?,?,6C8BF2AC,YSS.AppID.NoVersion,00000000,6CA9B478,?,Function_0018AEC0,000000FF,?,6C8A114D), ref: 6C8D8CEE
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C8D8CFF

Strings

SetCurrentProcessExplicitAppUserModelID, xrefs: 6C8D8CF9
Shell32, xrefs: 6C8D8CE7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
API String ID: 1646373207-2658420654
Opcode ID: 41fa9fd82af27c706ac79ed6ae1ebdbe1c9a7b3566b592c22ed89062fdb307f5
Instruction ID: 80c7d79afbc4af5af37f0d6d24d7bdeb181239c0480cabbffa318a9849c9f8f3
Opcode Fuzzy Hash: 41fa9fd82af27c706ac79ed6ae1ebdbe1c9a7b3566b592c22ed89062fdb307f5
Instruction Fuzzy Hash: 09E048717017666787245B65EC18C5A7B69DF51662311863AF909C7640CB34D801C6E4

Function 6C8EA342 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C8EA39F
VerSetConditionMask.KERNEL32(00000000), ref: 6C8EA3A7
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C8EA3B8
GetSystemMetrics.USER32(00001000), ref: 6C8EA3C9

Part of subcall function 6C8EADFA: __EH_prolog3.LIBCMT ref: 6C8EAE01
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000016), ref: 6C8EAE0A
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000000F), ref: 6C8EAE1D
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000015), ref: 6C8EAE34
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000000F), ref: 6C8EAE40
Part of subcall function 6C8EADFA: GetDeviceCaps.GDI32(?,0000000C), ref: 6C8EAE68
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000000F), ref: 6C8EAE76
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000010), ref: 6C8EAE84
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000015), ref: 6C8EAE92
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000016), ref: 6C8EAEA0
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000014), ref: 6C8EAEAE
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000012), ref: 6C8EAEBC
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000011), ref: 6C8EAECA
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000006), ref: 6C8EAED5
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000000D), ref: 6C8EAEE0
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000000E), ref: 6C8EAEEB
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000005), ref: 6C8EAEF6
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000008), ref: 6C8EAF04
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000009), ref: 6C8EAF0F
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000007), ref: 6C8EAF1A
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000002), ref: 6C8EAF25
Part of subcall function 6C8EADFA: GetSysColor.USER32(00000003), ref: 6C8EAF30
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000001B), ref: 6C8EAF3E
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000001C), ref: 6C8EAF4C
Part of subcall function 6C8EADFA: GetSysColor.USER32(0000000A), ref: 6C8EAF5A

Part of subcall function 6C8EA8DB: __EH_prolog3_GS.LIBCMT ref: 6C8EA8E5
Part of subcall function 6C8EA8DB: GetDeviceCaps.GDI32(?,00000058), ref: 6C8EA905
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EA961
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EA97F
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EA99D
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EA9BB
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EA9D9
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EA9F7
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EAA15
Part of subcall function 6C8EA8DB: DeleteObject.GDI32(00000000), ref: 6C8EAA33

Part of subcall function 6C8EA4AE: GetSystemMetrics.USER32(00000031), ref: 6C8EA4BC
Part of subcall function 6C8EA4AE: GetSystemMetrics.USER32(00000032), ref: 6C8EA4CA
Part of subcall function 6C8EA4AE: SetRectEmpty.USER32(?), ref: 6C8EA4DD
Part of subcall function 6C8EA4AE: EnumDisplayMonitors.USER32(00000000,00000000,6C8EA2C4,?,?,00000000,6C8EA3EA), ref: 6C8EA4ED
Part of subcall function 6C8EA4AE: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C8EA4FC
Part of subcall function 6C8EA4AE: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C8EA529
Part of subcall function 6C8EA4AE: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C8EA53D
Part of subcall function 6C8EA4AE: SystemParametersInfoW.USER32 ref: 6C8EA563

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 2442922003-0
Opcode ID: ace4d5ab8579c30264768aa2c2cffa683f51787174a19943a013614d5f23806c
Instruction ID: 34172b57871b17bcba9a38f0e7d03a8490421cdfce03e99dd52d44c67ff09f69
Opcode Fuzzy Hash: ace4d5ab8579c30264768aa2c2cffa683f51787174a19943a013614d5f23806c
Instruction Fuzzy Hash: 9E11CAB0B00318ABDB349F759C5AFEB77BCEB89708F00455DE206D7281CBB04A458B90

Function 10006F17 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10006F31

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

std::exception::exception.LIBCMT ref: 10006F66
std::exception::exception.LIBCMT ref: 10006F80
__CxxThrowException@8.LIBCMT ref: 10006F91

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740

Function 6C8AD410 Relevance: 4.6, APIs: 3, Instructions: 124COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 6C8AD47D
__fread_nolock.LIBCMT ref: 6C8AD4F9
__fread_nolock.LIBCMT ref: 6C8AD549

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: __fread_nolock$Min_value
String ID:
API String ID: 3100174245-0
Opcode ID: 69540fd15075f42c48b3ecf6efc8efd62ee66a9252466c8f0c774d105b5d3196
Instruction ID: a9faa159934cbc14e14093c79aa614ae4ccf4481fc07ac2a938e632464b6970c
Opcode Fuzzy Hash: 69540fd15075f42c48b3ecf6efc8efd62ee66a9252466c8f0c774d105b5d3196
Instruction Fuzzy Hash: 9D51EA75E01109EFDB14CFD8CA90AEEB7B5BF48308F10896AE915A7740D770AA46CB90

Function 03523160 Relevance: 4.6, APIs: 3, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0352316B
InterlockedExchange.KERNEL32(?,00000001), ref: 03523183
GetCurrentThreadId.KERNEL32 ref: 0352322F

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CurrentThread$ExchangeInterlocked
String ID:
API String ID: 4033114805-0
Opcode ID: 0dbb5fc35bddbb516a8a8fdbb9ae7c8667ae9e1225777239636a8e0d0fa0858b
Instruction ID: a43a0a191d64f2729d444b5cf86d1a967f0d74a58c9e6c2548233bfdaa1532e0
Opcode Fuzzy Hash: 0dbb5fc35bddbb516a8a8fdbb9ae7c8667ae9e1225777239636a8e0d0fa0858b
Instruction Fuzzy Hash: A231B1782006229FC718DF29D480A67BBF9FF85704B10C92CE85ACB6A5D735F842CB80

Function 035211B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 035211E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03521226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03521255

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 87639c270729f20578af644a386dfa7b2660d78d707fbb39d5da95b169225805
Instruction ID: cef98318a0cbf46dd19049f293649d2f66160f53b25285155e5d95cd985f246f
Opcode Fuzzy Hash: 87639c270729f20578af644a386dfa7b2660d78d707fbb39d5da95b169225805
Instruction Fuzzy Hash: 6921C275A00B099FDB14DFAEE845B6FFBF8FF41705F0089A9E849E2690E730A9108740

Function 100011B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 100011E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790

Function 03521100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0352112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0352115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03521192

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 4e5e76e57744db7ac219f8254736a1ef7623833b040b6f0c085fd94083dcba5f
Instruction ID: db7814b07698a6fb73e2437f46ae6889bde09f9a6092a0f2a243075445b6572b
Opcode Fuzzy Hash: 4e5e76e57744db7ac219f8254736a1ef7623833b040b6f0c085fd94083dcba5f
Instruction Fuzzy Hash: D411B174A00709ABDB109FA9E885B6FFBB8FF05705F0088A9E959E2290E730A9148750

Function 10001100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 1000112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750

Function 03529DE0 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03529E04
GdipDisposeImage.GDIPLUS(?), ref: 03529E18
GdipDisposeImage.GDIPLUS(?), ref: 03529E3B

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Gdip$DisposeImage$BitmapCreateFromStream
String ID:
API String ID: 800915452-0
Opcode ID: 8ddd75dfee81debf19873da0cb847058730dc9b69a50d972e474167ac7f4a8ff
Instruction ID: 6f5f90eaf77b58e374629daede4a1233b047afe86042a25bae2c4efaeb430d33
Opcode Fuzzy Hash: 8ddd75dfee81debf19873da0cb847058730dc9b69a50d972e474167ac7f4a8ff
Instruction Fuzzy Hash: F4F0A476900239978B14EF94E844CAEFBB9FB45615F14454AFC05AB350E7308F15CBD1

Function 03529AC0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0354FB64), ref: 03529ADC
GdiplusStartup.GDIPLUS(0354FB60,?,?), ref: 03529B15
LeaveCriticalSection.KERNEL32(0354FB64), ref: 03529B26

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: babffab19bc3df1368ac2bdc639521a364ad9847c9be57eee98f8f2446c6baf1
Instruction ID: fcc0ce437d8871d4bcd983c326bb6f4d90ddad132d1936d9c1f7dcf7e8943bad
Opcode Fuzzy Hash: babffab19bc3df1368ac2bdc639521a364ad9847c9be57eee98f8f2446c6baf1
Instruction Fuzzy Hash: 75F0F6359402199FDB08EFD5F82ABEFBBB8F706309F000199E80453290D7720159DBA2

Function 6CA1F207 Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(6CA0FD10,?,6CA0FD10,?), ref: 6CA1F20F
GetLastError.KERNEL32(?,6CA0FD10,?), ref: 6CA1F219
__dosmaperr.LIBCMT ref: 6CA1F220

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 8b83e9c2aef688eedd6fa6f600622291229e54d9e3aec19c9a2798997095f9b2
Instruction ID: ffa910e99bac764b9812e5cf57035cd9755a8121ca6eded8f52031d5ff14b928
Opcode Fuzzy Hash: 8b83e9c2aef688eedd6fa6f600622291229e54d9e3aec19c9a2798997095f9b2
Instruction Fuzzy Hash: E4D0A9322086086B8B14AAB2BC184163B2DAA822783080319F02CC4980EA25C8828280

Function 10003200 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10003200

Strings

206.238.198.14, xrefs: 1002026C
9091, xrefs: 10020254

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep
String ID: 206.238.198.14$9091
API String ID: 3472027048-162734680
Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550

Function 10007156 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 1000715B

Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904

__freeptd.LIBCMT ref: 10007165

Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
Part of subcall function 10009A58: TlsSetValue.KERNEL32(00000021,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE

ExitThread.KERNEL32 ref: 1000716E

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291

Function 033A01CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 033A022B

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: 6a9ce1c75e311a7c0e1a6966ab78371385ace3072b3f8e3cb7c253eaf1f15492
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: 6EA13B75A00A06EFDB18CFADC8C0AAEB7B5FF48304F1881A9E455DB651D770EA51CB90

Function 6CA1DC74 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CA1D38A: GetConsoleOutputCP.KERNEL32(CDD28759,00000000,00000000,?), ref: 6CA1D3ED

WriteFile.KERNEL32(?,6CA23A52,00000000,6CA29FC5,00000000,6CA23A52,00000000,00000000,?,6CA29FC5,00000000,00000000,6CA29F02,6CA23A52,00000000,?), ref: 6CA1DDF9
GetLastError.KERNEL32(?,6CA29FC5,00000000,00000000,6CA29F02,6CA23A52,00000000,?,6CA292C1,00000000,6CA23A52), ref: 6CA1DE03

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: d019686862690680ebc1264e7abc625525f67ab798162abd3bf08b5da65ca571
Instruction ID: 2355bb7e8cbb06aa78b5e4def19d23396cb7faaad94e8d7bcd209c0d5d3b3900
Opcode Fuzzy Hash: d019686862690680ebc1264e7abc625525f67ab798162abd3bf08b5da65ca571
Instruction Fuzzy Hash: 1261C771D19119AFDF02CFA8C984AEEBFB9BF4A30CF180549E914A7A41D371D985CB90

Function 10003350 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 10003403
_memmove.LIBCMT ref: 10003495

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90

Function 03522FD0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03523043
recv.WS2_32(?,?,00040000,00000000), ref: 03523064

Part of subcall function 0352F91B: __getptd_noexit.LIBCMT ref: 0352F91B

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: f59a053781454c9c6228ae0da76391affc281a60d0110dabe510c91ee957dab4
Instruction ID: 18fe95721a3a5f83394a80d68b8a7229195231026e534e1fb552d4d82414f530
Opcode Fuzzy Hash: f59a053781454c9c6228ae0da76391affc281a60d0110dabe510c91ee957dab4
Instruction Fuzzy Hash: 8A2191796003289BDB20EF69EC85B9A7BB4FF46710F1805A5E5045B1F0D774A984CBB1

Function 10002FB0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
recv.WS2_32(?,?,00040000,00000000), ref: 10003044

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1

Function 6CA1D836 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6CA1DDDF,?,6CA292C1,6CA23A52,00000000,6CA23A52,00000000), ref: 6CA1D8D2
GetLastError.KERNEL32(?,6CA1DDDF,?,6CA292C1,6CA23A52,00000000,6CA23A52,00000000,00000000,?,6CA29FC5,00000000,00000000,6CA29F02,6CA23A52,00000000), ref: 6CA1D8F8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 0a375bd6e04e64fbbf71f90c04a342c5d1ba0af3bba44504e1e837d26edb229e
Instruction ID: ed1bf097464053e84124a9cd3aa8c7ff732ae6539c30cc5324afcdc42cfa112c
Opcode Fuzzy Hash: 0a375bd6e04e64fbbf71f90c04a342c5d1ba0af3bba44504e1e837d26edb229e
Instruction Fuzzy Hash: 0421F334E042298FDB1ACF59DC849D9B7BAEB49305F2481A9E94AD7B10D730DD82CF60

Function 6C9FF740 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C9FF78D

Part of subcall function 6CA007C2: InitializeSListHead.KERNEL32(6CA9A848,6C9FF797,6CA8CB98,00000010,6C9FF728,?,?,?,6C9FF94E,?,00000001,?,?,00000001,?,6CA8CBE0), ref: 6CA007C7

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C9FF7F7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: a3052271047cacc68084bc3e2c4b3440af59b029bf9778861da0be53fc960e46
Instruction ID: 4a07e22926321fedfa6774168b8e3afc1b7b8605bf9ea37122f25ae5324ea91e
Opcode Fuzzy Hash: a3052271047cacc68084bc3e2c4b3440af59b029bf9778861da0be53fc960e46
Instruction Fuzzy Hash: 5D2143327496068EDB045FB4A8147DC37F2AF6236DF10419AC4A2A6FC1DB22808FC765

Function 6C8A4560 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 63sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8A4310: Mailbox.LIBCMTD ref: 6C8A436E

Sleep.KERNEL32(00000064), ref: 6C8A45D7

Strings

Game Over! Final Score: , xrefs: 6C8A45E0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MailboxSleep
String ID: Game Over! Final Score:
API String ID: 3547818576-1191702134
Opcode ID: ec675a04d7961d9472ee0ed1c5c94fb964c75bc901f7f12bda01ec39a1f199ce
Instruction ID: e57fb4f040b0074515a2c58f807471b6f90f63d96a7a8c0d73fd00f9ab64b974
Opcode Fuzzy Hash: ec675a04d7961d9472ee0ed1c5c94fb964c75bc901f7f12bda01ec39a1f199ce
Instruction Fuzzy Hash: 09118BF5C001085BDF14DBD4EE55BDDB778AB54618F140E34E419A3B40FB35AA09C7A2

Function 03523260 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 03523291
send.WS2_32(?,?,?,00000000), ref: 035232CE

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 010881bb5cca2622eba84ef6b65ba3648ffac13dc0806493da00106b5c006a46
Instruction ID: 9e1e06898b4c9d1da924120e6e944c83a78083f901600a04b6a7e0513324a5d7
Opcode Fuzzy Hash: 010881bb5cca2622eba84ef6b65ba3648ffac13dc0806493da00106b5c006a46
Instruction Fuzzy Hash: 8511E57AB01324A7C720CA6AEC88B5ABFA9FB82264F144125F908D72E0D278AD459654

Function 6CA1EF80 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,6C8AF27C,00008000,6CA23A52,?,?,?,6CA1F08A,6CA23A52,?,00000000,6C8AF27C,?), ref: 6CA1EFBC
GetLastError.KERNEL32(00000000,?,?,?,6CA1F08A,6CA23A52,?,00000000,6C8AF27C,?,00000000,00008000,6CA23A52,?,?,6CA29390), ref: 6CA1EFC9

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 210c975e8e1d64287cb12766194424c68fedbb669e17cf0fecb5b80031c1a017
Instruction ID: 84663cd7d51482429416b89870fc44544337d45952fdd79277c832a5fbc9353a
Opcode Fuzzy Hash: 210c975e8e1d64287cb12766194424c68fedbb669e17cf0fecb5b80031c1a017
Instruction Fuzzy Hash: 3401C832618655AFCB058F59DC0989E7B36EBC6324B284208FC11DBAD0E671D9918BD0

Function 035230E0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0352310A
timeGetTime.WINMM ref: 03523124

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: aabf24dda5926ef488fbb7ea2cf5631b6e14aa915e9b733f65018679c5150d2b
Instruction ID: 6227c1f529a8c1d9fa54e47c500d3a1fede8c3e9752e7bea7c60f63d8c8892f5
Opcode Fuzzy Hash: aabf24dda5926ef488fbb7ea2cf5631b6e14aa915e9b733f65018679c5150d2b
Instruction Fuzzy Hash: B801D439200266AFD315DF29E8C8B69FBB5FB9A301F184264E604471E0C735A9C6C7D1

Function 100030C0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 100030EA
timeGetTime.WINMM ref: 10003104

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1

Function 0352CD00 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,0352E04E,00000000,03529800,?,?,?,00000000,0354125B,000000FF,?,0352E04E), ref: 0352CD1B
_free.LIBCMT ref: 0352CD56

Part of subcall function 03521280: __CxxThrowException@8.LIBCMT ref: 03521290
Part of subcall function 03521280: DeleteCriticalSection.KERNEL32(00000000,0352D3E6,03546624,?,?,0352D3E6,?,?,?,?,03545A40,00000000), ref: 035212A1

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: 10b9b23fe5e0c672cbe4b83d3ff079f6209cd8acc17fca22dfd66e750b9fe73a
Instruction ID: a1406227761d33682f91e1a9194636fd6d1acfbfc153221821de975dedc7be31
Opcode Fuzzy Hash: 10b9b23fe5e0c672cbe4b83d3ff079f6209cd8acc17fca22dfd66e750b9fe73a
Instruction Fuzzy Hash: 0C017EB4A00B508FC330DF6AA844A07FAF8FF99700B114A1EE6DAC7A60D370A105CF55

Function 10006410 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
_free.LIBCMT ref: 10006466

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55

Function 6C8BC1CC Relevance: 3.0, APIs: 2, Instructions: 28networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?), ref: 6C8BC15F
WSACleanup.WS2_32 ref: 6C8BC173
connect.WS2_32(00000410,?,?), ref: 6C8BC1A0
closesocket.WS2_32(00000410), ref: 6C8BC1B5
freeaddrinfo.WS2_32(00000000,?,?), ref: 6C8BC1D5
WSACleanup.WS2_32 ref: 6C8BC1E5

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Cleanup$closesocketconnectfreeaddrinfosocket
String ID:
API String ID: 2878866204-0
Opcode ID: a090edf7e6f21867a276a90162998c503b5bc18709e24102e348308717172186
Instruction ID: 222e50bd038611ed298738a363602c4756f1134948fc1133ccdb59595bbc08c6
Opcode Fuzzy Hash: a090edf7e6f21867a276a90162998c503b5bc18709e24102e348308717172186
Instruction Fuzzy Hash: AEF03078A45109EFCB14DFE4DB44A99B3B5EB89314F208788E908A7781C730DE42DB50

Function 0352E480 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0352DF10,00000000,00000000,00000000), ref: 0352E49B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,03531168,?,?,?,?,?,?,03546298,0000000C,03531210,?), ref: 0352E4A9

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: bbf2f75fcfb7d91c0af25da58d081a9444823934f3edbec1a734b038d6101973
Instruction ID: e86532f9ebba1a05dcbd1a60481f07dbad8a50e344e586fe6a7d4ea8cbaac9ab
Opcode Fuzzy Hash: bbf2f75fcfb7d91c0af25da58d081a9444823934f3edbec1a734b038d6101973
Instruction Fuzzy Hash: 3CE0C2B1044319BFDF00EA55BC95E3A3BDCE304330B100611B920C26B8D630A9419AA0

Function 0352F983 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0352F98F

Part of subcall function 03533E5B: __getptd_noexit.LIBCMT ref: 03533E5E
Part of subcall function 03533E5B: __amsg_exit.LIBCMT ref: 03533E6B

Part of subcall function 0352F964: __getptd_noexit.LIBCMT ref: 0352F969
Part of subcall function 0352F964: __freeptd.LIBCMT ref: 0352F973
Part of subcall function 0352F964: ExitThread.KERNEL32 ref: 0352F97C

__XcptFilter.LIBCMT ref: 0352F9B0

Part of subcall function 0353418F: __getptd_noexit.LIBCMT ref: 03534195

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: bfec36aeef5b8d705b477ea4f62cf8bc297a328c14ee2c9c7b0eaf7320bda0f9
Instruction ID: c92fda53f7dcbf549934691add2bb2b3485f06d8b7d738c690e47e5f6e5739e7
Opcode Fuzzy Hash: bfec36aeef5b8d705b477ea4f62cf8bc297a328c14ee2c9c7b0eaf7320bda0f9
Instruction Fuzzy Hash: 4CE0ECB9904702EFEB18EBA1E905E7D7775BF86601F200148E1026F2B1CB799940DA21

Function 10007175 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10007181

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E

__XcptFilter.LIBCMT ref: 100071A2

Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24

Function 03536403 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0353641B

Part of subcall function 03538E5B: __mtinitlocknum.LIBCMT ref: 03538E71
Part of subcall function 03538E5B: __amsg_exit.LIBCMT ref: 03538E7D
Part of subcall function 03538E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03533F06,0000000D,03546340,00000008,03533FFF,00000000,?,035310F0,00000000,03546278,00000008,03531155,?), ref: 03538E85

__tzset_nolock.LIBCMT ref: 0353642C

Part of subcall function 03535D22: __lock.LIBCMT ref: 03535D44
Part of subcall function 03535D22: ____lc_codepage_func.LIBCMT ref: 03535D8B
Part of subcall function 03535D22: __getenv_helper_nolock.LIBCMT ref: 03535DAD
Part of subcall function 03535D22: _free.LIBCMT ref: 03535DE4
Part of subcall function 03535D22: _strlen.LIBCMT ref: 03535DEB
Part of subcall function 03535D22: __malloc_crt.LIBCMT ref: 03535DF2
Part of subcall function 03535D22: _strlen.LIBCMT ref: 03535E08
Part of subcall function 03535D22: _strcpy_s.LIBCMT ref: 03535E16
Part of subcall function 03535D22: __invoke_watson.LIBCMT ref: 03535E2B
Part of subcall function 03535D22: _free.LIBCMT ref: 03535E3A

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: c060d0d7c21ccd2c6be56da1a7fa3e9ad0bd7d57121fa30ba8a9ac1985ad1c65
Instruction ID: 825e0ad4b9cca044310028c14da23e476867f3f25971c5f8b945fea834efe112
Opcode Fuzzy Hash: c060d0d7c21ccd2c6be56da1a7fa3e9ad0bd7d57121fa30ba8a9ac1985ad1c65
Instruction Fuzzy Hash: 92E08C78C42312E6C622FBE0B282A1C73307BC3B21B900149E4411B0F0DB308256E692

Function 1000474C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(|p1:206.238.198.14|o1:9091|t1:1|p2:206.238.198.14|o2:9092|t2:1|p3:206.238.198.14|o3:9093|t3:1|dd:1|cl:1|fz:), ref: 10004755

Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655

Strings

|p1:206.238.198.14|o1:9091|t1:1|p2:206.238.198.14|o2:9092|t2:1|p3:206.238.198.14|o3:9093|t3:1|dd:1|cl:1|fz:, xrefs: 10004750

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __wcsrevlstrlen
String ID: |p1:206.238.198.14|o1:9091|t1:1|p2:206.238.198.14|o2:9092|t2:1|p3:206.238.198.14|o3:9093|t3:1|dd:1|cl:1|fz:
API String ID: 4062721203-120680253
Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1

Function 03526EBC Relevance: 3.0, APIs: 2, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80000001,03526E9A), ref: 03526EC9
RegCloseKey.ADVAPI32(75BF73E0), ref: 03526ED2

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 7b4ca34bbeaf61db50a778c818619153038733033d1bf423fa359917b37c3ca0
Instruction ID: b142b48bb668aba679eff4851acca7c6d1ffe79976addc437e7d4f45eafc9640
Opcode Fuzzy Hash: 7b4ca34bbeaf61db50a778c818619153038733033d1bf423fa359917b37c3ca0
Instruction Fuzzy Hash: ECC04C72D0103857CB14E6A4ED4494977B85B4C110F1144C2A108A3114C634BD418F90

Function 6CA1960A Relevance: 2.6, APIs: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,6CA0EDF8,6CA19144,?,?,6CA19506,00000001,00000364,?,00000006,000000FF,?,?,6CA05A34), ref: 6CA1960E
SetLastError.KERNEL32(00000000,6C8A458B,00000000,?,?,?,?,?,?,?,?,?,?,?,6CA2B00D,000000FF), ref: 6CA196B0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3312f3bd528a026b55022556e5658e5ed11edf17e5e935f36106d021043db99d
Instruction ID: 900f953ebefa388126be7be1b0738fd93566a975f467e151cd9593bc2b221bc5
Opcode Fuzzy Hash: 3312f3bd528a026b55022556e5658e5ed11edf17e5e935f36106d021043db99d
Instruction Fuzzy Hash: 3211E13235D3116EE7012EB48FC9DDA366DAB423ACB184230F93982ED0EB55898DC176

Function 6CA1DFF4 Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,6CA1DFE3,6CA29566,?,00000000,00000000), ref: 6CA1E04A
GetLastError.KERNEL32(?,00000000,?,6CA1DFE3,6CA29566,?,00000000,00000000), ref: 6CA1E054

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: c59e823d1c04165dd797cd103e58705a9f053d50752747f0bd6a3b8364de688e
Instruction ID: e54b4ed9b5829d48462fc0a25594a45e32cc53453a640536560083377193296e
Opcode Fuzzy Hash: c59e823d1c04165dd797cd103e58705a9f053d50752747f0bd6a3b8364de688e
Instruction Fuzzy Hash: 50112932B8C2105ED7150634994D79E27BA9F8273CF2D0309E81DC6FC0DF6198C541D0

Function 6CA16527 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcddb850c144f0339e48f50db203528eee9bdbfb506c79adc8520c0470a9fa4
Instruction ID: 71c447d40759649f42b1323fd78f3f1279d24623fcfa237bec48b7c10c908518
Opcode Fuzzy Hash: 1dcddb850c144f0339e48f50db203528eee9bdbfb506c79adc8520c0470a9fa4
Instruction Fuzzy Hash: 9D519270A08204EFDB04CF58C980AD9BFB1EF49368F288158E859DBB51D7719E85CB90

Function 6C8BC530 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

fpos.LIBCPMTD ref: 6C8BC5C7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: fpos
String ID:
API String ID: 1083263101-0
Opcode ID: 7f29ea71bf61a0de4ea2a289fa7fe8bd5c9fb4013beb31001578348d32c21df6
Instruction ID: 0cf9653aa3966a4936d6350ab9a34d9318f7d67c1ac051cc89341ddb2f8c59c1
Opcode Fuzzy Hash: 7f29ea71bf61a0de4ea2a289fa7fe8bd5c9fb4013beb31001578348d32c21df6
Instruction Fuzzy Hash: 7D412C70900109EBDB24DF98DE51FEEB7B5BF44304F108A68A5167B790DB716E4ACB90

Function 6C8BD620 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

fpos.LIBCPMTD ref: 6C8BD6E7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: fpos
String ID:
API String ID: 1083263101-0
Opcode ID: ff1f08e6be1675f8de49bb2fa1126219e1f7dbcd09095ab3ca6182da6bec6f29
Instruction ID: e5eaa0053395e90943ebc8eec8b0e2e0d73fb659563b2fc7ab9aa88edd388f1f
Opcode Fuzzy Hash: ff1f08e6be1675f8de49bb2fa1126219e1f7dbcd09095ab3ca6182da6bec6f29
Instruction Fuzzy Hash: B84109B5A00109EFCB04CF98DA91AEEB7B1FF49314F248619E515BB790C731AE01CBA4

Function 6C8E95E7 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8E95EE

Part of subcall function 6C8EA342: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C8EA39F
Part of subcall function 6C8EA342: VerSetConditionMask.KERNEL32(00000000), ref: 6C8EA3A7
Part of subcall function 6C8EA342: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C8EA3B8
Part of subcall function 6C8EA342: GetSystemMetrics.USER32(00001000), ref: 6C8EA3C9

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2710481357-0
Opcode ID: 51e0256d824e8ba4e0066307178fd9b4f6443c91ab69ce9b41da6b7e691b845b
Instruction ID: a373c92adde23fab23f7b7b167073139483335ca812f7bd33d8cf855dcd08c42
Opcode Fuzzy Hash: 51e0256d824e8ba4e0066307178fd9b4f6443c91ab69ce9b41da6b7e691b845b
Instruction Fuzzy Hash: 0351DEB0945F41CFD3A9CF3A85417C6FAE0BF89300F108A2E81AED6660EB716184CF55

Function 6CA23A96 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6CA23A4D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 94b0d5ea21cf6b70640e98bcd8f5d053865cc54454becc6e2a7ca772e9e766ce
Instruction ID: 380c5b0a1f7f4a4051e96d82c4dbc3b8abdf9e8fef8d53448c024ac1008e6977
Opcode Fuzzy Hash: 94b0d5ea21cf6b70640e98bcd8f5d053865cc54454becc6e2a7ca772e9e766ce
Instruction Fuzzy Hash: 1C116A71A0420EAFCB05CF58E94499B3BF8EF49314F088069F809EB341D631E915CBA4

Function 6C8B37B0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000001,6C8B8DCB,000000FF,?,?,00000022,00000040,00000001), ref: 6C8B384E

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 563511991c0cec5eba08501e0f0a54fca63281530601eda94014aa2901480a27
Instruction ID: 93cc6fcf45702c06fab7080e5e6398d07db5b422fb867660027c828435d1ec13
Opcode Fuzzy Hash: 563511991c0cec5eba08501e0f0a54fca63281530601eda94014aa2901480a27
Instruction Fuzzy Hash: D1115C70A00109ABDB24DF98DD50FEEB774BB44304F108A68E51AA77C0DF30AA4ACB94

Function 0353A6F2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0353454A,00000000,00000001,00000000,00000000,00000000,?,03533E0D,00000001,00000214,?,03534500), ref: 0353A735

Part of subcall function 0352F91B: __getptd_noexit.LIBCMT ref: 0352F91B

Memory Dump Source

Source File: 00000003.00000002.3531331892.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true

Associated: 00000003.00000002.3531331892.0000000003554000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3520000_Update.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d4080f4a22ec371dc0d901d20daf4246ef92c155fe93b0c8269eff8f37c1244f
Instruction ID: c764446e148825062b488189ac619c2e26b9ac1581cc4a2569f3f04fc4f5ff14
Opcode Fuzzy Hash: d4080f4a22ec371dc0d901d20daf4246ef92c155fe93b0c8269eff8f37c1244f
Instruction Fuzzy Hash: A601B5392012159AEB29DE25FC84B6737B8BB827A4F194529E896CB1F0D73494018750

Function 1000E555 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80

Function 6C8DCDF8 Relevance: 1.5, APIs: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8DCDFF

Part of subcall function 6C8DCAC8: TlsAlloc.KERNEL32(?,6C8DCE2B,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478,?,Function_0018AEC0), ref: 6C8DCAE7
Part of subcall function 6C8DCAC8: InitializeCriticalSection.KERNEL32(6CA988F0,?,6C8DCE2B,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478), ref: 6C8DCAF8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID:
API String ID: 2369468792-0
Opcode ID: 50e4b0a70838aa620873e14a0db2f86e6b436ff79e17cfc0f71d4cf5266634ce
Instruction ID: 6ec77aa2a950b34c86c6c31dc6009017be43f2bf605b6cc61a0982fa94082bd9
Opcode Fuzzy Hash: 50e4b0a70838aa620873e14a0db2f86e6b436ff79e17cfc0f71d4cf5266634ce
Instruction Fuzzy Hash: D30171B1B023179BDB24BFB8C94569937B0AF01398B258A35D420DBB91EF74EA45C741

Function 6CA1F22F Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CA197A4: HeapAlloc.KERNEL32(00000000,00001000,?,?,6C8C1C78,00001000,?,?,?,6C8A2B8C,00001000,?,6C8A982D,00001000), ref: 6CA197D6

RtlReAllocateHeap.NTDLL(00000000,00710E48,6C8BC271,?,?,?,6C8BC271,00710E48,00020000,?,?), ref: 6CA1F28C

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: ecde9f74db8fc9e92ce201d1c6b1a2491903f54f066089653a238c4079f72456
Instruction ID: 593a7be98bf02fc93da220dd36f8f7a243cdcfc472f3a5844d8b192943372dd0
Opcode Fuzzy Hash: ecde9f74db8fc9e92ce201d1c6b1a2491903f54f066089653a238c4079f72456
Instruction Fuzzy Hash: 89F0FC3524D6516ADB111E2A6D04FCA376C9FC3674F2C421DED5496E90DF70C4CB8191

Function 6CA190F2 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6CA19506,00000001,00000364,?,00000006,000000FF,?,?,6CA05A34,?,6C8A458B,00000000), ref: 6CA19133

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e82e60f2749de7817f68a5da4ed317aaed37d2a7f35a433228513dee273dd56f
Instruction ID: f2172ee905e089d9bc7558734c92e37d521be7d933dd96b3facf2c6351bec76c
Opcode Fuzzy Hash: e82e60f2749de7817f68a5da4ed317aaed37d2a7f35a433228513dee273dd56f
Instruction Fuzzy Hash: 1EF0B43264A62567AB915E369A0DB9B376CAB42774F288111E858EBE80DB20D4C5C3E0

Function 6C8B3960 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 6C8B3981

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: fd9f33cd9e7df21120716b49f7afc0f3289a93427263b61b446aa88a9264ff46
Instruction ID: 31280f1e9ac2571b7a679ae52f9fbb3364f5dbae1cf3f33757a71fe69ea1730e
Opcode Fuzzy Hash: fd9f33cd9e7df21120716b49f7afc0f3289a93427263b61b446aa88a9264ff46
Instruction Fuzzy Hash: D9F06D30644208BBEB20CF94CD46FDD77B8EB44704F008294E98C9B280EBB0AE848B91

Function 1000608A Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 100060A0

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91

Function 6CA2902C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000040,00000000,?,6CA2941C,?,?,00000000,?,6CA2941C,00000040,0000000C), ref: 6CA29049

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58908be512d1173aeb80cda15237849fb6975e644899a767f543f6bef10cea31
Instruction ID: deb01071315f8d21cf9ab58390e3028eb09c146b8778583a4e0759c715e4d2d6
Opcode Fuzzy Hash: 58908be512d1173aeb80cda15237849fb6975e644899a767f543f6bef10cea31
Instruction Fuzzy Hash: 31D06C3210020DBBDF128E84DC06EDA3BAAFB48714F058100BA1896020C732E822AB90

Function 10005E07 Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 1001F0F9

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA

Function 6C8B39B0 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(6C8B9AC3,?,6C8B9AC3,00000000,00000000,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 6C8B39B7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cc7900ed48ace1c573dd72ef44e62f7cc050bed90f5755c79aaf44763530667a
Instruction ID: d2e5ce220d032400a6c39584153d47f973d8e400fd2f30ccee7e3b293ab32004
Opcode Fuzzy Hash: cc7900ed48ace1c573dd72ef44e62f7cc050bed90f5755c79aaf44763530667a
Instruction Fuzzy Hash: 2BC02B3534430C979F200EF8B905AD237DC1503604B404800B45CD3B01CD30F805C660

Function 100060DF Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1001FAB1

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652

Function 10004274 Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553

Function 6C8B3940 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,?,6C8B9A65,?,00000000,?,?,?,?,?,?,00000063,?,00000070,?), ref: 6C8B3951

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c6a80ea5c3fa109397c56ab927a2ea5c052c768520e624c2dbc415bcdeb24781
Instruction ID: 6c21415e2051220092c8cb50840ce41d82a6c5e4628d979a4706f3c9d09658eb
Opcode Fuzzy Hash: c6a80ea5c3fa109397c56ab927a2ea5c052c768520e624c2dbc415bcdeb24781
Instruction Fuzzy Hash: 79B09B3014130C77CF1856E5EC25F59771DA786555F405510F54D57640DF61E40787D8

Function 00581000 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

TCGamerUpdateMain.UPDATE(?,?), ref: 0058100B

Memory Dump Source

Source File: 00000003.00000002.3530270341.0000000000581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.3530246451.0000000000580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530302410.0000000000582000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530335645.0000000000583000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530372311.0000000000584000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3530372311.00000000005C6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_Update.jbxd

Similarity

API ID: GamerMainUpdate
String ID:
API String ID: 3533789159-0
Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction ID: 349561630f453fcc05d0f09b1094199103b2537a8333431cf951c7dd70fa2768
Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction Fuzzy Hash: 0DB092B656020CAB8B44FAD8EC46C9A379C6A88650B408014BE0D8B241E936FA9087A5

Function 6C8D24BB Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6C8D24CA

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 3f5c3a0a87d6c1fca110f6ed90d6db28b24fa4bb6ce4dacfb16a309272aae83f
Instruction ID: e1180bb71e963804e4089d68a9da7d5a5eff74ab90f1d12443d30e71b2aa20c1
Opcode Fuzzy Hash: 3f5c3a0a87d6c1fca110f6ed90d6db28b24fa4bb6ce4dacfb16a309272aae83f
Instruction Fuzzy Hash: 8AB092A0911609AEEE64AA348B1CB0736766B4131AF258DA4A408D2541DB3DE406D710

Function 1001F63D Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 1001F63D

Memory Dump Source

Source File: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514

Function 6C8BCB40 Relevance: 1.3, APIs: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8BC940: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C8BC94D

Sleep.KERNEL32(00000BB8,?), ref: 6C8BCBD9

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CreateSleepSnapshotToolhelp32
String ID:
API String ID: 684154974-0
Opcode ID: d6d1273e24d6fff424679033cdb3280b91dd35071baed00a258e84bb129b8f04
Instruction ID: 84baf082ac238574e24e4cdf085e50e405b8c8bc8d8a399c59618504b33f25a7
Opcode Fuzzy Hash: d6d1273e24d6fff424679033cdb3280b91dd35071baed00a258e84bb129b8f04
Instruction Fuzzy Hash: 7511B2B1D05208ABCF24DFE8DA10BEDB778AB45714F208668D426B3781DB345A09CB51

Function 6C8BC283 Relevance: 1.3, APIs: 1, Instructions: 23memorynetworkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000410,-6C38A5D8,-6CA7B420,00000000), ref: 6C8BC226
VirtualAlloc.KERNEL32(00000000,0001C9DB,00003000,00000040,?,?), ref: 6C8BC2CF

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AllocVirtualrecv
String ID:
API String ID: 2836469700-0
Opcode ID: d931f3ec8669955eb2f0cf8c20e1c44cc7b94bf7179c955e5e618054b74765eb
Instruction ID: 3219c745c9c315a5b4b042e4a529c760e5c21945b1f040e879429bcb16748285
Opcode Fuzzy Hash: d931f3ec8669955eb2f0cf8c20e1c44cc7b94bf7179c955e5e618054b74765eb
Instruction Fuzzy Hash: 79E01271B507099BDB24DFD4E949F7A77B8AB4D709F104209F608E6380D63159019B66

Function 10005EB2 Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10005EB2

Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31

Memory Dump Source

Source File: 00000003.00000002.3531769911.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3531751077.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531791163.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531809840.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531828679.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3531848054.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep_malloc
String ID:
API String ID: 617756273-0
Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382

Function 6C8BC920 Relevance: 1.3, APIs: 1, Instructions: 7sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00011D28), ref: 6C8BC928

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6c28d3ab4a47418aac246650c1da5ae99f1dc3c6b1834297f5bfb71ad5a48c9e
Instruction ID: 25b6bcd9567abf0abe7295c0b5a5fa579331a187053faf9f0fc49a4cc46be7a5
Opcode Fuzzy Hash: 6c28d3ab4a47418aac246650c1da5ae99f1dc3c6b1834297f5bfb71ad5a48c9e
Instruction Fuzzy Hash: 16B0127124430C1B030452E97C0684277DC8B556603408021B308C6000D46150514079

Non-executed Functions

Function 6C8E0AA6 Relevance: 22.7, APIs: 15, Instructions: 181COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00003020), ref: 6C8E0ACE
GetDlgItem.USER32(?,00003020), ref: 6C8E0AF9
GetWindowRect.USER32(00000000,?), ref: 6C8E0B0D
MapDialogRect.USER32(?,?), ref: 6C8E0B30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016), ref: 6C8E0B5A
GetDlgItem.USER32(?,00000001), ref: 6C8E0B6B
GetWindowRect.USER32(00000000,?), ref: 6C8E0B7D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 6C8E0BA1
GetWindowRect.USER32(?,?), ref: 6C8E0BB6
GetWindowRect.USER32(?,?), ref: 6C8E0C14
GetDlgItem.USER32(?,00000001), ref: 6C8E0C26
GetWindowRect.USER32(00000000,?), ref: 6C8E0C35
GetDlgItem.USER32(?,00000001), ref: 6C8E0C5E
ShowWindow.USER32(00000000,00000000), ref: 6C8E0C6D
EnableWindow.USER32(00000000,00000000), ref: 6C8E0C76

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-0
Opcode ID: f4f7c1c1d99bf7d9d92c3de2850cd1e1d1f9e4826ddf289ad8259cf9a419cd06
Instruction ID: a60b6a762e625b9b0aabaef3389f01032142bca28226ae8c9d91e2f570da0f43
Opcode Fuzzy Hash: f4f7c1c1d99bf7d9d92c3de2850cd1e1d1f9e4826ddf289ad8259cf9a419cd06
Instruction Fuzzy Hash: 58512E71A0070AAFDB24DFA5CE48EBFBBB9FF49304F104A18F545E2551DB31A9419B20

Function 6C8DEDE4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C8D847C,6C8D7999,00000003,?,00000004,6C8D7999), ref: 6C8DEDF6
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6C8DEE06
EncodePointer.KERNEL32(00000000,?,6C8D847C,6C8D7999,00000003,?,00000004,6C8D7999), ref: 6C8DEE0F
DecodePointer.KERNEL32(00000000,?,?,6C8D847C,6C8D7999,00000003,?,00000004,6C8D7999), ref: 6C8DEE1D
GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,6C8D847C,6C8D7999,00000003,?,00000004,6C8D7999), ref: 6C8DEE54

Strings

GetLocaleInfoEx, xrefs: 6C8DEE00
kernel32.dll, xrefs: 6C8DEDF1

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
String ID: GetLocaleInfoEx$kernel32.dll
API String ID: 1461536855-1547310189
Opcode ID: f2420bf2236b2ec01279ee70a01fd4e13e92d9ffd068b680f389ef50ef32957c
Instruction ID: fd98efe20105a8172bbc50fb1b865601a2f6533f85b303c436cad0cc6a5bb36e
Opcode Fuzzy Hash: f2420bf2236b2ec01279ee70a01fd4e13e92d9ffd068b680f389ef50ef32957c
Instruction Fuzzy Hash: 17018B3160171BAFCF261FA0ED0889E3F7AFF09351B018A25F919D6510CB31D8219BA0

Function 6C8EEB8C Relevance: 10.6, APIs: 7, Instructions: 138fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8EEB96
PathIsUNCW.SHLWAPI(?,?,?,?,6C93A239,00000024,?,?,?), ref: 6C8EEC46
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,6C93A239,00000024,?,?,?), ref: 6C8EEC6A
GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6C8EE390,?,?,00000000,?,6C93A239,00000024,?,?,?), ref: 6C8EEBC9

Part of subcall function 6C8EEB4A: GetLastError.KERNEL32(?,?,?,6C8EEC7B,?,?,?,6C93A239,00000024,?,?,?), ref: 6C8EEB56

Part of subcall function 6C8EE407: PathStripToRootW.SHLWAPI(00000000,?,?,6C93A239,00000024,?,?,?), ref: 6C8EE43B

CharUpperW.USER32(?,?,6C93A239,00000024,?,?,?), ref: 6C8EEC98
FindFirstFileW.KERNEL32(?,?,?,6C93A239,00000024,?,?,?), ref: 6C8EECB0
FindClose.KERNEL32(00000000,?,6C93A239,00000024,?,?,?), ref: 6C8EECBC

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
String ID:
API String ID: 2323451338-0
Opcode ID: 73d11fe1f455d9b89a1dd3e14c0373b97e24f7672af3a4865762819975dac373
Instruction ID: 2df7f381d677d532ab36eab0c10916ed31e54cf2d9040991b9a4105b075a7c46
Opcode Fuzzy Hash: 73d11fe1f455d9b89a1dd3e14c0373b97e24f7672af3a4865762819975dac373
Instruction Fuzzy Hash: DC41AC715045156FDB34AB28CE88EEF737DEF05318F104E95E41AE2A40EB319E89CBA1

Function 6C8D62D4 Relevance: 9.2, APIs: 6, Instructions: 218COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C8D631C
EqualRect.USER32(?,?), ref: 6C8D633A

Part of subcall function 6C8C926E: SetWindowPos.USER32(?,?,?,CDD28759,6C8C962D,?,6C8C9CCC,00000000,?,6C8CCE6F,00000000,00000000,00000000,00000000,00000000,00000097), ref: 6C8C9296

GetDlgCtrlID.USER32(?), ref: 6C8D63E6
CopyRect.USER32(?,?), ref: 6C8D6422
GetParent.USER32(?), ref: 6C8D6503
SetParent.USER32(?,?), ref: 6C8D6519

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$ParentWindow$CopyCtrlEqual
String ID:
API String ID: 1662903855-0
Opcode ID: 496eff235392b46f829da97f5df3c1fd12ddb1bca2832c15ea9aa252ad58b573
Instruction ID: 03f38d8900781e9a1d3a07d16e143274848ad07e91e58792cde01c913f43a839
Opcode Fuzzy Hash: 496eff235392b46f829da97f5df3c1fd12ddb1bca2832c15ea9aa252ad58b573
Instruction Fuzzy Hash: B181D371601619ABCB28DF68CD88BEAB7B9FF04308F114AB9E819D7650DB34A945CF50

Function 033A660F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033A66A0
swprintf.LIBCMT ref: 033A66F8
swprintf.LIBCMT ref: 033A670B

Strings

@, xrefs: 033A66AC
:, xrefs: 033A663F

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: swprintf$_memset
String ID: :$@
API String ID: 1292703666-1367939426
Opcode ID: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
Instruction ID: 52fa012bd0dc6f9ff25e6a8794c4edeab92a9f02c0e08c3017982512af493038
Opcode Fuzzy Hash: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
Instruction Fuzzy Hash: 5E3161B6D0021CABDB14DFE9CC85FEEB7B9FB88300F50421DE91AAB241E6746905CB54

Function 6C8D00CD Relevance: 7.8, APIs: 5, Instructions: 266COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C8D00F0
InflateRect.USER32(?,?,?), ref: 6C8D010C
BeginDeferWindowPos.USER32(?), ref: 6C8D0180
InvalidateRect.USER32(?,00000000,00000001,00000018,00000008,00000000,0000EA20), ref: 6C8D01EF
EndDeferWindowPos.USER32(00000000), ref: 6C8D03ED

Part of subcall function 6C8C8EAD: GetDlgItem.USER32(?,?), ref: 6C8C8EBE

Part of subcall function 6C8CF153: GetClientRect.USER32(?,?), ref: 6C8CF175
Part of subcall function 6C8CF153: GetParent.USER32(?), ref: 6C8CF18E
Part of subcall function 6C8CF153: GetClientRect.USER32(?,?), ref: 6C8CF1BD

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
String ID:
API String ID: 939197390-0
Opcode ID: c71278aa290f78958c2514476ff727ec068d3b5efc72657f7bd1787f79efe36a
Instruction ID: d017d29376ff4e26d3cb9b142864dbe4f59c494f78ce022fc1c6cae01ed46d3f
Opcode Fuzzy Hash: c71278aa290f78958c2514476ff727ec068d3b5efc72657f7bd1787f79efe36a
Instruction Fuzzy Hash: C5B12531E0064AEFDB19CFA8C980BEDFBB6FF48304F158629E459A7250DB30A955CB51

Function 6CA26BC2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CA194B9: GetLastError.KERNEL32(?,?,6CA05A34,?,6C8A458B,00000000), ref: 6CA194BD
Part of subcall function 6CA194B9: SetLastError.KERNEL32(00000000,6C8A458B,00000000,?,?,?,?,?,?,?,?,?,?,?,6CA2B00D,000000FF), ref: 6CA1955F

GetACP.KERNEL32(?,?,?,?,?,?,6CA1B226,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6CA26C81
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6CA1B226,?,?,?,00000055,?,-00000050,?,?), ref: 6CA26CB8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6CA26E1B

Strings

utf8, xrefs: 6CA26D8A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 48b364b6a3385f1e2ea27f3df0b44e681b4c9012ecb15adb2fe3d9ee379fda35
Instruction ID: 87dc4a64f6a915331a142d9cd92de6505114903eb68ac833e7d50a96fe208e6b
Opcode Fuzzy Hash: 48b364b6a3385f1e2ea27f3df0b44e681b4c9012ecb15adb2fe3d9ee379fda35
Instruction Fuzzy Hash: C5713A31606626AAEB14AB75CD45BEA33B8EF0470CF1C4529E515D7F80EB78E5C8C790

Function 6CA0DCF0 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65742e894918bf4e86fc2b9ed42b1f87a8ffac3a49cef3bbaea6e76e472994b
Instruction ID: c0ecc7737f5eecd45837be89e5475d26e3db3488a26f3e96e4535461cb6e03f2
Opcode Fuzzy Hash: e65742e894918bf4e86fc2b9ed42b1f87a8ffac3a49cef3bbaea6e76e472994b
Instruction Fuzzy Hash: F7027C71F012199BDB14CFA9D98069EFBF1FF48358F288269D519E7780D731AA85CB80

Function 6C902969 Relevance: 6.3, APIs: 4, Instructions: 339keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8F23: GetWindowLongW.USER32(?,000000EC), ref: 6C8C8F30

GetAsyncKeyState.USER32(00000011), ref: 6C902A73
GetClientRect.USER32(?,?), ref: 6C902C15
SetScrollPos.USER32(00000000,00000002,?,00000001), ref: 6C902D03

Part of subcall function 6C8FFF7E: GetClientRect.USER32(?,?), ref: 6C8FFFB8
Part of subcall function 6C8FFF7E: InflateRect.USER32(?,00000000,00000000), ref: 6C8FFFF2
Part of subcall function 6C8FFF7E: SetRectEmpty.USER32(?), ref: 6C900096
Part of subcall function 6C8FFF7E: SetRectEmpty.USER32(?), ref: 6C9000A3
Part of subcall function 6C8FFF7E: GetSystemMetrics.USER32(00000002), ref: 6C9000C8
Part of subcall function 6C8FFF7E: EqualRect.USER32(?,?), ref: 6C900195

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$ClientEmpty$AsyncEqualInflateLongMetricsScrollStateSystemWindow
String ID:
API String ID: 3234605627-0
Opcode ID: 0b4554ed9557bf1d949744dde5c8cad7197ccfa1d78f45b605c93bdf78c26864
Instruction ID: 7ca2347f92ac377608c9bb7cdc5622b4db4160495b956e92f1b784f8d4b6b429
Opcode Fuzzy Hash: 0b4554ed9557bf1d949744dde5c8cad7197ccfa1d78f45b605c93bdf78c26864
Instruction Fuzzy Hash: 1BC18D31701A178BDF199F6488A87BD77B6AF46309F14426ED816EBB90CB74DC46CB80

Function 6CA0060D Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6CA00619
IsDebuggerPresent.KERNEL32 ref: 6CA006E5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CA006FE
UnhandledExceptionFilter.KERNEL32(?), ref: 6CA00708

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 96d651c12851daaf77154acf74886c6b6e457f42376bed97fafee768d5fa5fed
Instruction ID: d38a10cd2a164eb369eb593a5c7e4732e9b9d7f804da3e9927f8fb9bc065c1de
Opcode Fuzzy Hash: 96d651c12851daaf77154acf74886c6b6e457f42376bed97fafee768d5fa5fed
Instruction Fuzzy Hash: 4A31F875E057199BDF21DFA4D9497CDBBB8AF08344F1042AAE40CAB240EB749A858F45

Function 6CA0A83C Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6CA0A934
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6CA0A93E
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 6CA0A94B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cf128ea9623e3b89473935bd14bf488ae392494d379c0543b035228965589003
Instruction ID: c7afb91b3dffa507dbaddd6fc39c97a06fada3250c7526799b44350363a13f6c
Opcode Fuzzy Hash: cf128ea9623e3b89473935bd14bf488ae392494d379c0543b035228965589003
Instruction Fuzzy Hash: 1131B574A017199BCB21DF64D9887CDBBB4BF08354F5082DAE41CA7250EB709F858F44

Function 033A00CD Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ntdl, xrefs: 033A0185
l, xrefs: 033A018C

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction ID: b4e52286ccacd876ddd61a5bfb68041c2b13da26b51d118f472df033eb6f786a
Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction Fuzzy Hash: 22218F79E00A209FCB2DDF18859862FBBB6EF4971071581A9E405DF354EB38C90297D1

Function 6C8C68AC Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6C8C68B8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: c6e41ffc659e24ca531049ed01fb8f6b9058b53ff0e24c17090d8c3fb74a79c2
Instruction ID: d28328df93cd83ac1c1ca951164aefcc29ae607c28d75582783bd0899dee3b16
Opcode Fuzzy Hash: c6e41ffc659e24ca531049ed01fb8f6b9058b53ff0e24c17090d8c3fb74a79c2
Instruction Fuzzy Hash: 04D0C931319B60DBC7355A26A9947D2B3B5AB05719B014D3AD44296970D7A0E885CB81

Function 6C9444B1 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 327fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9444BB
GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CA3F5FC,00000000,6CA4D894,00000000,6CA3C6EC,00000000,?,?,00000A88,6C9456FD,?,00000000,00000038), ref: 6C94455A
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CA3C6EC,00000000,?,?,00000A88,6C9456FD,?,00000000,00000038), ref: 6C94460D

Strings

, xrefs: 6C9448F8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: File$CreateH_prolog3_ModuleName
String ID:
API String ID: 3408945735-3916222277
Opcode ID: 781ac7aaac540eab1af6f5357a2919ce0eb6ee74885bc629025584d85597b076
Instruction ID: 919b874a1cf493583f8f299ca1c7f699d6f41acbbcfa1ed740346fb0fff2c69e
Opcode Fuzzy Hash: 781ac7aaac540eab1af6f5357a2919ce0eb6ee74885bc629025584d85597b076
Instruction Fuzzy Hash: EEC17E72A00718AFDF249F64CC54FEA77B9EF06314F1085A9E909E2A50DB709A85CF51

Function 6C8A1C5C Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 42registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(Native), ref: 6C9FF248
RegisterWindowMessageW.USER32(OwnerLink), ref: 6C9FF255
RegisterWindowMessageW.USER32(ObjectLink), ref: 6C9FF263
RegisterWindowMessageW.USER32(Embedded Object), ref: 6C9FF271
RegisterWindowMessageW.USER32(Embed Source), ref: 6C9FF27F
RegisterWindowMessageW.USER32(Link Source), ref: 6C9FF28D
RegisterWindowMessageW.USER32(Object Descriptor), ref: 6C9FF29B
RegisterWindowMessageW.USER32(Link Source Descriptor), ref: 6C9FF2A9
RegisterWindowMessageW.USER32(FileName), ref: 6C9FF2B7
RegisterWindowMessageW.USER32(FileNameW), ref: 6C9FF2C5
RegisterWindowMessageW.USER32(Rich Text Format), ref: 6C9FF2D3
RegisterWindowMessageW.USER32(RichEdit Text and Objects), ref: 6C9FF2E1

Strings

RichEdit Text and Objects, xrefs: 6C9FF2D9
FileName, xrefs: 6C9FF2AF
OwnerLink, xrefs: 6C9FF24E
Native, xrefs: 6C9FF241
FileNameW, xrefs: 6C9FF2BD
Link Source, xrefs: 6C9FF285
Link Source Descriptor, xrefs: 6C9FF2A1
Embedded Object, xrefs: 6C9FF269
Embed Source, xrefs: 6C9FF277
Object Descriptor, xrefs: 6C9FF293
ObjectLink, xrefs: 6C9FF25B
Rich Text Format, xrefs: 6C9FF2CB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 55bdc58abea0ba5e67817f844ab731df4acbd85ab8a672488fe9198634d82a5e
Instruction ID: 4fcfcc4da8c991ad716024dbadb27f3af827f874c91938d0bb4a56e1c708af97
Opcode Fuzzy Hash: 55bdc58abea0ba5e67817f844ab731df4acbd85ab8a672488fe9198634d82a5e
Instruction Fuzzy Hash: F1115572900B029FCF789FB2AE1C4467BF1BA8A6117188E19F95AC7E01D7349082CF54

Function 6C8CA8C6 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 413windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8CA8D0
GetClassNameW.USER32(?,00000000,00000001), ref: 6C8CA91B

Part of subcall function 6C8C423E: GetParent.USER32(00000000), ref: 6C8C426A

SendMessageW.USER32(?,0000041C), ref: 6C8CAA0E
SendMessageW.USER32(?,00000409,?,?), ref: 6C8CAA23
GetClassNameW.USER32(?,00000000,00000001), ref: 6C8CAA4B
SendMessageW.USER32(?,00000418,00000000,00000000), ref: 6C8CAADC
SendMessageW.USER32(?,0000041D,-00000001,?), ref: 6C8CAAF8
IntersectRect.USER32(?,?,?), ref: 6C8CAB0A
CreatePopupMenu.USER32 ref: 6C8CAB70
CreateCompatibleDC.GDI32(?), ref: 6C8CAB88
CopyRect.USER32(?,?), ref: 6C8CAC73
OffsetRect.USER32(?,?,?), ref: 6C8CAC89
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C8CACA9
GetSysColor.USER32(00000004), ref: 6C8CACF8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 6C8CADE0
CopyRect.USER32(?,?), ref: 6C8CADFD

Strings

ToolbarWindow32, xrefs: 6C8CAA29, 6C8CAA71
0, xrefs: 6C8CAB2A
ReBarWindow32, xrefs: 6C8CA8FA, 6C8CA93D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageRectSend$Create$ClassCompatibleCopyMenuName$BitmapColorH_prolog3_InsertIntersectItemOffsetParentPopup
String ID: 0$ReBarWindow32$ToolbarWindow32
API String ID: 4204073102-333968262
Opcode ID: 21585a72e540cfe61c219af7889ddcf91716181dab3102a29cb3246ac53cc232
Instruction ID: 9c3b702eda0b4bff033bcf75c0dfdac5d32e6e58433f2e9c272d2df47c2c8b85
Opcode Fuzzy Hash: 21585a72e540cfe61c219af7889ddcf91716181dab3102a29cb3246ac53cc232
Instruction Fuzzy Hash: C6023B71A002299BDF35DB64CD94BEDB779BF15308F0049E9E50AA7A50DB30AE89CF50

Function 6C8D1D34 Relevance: 30.3, APIs: 20, Instructions: 265windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8D1D3B
CreateCompatibleDC.GDI32(00000000), ref: 6C8D1D90
CreateCompatibleDC.GDI32(00000000), ref: 6C8D1DA8
CreateCompatibleDC.GDI32(00000000), ref: 6C8D1DC0
GetObjectW.GDI32(00000004,00000018,?), ref: 6C8D1DE0
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C8D1E06
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6CA3E460), ref: 6C8D1E29
CreatePatternBrush.GDI32(?), ref: 6C8D1E3B
DeleteObject.GDI32(?), ref: 6C8D1E6A
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C8D1E7B
GetPixel.GDI32(?,00000000,00000000), ref: 6C8D1EC3
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C8D1EE9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C8D1F11
FillRect.USER32(?,?,?), ref: 6C8D1F73

Part of subcall function 6C8D2EBE: __EH_prolog3.LIBCMT ref: 6C8D2EC5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C8D1FA1
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C8D1FBC
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C8D1FD3
DeleteDC.GDI32(00000000), ref: 6C8D2040
DeleteDC.GDI32(00000000), ref: 6C8D205C
DeleteDC.GDI32(00000000), ref: 6C8D207B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
String ID:
API String ID: 308707564-0
Opcode ID: 1bfee7550d3b20bf7cf85da1ff8e8036764d7e41f1438778eb6a6e63d68f8558
Instruction ID: 2a4d3dcd0031c5346a78bce79e3e9fe3c6a598b5e365ad31d7c809943ecb574f
Opcode Fuzzy Hash: 1bfee7550d3b20bf7cf85da1ff8e8036764d7e41f1438778eb6a6e63d68f8558
Instruction Fuzzy Hash: 06B11771D00209AFDF259FE4CE989EEBB7AFF08304F114428F509A6660DB35AD46DB20

Function 6C8E2B80 Relevance: 28.7, APIs: 19, Instructions: 239windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8E2B87
CreateRectRgnIndirect.GDI32(?), ref: 6C8E2BBF
CopyRect.USER32(?,?), ref: 6C8E2BD3
InflateRect.USER32(?,?,?), ref: 6C8E2BE9
IntersectRect.USER32(?,?,?), ref: 6C8E2BF5
CreateRectRgnIndirect.GDI32(?), ref: 6C8E2BFF
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8E2C14
CombineRgn.GDI32(?,?,?,00000003), ref: 6C8E2C2E
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8E2C75
SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C8E2C92
CopyRect.USER32(?,?), ref: 6C8E2C9D
InflateRect.USER32(?,?,?), ref: 6C8E2CB3
IntersectRect.USER32(?,?,?), ref: 6C8E2CBF
SetRectRgn.GDI32(?,?,?,?,?), ref: 6C8E2CD4
CombineRgn.GDI32(?,?,?,00000003), ref: 6C8E2CE5
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C8E2CF9
CombineRgn.GDI32(?,?,?,00000003), ref: 6C8E2D13

Part of subcall function 6C8E2EDC: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C8E2F23
Part of subcall function 6C8E2EDC: CreatePatternBrush.GDI32(00000000), ref: 6C8E2F30
Part of subcall function 6C8E2EDC: DeleteObject.GDI32(00000000), ref: 6C8E2F3C

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C8E2D71

Part of subcall function 6C8D2AAB: SelectObject.GDI32(?,00000000), ref: 6C8D2ACB
Part of subcall function 6C8D2AAB: SelectObject.GDI32(?,00000000), ref: 6C8D2AE1

Part of subcall function 6C8D29C0: SelectClipRgn.GDI32(?,00000000), ref: 6C8D29E0
Part of subcall function 6C8D29C0: SelectClipRgn.GDI32(?,00000000), ref: 6C8D29F6

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C8E2DD4

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
String ID:
API String ID: 770706554-0
Opcode ID: 3d32e189716897fb988ed8fdd83895915a6513017f414d427b44a87753ab0543
Instruction ID: bf0b661538e0f5ec877ee4ca008841268e6d87fe8eeb53cfe677b6fe8864c9b9
Opcode Fuzzy Hash: 3d32e189716897fb988ed8fdd83895915a6513017f414d427b44a87753ab0543
Instruction Fuzzy Hash: BD91E875A00219AFCF19DFA8DD98DEEBBBAFF49304B044519F906E3650DB34A905CB60

Function 6C9BE2D7 Relevance: 24.4, APIs: 16, Instructions: 395COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9BE2DE
GetCursorPos.USER32(?), ref: 6C9BE397
IsRectEmpty.USER32(?), ref: 6C9BE3CB
IsRectEmpty.USER32(?), ref: 6C9BE3F2
IsRectEmpty.USER32(?), ref: 6C9BE414
GetWindowRect.USER32(?,?), ref: 6C9BE442
GetWindowRect.USER32(?,?), ref: 6C9BE472
PtInRect.USER32(?,?,?), ref: 6C9BE4BF
OffsetRect.USER32(?,?,00000000), ref: 6C9BE4D7

Part of subcall function 6C9BF4F0: __EH_prolog3.LIBCMT ref: 6C9BF4F7
Part of subcall function 6C9BF4F0: SetRectEmpty.USER32 ref: 6C9BF5F7
Part of subcall function 6C9BF4F0: SetRectEmpty.USER32(?), ref: 6C9BF5FE

SetRectEmpty.USER32(?), ref: 6C9BE4FA
OffsetRect.USER32(?,?,?), ref: 6C9BE68B
IsRectEmpty.USER32(?), ref: 6C9BE6AB
IsRectEmpty.USER32(?), ref: 6C9BE6DE
PtInRect.USER32(?,00000000,00000000), ref: 6C9BE6F2
OffsetRect.USER32(?,?,?), ref: 6C9BE71E
IsRectEmpty.USER32(?), ref: 6C9BE73D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
String ID:
API String ID: 359163869-0
Opcode ID: a118e6220f1a843e0f90c2cfae821e3cb6d96ef87c206f1ad5efdf4152b04463
Instruction ID: 144a6fbf31af1ddcf0fce369d15e43ead7f0d5f44d970210f2b046b3437bf4cf
Opcode Fuzzy Hash: a118e6220f1a843e0f90c2cfae821e3cb6d96ef87c206f1ad5efdf4152b04463
Instruction Fuzzy Hash: 92E18131A00615EFDF15CFA4C984AAEB7BEFF45314F1482A9E805EB645EB31E845CB90

Function 6C8DEE5D Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C8DEE90
GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C8DEEA0
EncodePointer.KERNEL32(00000000,?,?), ref: 6C8DEEA9
DecodePointer.KERNEL32(00000000,?,?), ref: 6C8DEEB7
GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C8DEEDE
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8DEEEE
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8DEF22
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8DEF55
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8DEF65
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8DEFA2
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C8DEFDD

Strings

GetThreadPreferredUILanguages, xrefs: 6C8DEE9A
kernel32.dll, xrefs: 6C8DEE8B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
String ID: GetThreadPreferredUILanguages$kernel32.dll
API String ID: 404278886-1646127487
Opcode ID: df71de381904b6057ec24d06e87da55eb9448b1998f93b124c7a12bbe11df975
Instruction ID: 744f71e3df6ff34c355666095064560a3720ecbfe76a4f5a62774c4601e6d847
Opcode Fuzzy Hash: df71de381904b6057ec24d06e87da55eb9448b1998f93b124c7a12bbe11df975
Instruction Fuzzy Hash: 22512CB1E0421A9FCB14DFA8C994EEF77BDEF49304F014525E905E7640DB34AA1ACBA1

Function 6C8D2089 Relevance: 22.7, APIs: 15, Instructions: 212windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8D2090
GetSysColor.USER32(00000014), ref: 6C8D20C7

Part of subcall function 6C8D1945: __EH_prolog3.LIBCMT ref: 6C8D194C
Part of subcall function 6C8D1945: CreateSolidBrush.GDI32(?), ref: 6C8D1967

GetSysColor.USER32(00000010), ref: 6C8D20DC
CreateCompatibleDC.GDI32(00000000), ref: 6C8D20F0
CreateCompatibleDC.GDI32(00000000), ref: 6C8D2108
GetObjectW.GDI32(00000004,00000018,?), ref: 6C8D212B
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C8D214C
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C8D216D

Part of subcall function 6C8D2A4C: SelectObject.GDI32(00000048,?), ref: 6C8D2A55

GetPixel.GDI32(?,00000000,00000000), ref: 6C8D21B5

Part of subcall function 6C8D2B65: SetBkColor.GDI32(?,?), ref: 6C8D2B7A
Part of subcall function 6C8D2B65: SetBkColor.GDI32(?,?), ref: 6C8D2B8C

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C8D21DE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C8D2208
BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C8D2273
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C8D229C
DeleteDC.GDI32(00000000), ref: 6C8D2311
DeleteDC.GDI32(00000000), ref: 6C8D2330

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
String ID:
API String ID: 2254850417-0
Opcode ID: 2069f103b3616296bf4269bf034591553c9c8038cdd4a5be4d4cd5053b510adc
Instruction ID: 718f7f03a478614efa15995c2bdbd544c1874ed2f894a9915e760264d24f7d8c
Opcode Fuzzy Hash: 2069f103b3616296bf4269bf034591553c9c8038cdd4a5be4d4cd5053b510adc
Instruction Fuzzy Hash: 1B815771900209AFDF25DFE4CE98AEEBB7AAF08304F114428F505B66A0DB746D56DB60

Function 6C9065E2 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 216COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9065E9

Part of subcall function 6C8CD33C: __EH_prolog3.LIBCMT ref: 6C8CD343

Part of subcall function 6C978836: __EH_prolog3.LIBCMT ref: 6C97883D

Strings

MFCFontComboBox, xrefs: 6C9066B9
MFCLink, xrefs: 6C9066F3
MFCShellTree, xrefs: 6C90680E
MFCMenuButton, xrefs: 6C906767
MFCMaskedEdit, xrefs: 6C90672D
MFCButton, xrefs: 6C906608
MFCShellList, xrefs: 6C9067DB
MFCVSListBox, xrefs: 6C906841
MFCPropertyGrid, xrefs: 6C9067A1
MFCColorButton, xrefs: 6C906645
MFCEditBrowse, xrefs: 6C90667F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: H_prolog3
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 431132790-2110171958
Opcode ID: 472ec8ea65ef4ad09f3a4d880667f29dbe86e6bf435c0db98b631f9ff777eaee
Instruction ID: 0d445c3952cac46ee5aae081ecd59661801e96cc449e00641264b6ad584b42a4
Opcode Fuzzy Hash: 472ec8ea65ef4ad09f3a4d880667f29dbe86e6bf435c0db98b631f9ff777eaee
Instruction Fuzzy Hash: 93618321B0A24599EF14DBBC66547BD67F46F2135CF2048AEAD50E7EC0EF35C688C226

Function 6C94E23E Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 195COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C94E245
GetWindowRect.USER32(?,?), ref: 6C94E32B

Part of subcall function 6C8C8E82: GetDlgCtrlID.USER32(?), ref: 6C8C8E8D

Part of subcall function 6C94BA69: GetWindowRect.USER32(?,?), ref: 6C94BA77

Strings

Panes, xrefs: 6C94E252
RecentFrameAlignment, xrefs: 6C94E3E4
%TsPane-%d%x, xrefs: 6C94E2A9
%TsPane-%d, xrefs: 6C94E292
IsFloating, xrefs: 6C94E421
MRUWidth, xrefs: 6C94E441
RectRecentFloat, xrefs: 6C94E3A5
RecentRowIndex, xrefs: 6C94E404
RectRecentDocked, xrefs: 6C94E3C6
PinState, xrefs: 6C94E461

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: RectWindow$CtrlH_prolog3
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 3396713241-2628993547
Opcode ID: 644c483b23d1f24ba4d7b90f9f21d0e4e6d41f0afbfccf727c1e87151d872fad
Instruction ID: 63d5ea3feee3de37a2ee101d08eb82df886c384f17490b82bc939fe9422a4ada
Opcode Fuzzy Hash: 644c483b23d1f24ba4d7b90f9f21d0e4e6d41f0afbfccf727c1e87151d872fad
Instruction Fuzzy Hash: AB81497560020A9FCF04DFA5CC949BDB776BF89314F098569E916AB7A1CB30AC02CF90

Function 6C8E026D Relevance: 19.8, APIs: 13, Instructions: 253memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000004,?), ref: 6C8E034E
GlobalLock.KERNEL32(00000000), ref: 6C8E035B
GlobalUnlock.KERNEL32(00000000), ref: 6C8E036C
SetPropW.USER32(?,00000000), ref: 6C8E037C
GlobalFree.KERNEL32(00000000), ref: 6C8E0387
IsWindowEnabled.USER32(00000000), ref: 6C8E042F
EnableWindow.USER32(00000000,00000000), ref: 6C8E043B
GetCapture.USER32 ref: 6C8E0448
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C8E0457
EnableWindow.USER32(00000000,00000001), ref: 6C8E0534
GetActiveWindow.USER32 ref: 6C8E053E
SetActiveWindow.USER32(00000000), ref: 6C8E0549
EnableWindow.USER32(00000000,00000001), ref: 6C8E0588

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Global$Enable$Active$AllocCaptureEnabledFreeLockMessagePropSendUnlock
String ID:
API String ID: 2841214920-0
Opcode ID: 54b8daba402034b7ab4c9f6d459e3f0c0810799efb615cb21b5827e10c688c1e
Instruction ID: 15ffc2eda443da20f351e500d325921ba2d9a3ce4ac8e0d6615e211f2fb54dbd
Opcode Fuzzy Hash: 54b8daba402034b7ab4c9f6d459e3f0c0810799efb615cb21b5827e10c688c1e
Instruction Fuzzy Hash: 6A91E2307017069BDB289F79CA58BADB7B5BF0A319F108E29E519D7A80CF74D401DB91

Function 6C94CBB7 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C94CBBE

Part of subcall function 6C8C8E82: GetDlgCtrlID.USER32(?), ref: 6C8C8E8D

Part of subcall function 6C94A328: __EH_prolog3.LIBCMT ref: 6C94A32F

Strings

Panes, xrefs: 6C94CBCE
RecentFrameAlignment, xrefs: 6C94CCE4
%TsPane-%d%x, xrefs: 6C94CC25
%TsPane-%d, xrefs: 6C94CC0E
IsFloating, xrefs: 6C94CD19
MRUWidth, xrefs: 6C94CD36
RectRecentFloat, xrefs: 6C94CC95
RecentRowIndex, xrefs: 6C94CCFC
RectRecentDocked, xrefs: 6C94CCB2
PinState, xrefs: 6C94CD53

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: H_prolog3$Ctrl
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 3879667756-2628993547
Opcode ID: 806e2346839e759228a2510382e83db0926c0bdb08849e023b0671c3c510c1e1
Instruction ID: 691fde661b13b6b186626ede0eb681fb8d462a1d3c0fc017175acaf28a9e42a2
Opcode Fuzzy Hash: 806e2346839e759228a2510382e83db0926c0bdb08849e023b0671c3c510c1e1
Instruction Fuzzy Hash: E651A375B0011AAFCF08DF64CC949EDBB76BF49314B148569E816AB781CB31AD0ACBD1

Function 6C8EE518 Relevance: 18.1, APIs: 12, Instructions: 147COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C8EE542
GetCurrentProcess.KERNEL32 ref: 6C8EE54D
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000002), ref: 6C8EE560
GetLastError.KERNEL32 ref: 6C8EE5AA
FlushFileBuffers.KERNEL32(000000FF,00000000,00000000,00000000), ref: 6C8EE5C4
GetLastError.KERNEL32 ref: 6C8EE5DA
GetFileSize.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000), ref: 6C8EE5F7
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C8EE605
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C8EE622
SetFilePointer.KERNEL32(000000FF,00000000,?,00000001,00000000,?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C8EE64B
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C8EE659
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C8EE676

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorLast$File$CurrentProcess$BuffersDuplicateFlushHandlePointerSize
String ID:
API String ID: 3214111443-0
Opcode ID: 4c940357ba91a767a6b452e63fdae3a314aa3798a685b89fa6158410cafdf7e2
Instruction ID: ea526223f2cbba8c4f3411ffcbdf6544573370537ee303fb90138c8bf13c210e
Opcode Fuzzy Hash: 4c940357ba91a767a6b452e63fdae3a314aa3798a685b89fa6158410cafdf7e2
Instruction Fuzzy Hash: C941C631A00714ABDB249FB5DD489DA7BB9EF09324F148A69E51AD7A40EB70DD01C790

Function 6C8C3C74 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8C3C7E
SendMessageW.USER32(?,00000000,00000000,00000080), ref: 6C8C3CC5
SendMessageW.USER32(?,00000000,00000000,?), ref: 6C8C3CF1
ValidateRect.USER32(?,00000000), ref: 6C8C3D04

Part of subcall function 6C8DD53E: GetClientRect.USER32(?,?), ref: 6C8DD5A2

GetClientRect.USER32(?,?), ref: 6C8C3D75
BeginPaint.USER32(?,?), ref: 6C8C3D82
SendMessageW.USER32(?,00000000,00000000,?), ref: 6C8C3DB8
SendMessageW.USER32(?,00000000,00000000), ref: 6C8C3DDA
EndPaint.USER32(?,?), ref: 6C8C3DF2

Strings

W, xrefs: 6C8C3D37

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
String ID: W
API String ID: 3883544035-655174618
Opcode ID: 9d697f7a196f9ec46c452a543cfa508e80ba1cd8a998d39adf72cdb5d80e80a8
Instruction ID: 96a2daabd5af96bc941c423f8d0ac34967b85f60f93303bb3deb3438feac35b3
Opcode Fuzzy Hash: 9d697f7a196f9ec46c452a543cfa508e80ba1cd8a998d39adf72cdb5d80e80a8
Instruction Fuzzy Hash: AB41B571B006059BCF358F65DD54AEEBAB6FF48308F108A2EE15693A20DB30E945DF50

Function 6C8DC0A8 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8DC0AF
GetObjectW.GDI32(?,00000018,?), ref: 6C8DC0CC
GetSystemMetrics.USER32(00000032), ref: 6C8DC0DF
GetSystemMetrics.USER32(00000031), ref: 6C8DC0EA
GetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 6C8DC12C
GetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 6C8DC157
GetSystemMetrics.USER32(0000000F), ref: 6C8DC1BF
GetSystemMetrics.USER32(0000000F), ref: 6C8DC1CB

Strings

@, xrefs: 6C8DC11C
0, xrefs: 6C8DC112

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MetricsSystem$InfoItemMenu$H_prolog3Object
String ID: 0$@
API String ID: 414968830-1545510068
Opcode ID: 61d8d4df72c32959e871fbb6ad65d81c8a959c54a481efe6f4db97ed978cec60
Instruction ID: ec2a3969f16fca98078330cfeeec9af0dfc8de91f7fd33b43ad23ae3c2fbdc3b
Opcode Fuzzy Hash: 61d8d4df72c32959e871fbb6ad65d81c8a959c54a481efe6f4db97ed978cec60
Instruction Fuzzy Hash: 76419B71900319ABCF24DFA4CD45BEEB7B9FF14348F114925E906BB691DB70AA09CB60

Function 033AA0AF Relevance: 16.8, APIs: 11, Instructions: 254COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033AA107
_memset.LIBCMT ref: 033AA147
_memset.LIBCMT ref: 033AA1CD
swprintf.LIBCMT ref: 033AA1EC

Part of subcall function 033AF0C6: _malloc.LIBCMT ref: 033AF0E0

_memset.LIBCMT ref: 033AA2C4
swprintf.LIBCMT ref: 033AA2E3
_memset.LIBCMT ref: 033AA345
swprintf.LIBCMT ref: 033AA364

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: _memset$swprintf$_malloc
String ID:
API String ID: 1873853019-0
Opcode ID: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
Instruction ID: a3978d4f643db6fe220af502687a46e5d472fdb55cbf908cca06e41e8f78b376
Opcode Fuzzy Hash: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
Instruction Fuzzy Hash: B681B4B6D40700ABE720EB58DCC6F6B77A4EF44310F184164EE195F382EB71E911C6A6

Function 6C8F2987 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 6C8F29E5
EnableMenuItem.USER32(?,0000420E,00000001), ref: 6C8F2A00
CheckMenuItem.USER32(?,00004214,00000008), ref: 6C8F2A34
CheckMenuItem.USER32(?,00004212,00000008), ref: 6C8F2A46
CheckMenuItem.USER32(?,00004213,00000008), ref: 6C8F2A59
EnableMenuItem.USER32(?,00004212,00000001), ref: 6C8F2A7B
EnableMenuItem.USER32(?,00004212,00000001), ref: 6C8F2AAA
EnableMenuItem.USER32(?,00004213,00000001), ref: 6C8F2AB9
EnableMenuItem.USER32(?,00004214,00000001), ref: 6C8F2AC8
EnableMenuItem.USER32(?,00004215,00000001), ref: 6C8F2B1A
CheckMenuItem.USER32(?,00004215,00000008), ref: 6C8F2B32

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 54af15ef1df64f801d3fdd4b15fad0fa2b76d5ffbc50b7c3869979db4618360a
Instruction ID: 34bf875520d71c052789be7cfdce14929159ffdb3813c7ed418ad4f44e142e46
Opcode Fuzzy Hash: 54af15ef1df64f801d3fdd4b15fad0fa2b76d5ffbc50b7c3869979db4618360a
Instruction Fuzzy Hash: 8A51CD30B41616EFDB258F10CE48E59BB72FF04745F0086A5F929AB690C370D942CB90

Function 033ABD5F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033ABD81
_wcsrchr.LIBCMT ref: 033ABD89
_memset.LIBCMT ref: 033ABDC0
_wcsrchr.LIBCMT ref: 033ABDC8
_memset.LIBCMT ref: 033ABE43
_memset.LIBCMT ref: 033ABE6F
_memset.LIBCMT ref: 033ABE8A
_memset.LIBCMT ref: 033ABF29

Strings

D, xrefs: 033ABF35

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: _memset$_wcsrchr
String ID: D
API String ID: 170005318-2746444292
Opcode ID: dbe0af0cfe405bfaa2f7670afa9565592a0c6507b5e6e8f9ef5526909d63a184
Instruction ID: ff85c2adf6d98c2bcf8996768225401a3e3d9b4ad35d0c908c8d78ada7e9e4c9
Opcode Fuzzy Hash: dbe0af0cfe405bfaa2f7670afa9565592a0c6507b5e6e8f9ef5526909d63a184
Instruction Fuzzy Hash: 2251F7B5D4071C7ADB24EBA4CCC5FEAB378EF14700F444599A70EAA081EB709694CFA5

Function 6C8D481E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 6C8D482E
GetSystemMetrics.USER32(00000048), ref: 6C8D4850
CreateFontW.GDI32(00000000,?,?,6C8D39B9,00001000,?,?,?), ref: 6C8D4857
SelectObject.GDI32(00000000,00000000), ref: 6C8D4865
GetCharWidthW.GDI32(00000000,00000036,00000036,6CA913BC,?,?,6C8D39B9,00001000,?,?,?), ref: 6C8D4877
SelectObject.GDI32(00000000,00000000), ref: 6C8D4883
DeleteObject.GDI32(00000000), ref: 6C8D488A
ReleaseDC.USER32(00000000,00000000), ref: 6C8D4893

Strings

Marlett, xrefs: 6C8D4834

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 4596c7e8eeae8dc723319b452fca7dfa7a3bcd2ccd6992f79f7e548b5caeb4f4
Instruction ID: 66fda54f0a092d1d1f00f64b0223f566fc82aed6232ca3ee51f499a2b971c22f
Opcode Fuzzy Hash: 4596c7e8eeae8dc723319b452fca7dfa7a3bcd2ccd6992f79f7e548b5caeb4f4
Instruction Fuzzy Hash: 74017C35300B917BD6751A625C9DEAB2E7DEBC7B91F00821CF629D1180DB648802C734

Function 6C8C2CF2 Relevance: 15.5, APIs: 10, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e089b9489584fe3d91fd5f89614b2599dcbd1f29a3b90e2b37328224b0fdcdd
Instruction ID: f2ecc3b41ff52a003bfd2a72833a3bdd22c267d51cf1d7ec271d32fd8b06b853
Opcode Fuzzy Hash: 3e089b9489584fe3d91fd5f89614b2599dcbd1f29a3b90e2b37328224b0fdcdd
Instruction Fuzzy Hash: EE020235B00A09DFCB25CF69D99499EB3B2FF4A315F108A59E901AB750C731ED42CBA1

Function 6C900486 Relevance: 15.4, APIs: 10, Instructions: 351windowtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9004F4
LoadCursorW.USER32(00000000,00007F00), ref: 6C900522
GetClientRect.USER32(?,?), ref: 6C900564
IsWindowVisible.USER32(?), ref: 6C90079D
SetTimer.USER32(00000000,0000EC15,00000000), ref: 6C9007C0
InvalidateRect.USER32(?,00000000,00000001,6CA98428,00000000,00000000,00000000,00000000,00000053), ref: 6C90082F
UpdateWindow.USER32(?), ref: 6C900838
__EH_prolog3_GS.LIBCMT ref: 6C900861
LoadCursorW.USER32(00000000,00007F00), ref: 6C900888
GetParent.USER32(?), ref: 6C9008D1

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CursorH_prolog3_LoadRectWindow$ClientInvalidateParentTimerUpdateVisible
String ID:
API String ID: 706703367-0
Opcode ID: 1c2bbff9edf722c4fec51ba9d739bf7db794d320405d2b98a7405820108a9c63
Instruction ID: 230c23e17b22356df65bdcad0c96dfbcd289e552366afe81af96e4474da254e9
Opcode Fuzzy Hash: 1c2bbff9edf722c4fec51ba9d739bf7db794d320405d2b98a7405820108a9c63
Instruction Fuzzy Hash: 5DD18870B016059FDB248F68C994BED77B6BF48318F14427AEC19ABB91CB70E945CB90

Function 6C8E4F7F Relevance: 15.2, APIs: 10, Instructions: 212timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C8E4FA0
GetWindowRect.USER32(?,?), ref: 6C8E4FB4
KillTimer.USER32(?,0000EC08), ref: 6C8E5039
ReleaseCapture.USER32 ref: 6C8E503F
SetCursor.USER32(00000000), ref: 6C8E5046
SetCursor.USER32(?), ref: 6C8E5099
LoadCursorW.USER32(?,00000000), ref: 6C8E50B1
SetCursor.USER32(00000000), ref: 6C8E50B8
GetParent.USER32(?), ref: 6C8E5159
UpdateWindow.USER32(?), ref: 6C8E51B0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
String ID:
API String ID: 2135910768-0
Opcode ID: 004ba714a4f6da15110e9a2b422d1e6993514db039a505616a4e9001f4c46a3e
Instruction ID: c8bd343a66eeaf63d66583a3cfa799ee1ddecc23b9c56200bb11669803398c16
Opcode Fuzzy Hash: 004ba714a4f6da15110e9a2b422d1e6993514db039a505616a4e9001f4c46a3e
Instruction Fuzzy Hash: 9071D635F043169FDF288F64CA94ABDB775FF4E314F144A65E80AE7A41CB34A8418B91

Function 6C8DA01F Relevance: 15.1, APIs: 10, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C8DA026
FindResourceW.KERNEL32(?,00000000,00000005,00000024,6C8BF62E), ref: 6C8DA067
LoadResource.KERNEL32(?,00000000), ref: 6C8DA073
LockResource.KERNEL32(?,00000024,6C8BF62E), ref: 6C8DA083
GetDesktopWindow.USER32 ref: 6C8DA0BA
IsWindowEnabled.USER32(00000000), ref: 6C8DA0C5
EnableWindow.USER32(00000000,00000000), ref: 6C8DA0D1
EnableWindow.USER32(00000000,00000001), ref: 6C8DA1B5
GetActiveWindow.USER32 ref: 6C8DA1BF
SetActiveWindow.USER32(00000000,?,00000024,6C8BF62E), ref: 6C8DA1CB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindH_prolog3_catchLoadLock
String ID:
API String ID: 723642982-0
Opcode ID: 29639c1932f381b27ef4ea154f7dd04744f6f345c7313dfd1f35f0aceb411156
Instruction ID: ad82db7fea22629e98f2beb85377fe82ecb863f82bca46ee50c630d2a9fd8a79
Opcode Fuzzy Hash: 29639c1932f381b27ef4ea154f7dd04744f6f345c7313dfd1f35f0aceb411156
Instruction Fuzzy Hash: 6151A030B01716DBDF249BA4CA84BEEBBB5BF08319F254A15D815A7781DB34E801CBA1

Function 6C943C89 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C943D5A
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6C943DCB
SelectObject.GDI32(00000000,?), ref: 6C943CA7

Part of subcall function 6C8DC329: DeleteObject.GDI32(?), ref: 6C8DC33B

SelectObject.GDI32(?,?), ref: 6C943CBC
DeleteObject.GDI32(00000000), ref: 6C943D1D
DeleteDC.GDI32(00000000), ref: 6C943D2C
LeaveCriticalSection.KERNEL32(6CA9A080), ref: 6C943D43

Strings

, xrefs: 6C943CC2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Object$Delete$Select$CopyCriticalH_prolog3ImageLeaveSection
String ID:
API String ID: 1753285881-3916222277
Opcode ID: eebc9acc475d2d32710e483d1c69218f99277030497d4cb02a77706790ae7c29
Instruction ID: 047a8e15434027723539e1555d20cef51d30dccf44f0028e79ea4aed1a2947b2
Opcode Fuzzy Hash: eebc9acc475d2d32710e483d1c69218f99277030497d4cb02a77706790ae7c29
Instruction Fuzzy Hash: E051C035A01601EFDB209F74CD89AAA777AFF05318F10C625EA149B991D770EC45CBA0

Function 6C958F4C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100sleepthreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CA9A104,?,?,?,6C8F8FBA,00000001), ref: 6C958F71
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6C958FA2
LeaveCriticalSection.KERNEL32(6CA9A104), ref: 6C958FB8
PlaySoundW.WINMM(MenuCommand,00000000,00012002), ref: 6C959009
Sleep.KERNEL32(00000005,?,6CA9A104,?,?,?,?,6C8F8FBA,00000001), ref: 6C959034
PlaySoundW.WINMM(00000000,00000000,00000040), ref: 6C959049

Strings

MenuCommand, xrefs: 6C95901B
MenuPopup, xrefs: 6C959004

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CriticalPlaySectionSound$EnterLeavePrioritySleepThread
String ID: MenuCommand$MenuPopup
API String ID: 2370138168-2036262055
Opcode ID: 1f419aec5a03656d3b29e7767162b363e1e3383da46237cf361b09e91c6d4190
Instruction ID: 60aa56cd7a1a98fbec4a750b11c3ffe031aa913461289fdcf100b1e23031dc0b
Opcode Fuzzy Hash: 1f419aec5a03656d3b29e7767162b363e1e3383da46237cf361b09e91c6d4190
Instruction Fuzzy Hash: 0931C7706547069BDB18CF699C89B2636BDE747338F708716FA34929D0CB71C4A38B94

Function 6C8C4625 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6C8C466C
SetActiveWindow.USER32(?), ref: 6C8C4677
SendMessageW.USER32(?,00000112,?,?), ref: 6C8C4691
IsWindow.USER32(?), ref: 6C8C4698
SetActiveWindow.USER32(?), ref: 6C8C46A3
IsWindow.USER32(00000000), ref: 6C8C46AA
SetFocus.USER32(00000000), ref: 6C8C46B5

Strings

u, xrefs: 6C8C46BE

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: f75d484fe1f744f8ff3d1c05e2f013b59cee57a07fa8817af80f2924ed9096a0
Instruction ID: e2f7b5385dca83301195d9991e45778c723c45ea4fe80b89954eff801345d39e
Opcode Fuzzy Hash: f75d484fe1f744f8ff3d1c05e2f013b59cee57a07fa8817af80f2924ed9096a0
Instruction Fuzzy Hash: 2B11B132305704ABEB311F38DE48EBA3B75EBC9319B108E20E915C5D49DA39C8959B42

Function 6C9D9C60 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9D9C67

Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6B3
Part of subcall function 6C8DF682: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6C9
Part of subcall function 6C8DF682: LeaveCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6D7
Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DF6E4

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6C9D9CB2
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6C9D9CC5
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6C9D9CD8

Strings

DragScrollInset, xrefs: 6C9D9CA7
DragScrollInterval, xrefs: 6C9D9CCD
windows, xrefs: 6C9D9CAC, 6C9D9CB1, 6C9D9CBF, 6C9D9CD2
DragScrollDelay, xrefs: 6C9D9CBA

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 7e7f2e03df69aa9ce05c2ddcf13aae59aa9385d775e28782f3c83749460ef82d
Instruction ID: 465d5ee02538ed2e0c5383a2d7d522a06d50d3272ada64ea6818a1a49a2b0353
Opcode Fuzzy Hash: 7e7f2e03df69aa9ce05c2ddcf13aae59aa9385d775e28782f3c83749460ef82d
Instruction Fuzzy Hash: C201D4B0A407429FDB25DF79890670A76F1BB55B04F018A2EF215D7F80DBB494C2CB08

Function 6C8E4246 Relevance: 13.6, APIs: 9, Instructions: 96timeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 6C8E425A
GetSystemMetrics.USER32(00000025), ref: 6C8E4262
GetSystemMetrics.USER32(00000025), ref: 6C8E4278
GetSystemMetrics.USER32(00000024), ref: 6C8E428C
GetSystemMetrics.USER32(00000024), ref: 6C8E42A0
CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020,?,?,00000020,00000020,00000000,00000000,00000000,00000800,00000000,00000000,00000000), ref: 6C8E4319
SetWindowRgn.USER32(?,00000000,00000001), ref: 6C8E4330
SetCapture.USER32(?,?,?,00000020,00000020,00000000,00000000,00000000,00000800,00000000,00000000,00000000), ref: 6C8E4339
SetTimer.USER32(?,0000EC08,00000032,00000000), ref: 6C8E4352

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MetricsSystem$CaptureClientCreateEllipticScreenTimerWindow
String ID:
API String ID: 47050291-0
Opcode ID: a60db3c66f22af3c679c2dc27cebf14462662d943a2d2f17c4de4f295a0bd6fd
Instruction ID: 80a6891d74c1114576c38943eb0a2ef65bf19ba38c1bf42c6bc358ee85daf2a0
Opcode Fuzzy Hash: a60db3c66f22af3c679c2dc27cebf14462662d943a2d2f17c4de4f295a0bd6fd
Instruction Fuzzy Hash: 61315E71700702AFEB28DF74CD59BAEBB75FB49304F00461CA65AD7281DB71A8018BA0

Function 6C8E0FBE Relevance: 13.6, APIs: 9, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C8E0FD9
GetWindowLongW.USER32(00000000,000000F0), ref: 6C8E0FE8
IsWindowEnabled.USER32(00000000), ref: 6C8E0FF6
GetDlgItem.USER32(?,00003024), ref: 6C8E100D
GetWindowLongW.USER32(00000000,000000F0), ref: 6C8E1019
IsWindowEnabled.USER32(?), ref: 6C8E1029
GetFocus.USER32 ref: 6C8E104A
IsWindowEnabled.USER32(00000000), ref: 6C8E1051
SetFocus.USER32(?), ref: 6C8E105E

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: 1497184ebe0de2456949dbb28022cd6115a3e9c0f66c135e113169a32f9d9a56
Instruction ID: 44c5f36483c9ad63c535a753e16439fb6fa35844421c9ec4ff0a193a293b8009
Opcode Fuzzy Hash: 1497184ebe0de2456949dbb28022cd6115a3e9c0f66c135e113169a32f9d9a56
Instruction Fuzzy Hash: B9110231700A12ABCF395F65DD5CB9D7B7AEF4B355B108A24F919D2561DB31C802EB80

Function 6C942AF7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 261windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C943ECE: GdipGetImagePixelFormat.GDIPLUS(?,6CA9A080,00000000,00000000,?,6C942B3B,CDD28759,?,00000000,6CA9A080), ref: 6C943EDC

Part of subcall function 6C943E86: GdipGetImagePalette.GDIPLUS(?,00000000,?,?,?,6C942C5A,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,CDD28759), ref: 6C943E95

GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,CDD28759,?,00000000,6CA9A080), ref: 6C942D4F
GdipBitmapUnlockBits.GDIPLUS(?,?,?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,CDD28759,?,00000000), ref: 6C942DFF
GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6C942E51
GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6C942E5C
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000), ref: 6C942E67

Strings

&, xrefs: 6C942B7F
&, xrefs: 6C942D09

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
String ID: &$ &
API String ID: 1665940520-360661826
Opcode ID: 2f1f3fe42bea76d0b5deeb455be0454e7e60f69511ba45b61faf4a39bf8bfcd9
Instruction ID: 32206e76388ff931ac4a1e7510d5639e453440dd47947af697ed5c6b558d5f68
Opcode Fuzzy Hash: 2f1f3fe42bea76d0b5deeb455be0454e7e60f69511ba45b61faf4a39bf8bfcd9
Instruction Fuzzy Hash: ABA172B1A015299BCB248F54CD94AEDB7B9FF44358F5081E9DA08A7701D730DE85CF98

Function 6C8C4E9F Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 209libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C8C4EC1
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 6C8C4EF6
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 6C8C4F1E
ScreenToClient.USER32(?,?), ref: 6C8C4FAA

Strings

user32.dll, xrefs: 6C8C4EB7
CloseGestureInfoHandle, xrefs: 6C8C4F10
GetGestureInfo, xrefs: 6C8C4EE8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 471820996-2905070798
Opcode ID: fc1d4ac0ad3950f10d33f56b6e9a08222270fbc715f6396bc57acd77e0533016
Instruction ID: ae4b36913e37edea0f0d722b94515e3994ac4d4ba902a2e8ae6f543f3f56106c
Opcode Fuzzy Hash: fc1d4ac0ad3950f10d33f56b6e9a08222270fbc715f6396bc57acd77e0533016
Instruction Fuzzy Hash: 9281CF78710716EFCB29CF68CA549A9BBB1FF49304B008A6AE905D7B10DB30E951DF81

Function 6C9F5CF8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9F5CFF
IsAppThemed.UXTHEME(0000003C,6C9F5E74,?), ref: 6C9F5D41
OpenThemeData.UXTHEME(?,Button), ref: 6C9F5D6C
GetThemePartSize.UXTHEME(?,00000005,00000003,00000005,00000000,00000001,00000000,00000000,00000000), ref: 6C9F5DB3
CloseThemeData.UXTHEME(?,?), ref: 6C9F5DD4
GetObjectW.GDI32(?,00000018,?), ref: 6C9F5DFD

Strings

Button, xrefs: 6C9F5D66

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Theme$Data$CloseH_prolog3ObjectOpenPartSizeThemed
String ID: Button
API String ID: 1633685699-1034594571
Opcode ID: 7c544574fa2b59ccdfa91504b1d0bdf0d0c8f87f74423fed8649a61fe2ef7a7b
Instruction ID: 5bb83df5d2815615df3729112f165a2715768784ba9b653bca1a6b09de67aed2
Opcode Fuzzy Hash: 7c544574fa2b59ccdfa91504b1d0bdf0d0c8f87f74423fed8649a61fe2ef7a7b
Instruction Fuzzy Hash: 14319271B01206AFEB14DFA4CC58BEEB7B9FF44704F118429E511EA680EB70E906CB60

Function 6C8DEAAA Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C8DEABC
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6C8DEACC
EncodePointer.KERNEL32(00000000), ref: 6C8DEAD5
DecodePointer.KERNEL32(00000000), ref: 6C8DEAE3
DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?), ref: 6C8DEB30

Strings

DrawThemeTextEx, xrefs: 6C8DEAC6
uxtheme.dll, xrefs: 6C8DEAB7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
String ID: DrawThemeTextEx$uxtheme.dll
API String ID: 1727381832-3035683158
Opcode ID: c402c87cbec7c8e4dc3a8ef4c712e4393816e321f0fdec1d37c162691468b5c6
Instruction ID: 6792fadf6713d1d8b3c84bfacf4d4edc488eb2287af59f7aa40d8705e58c6822
Opcode Fuzzy Hash: c402c87cbec7c8e4dc3a8ef4c712e4393816e321f0fdec1d37c162691468b5c6
Instruction Fuzzy Hash: F811E53660160AFFCF265FA0DD14DDE7F76BF09794B058511FE09A1120C732D862AB90

Function 6C8C672F Relevance: 12.1, APIs: 8, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C8C6779
BeginDeferWindowPos.USER32(00000008), ref: 6C8C678F
GetTopWindow.USER32(?), ref: 6C8C67A0
GetDlgCtrlID.USER32(00000000), ref: 6C8C67A9
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6C8C67E1
GetWindow.USER32(00000000,00000002), ref: 6C8C67EA
CopyRect.USER32(?,?), ref: 6C8C6805
EndDeferWindowPos.USER32(00000000), ref: 6C8C6895

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 0ef80fe163fcdc6449d561aac6aec6ae8c8441dc8aa48ab0a840350f0c85357a
Instruction ID: d2a39cc21bec3c24be8879d4ee0035cfe23d102f8378d5e124484dfeea3b245b
Opcode Fuzzy Hash: 0ef80fe163fcdc6449d561aac6aec6ae8c8441dc8aa48ab0a840350f0c85357a
Instruction Fuzzy Hash: BA512771A01219DFCF24CFA8C984AEEB7B5FF09315F148A69E805E7640C734E951CBA5

Function 6C942294 Relevance: 12.1, APIs: 8, Instructions: 135clipboardwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C94229B

Part of subcall function 6C8D1A91: __EH_prolog3.LIBCMT ref: 6C8D1A98
Part of subcall function 6C8D1A91: GetWindowDC.USER32(00000000,00000004,6C8EAE60,00000000), ref: 6C8D1AC4

CreateCompatibleDC.GDI32(00000000), ref: 6C9422C1
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9422E7

Part of subcall function 6C8D2A4C: SelectObject.GDI32(00000048,?), ref: 6C8D2A55

FillRect.USER32(?,?,00000000), ref: 6C942339
OpenClipboard.USER32(?), ref: 6C942393
EmptyClipboard.USER32 ref: 6C9423D3
SetClipboardData.USER32(00000002,00000000), ref: 6C9423F7
CloseClipboard.USER32 ref: 6C942411

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
String ID:
API String ID: 2940850299-0
Opcode ID: 49213feda559c58c86978c504dfae1ae768a754087d8693d49299c3d97744534
Instruction ID: bf9582b23ce379887c6121c966885fdbaebe7f0eb7f7094159a58ed2d7427203
Opcode Fuzzy Hash: 49213feda559c58c86978c504dfae1ae768a754087d8693d49299c3d97744534
Instruction Fuzzy Hash: 3E419471900215ABCB18DBE9DD58DDEBB79BF15318F118129E419E7AA0DB30DA08CB60

Function 6C8DCF43 Relevance: 12.1, APIs: 8, Instructions: 97memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C8DCF4A
EnterCriticalSection.KERNEL32(?,00000010,6C8DCE73,?,00000000,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478,?,Function_0018AEC0,000000FF), ref: 6C8DCF5B
TlsGetValue.KERNEL32(?,?,00000000,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478,?,Function_0018AEC0,000000FF,?,6C8A114D), ref: 6C8DCF77
LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478,?,Function_0018AEC0), ref: 6C8DCFE0
LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478), ref: 6C8DCFEE
TlsSetValue.KERNEL32(?,00000000), ref: 6C8DD01F
LeaveCriticalSection.KERNEL32(?,?,00000000,?,6C8D6CE6,00000004,6C8D7498,00000120,6C8BF296,00000000,6CA9B478,?,Function_0018AEC0,000000FF,?,6C8A114D), ref: 6C8DD03D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
String ID:
API String ID: 1707010094-0
Opcode ID: 44f27a2c986aabf0f3d3e4fe0bb88a69382be88d3f0d15dec08533e227b83c2f
Instruction ID: a0a3573b2177e766731306a8b5880ad54e97f57fb72405d592fc8bb633a591f4
Opcode Fuzzy Hash: 44f27a2c986aabf0f3d3e4fe0bb88a69382be88d3f0d15dec08533e227b83c2f
Instruction Fuzzy Hash: 1631B031600702DFDB359F19C984A5ABBB1EF80314B21C92AE8699BA55DB70F846CF51

Function 6C9449B4 Relevance: 12.1, APIs: 8, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6C9449A9,00000000,00000000,?,6CA4DEF0,?,6C945767,?,?,?), ref: 6C9449C5
GlobalLock.KERNEL32(00000000), ref: 6C9449D2
GlobalUnlock.KERNEL32(00000000), ref: 6C9449DD
GlobalFree.KERNEL32(00000000), ref: 6C9449E4
GlobalUnlock.KERNEL32(00000000), ref: 6C944A02
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6C944A0F
EnterCriticalSection.KERNEL32(6CA9A080,00000000), ref: 6C944A28
LeaveCriticalSection.KERNEL32(6CA9A080,00000000), ref: 6C944A8F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
String ID:
API String ID: 295443201-0
Opcode ID: a31cb544ae8071c83445030ddd79620b5ad087f0d229eab56bf19b69e9fd198c
Instruction ID: b47a4060e63393bd96c3e57474dcf3da6862aeb0e4f889c7d07b2fb3aec4bd58
Opcode Fuzzy Hash: a31cb544ae8071c83445030ddd79620b5ad087f0d229eab56bf19b69e9fd198c
Instruction Fuzzy Hash: 7321E135B01712ABDF289F64DD5AA9E37BEAF0670AB10C126E509E6A40DF34CD06CB54

Function 6C8EA4AE Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 6C8EA4BC
GetSystemMetrics.USER32(00000032), ref: 6C8EA4CA
SetRectEmpty.USER32(?), ref: 6C8EA4DD
EnumDisplayMonitors.USER32(00000000,00000000,6C8EA2C4,?,?,00000000,6C8EA3EA), ref: 6C8EA4ED
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C8EA4FC
SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C8EA529
SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C8EA53D
SystemParametersInfoW.USER32 ref: 6C8EA563

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: d56af66a7dfc0dc0b1328e72e992c01bdca173e207e31d3820439d6186d44413
Instruction ID: 50f975fb0b6cd84adbe9cb4996adb9780208d0ad5ed9539241a2965b85c2ca14
Opcode Fuzzy Hash: d56af66a7dfc0dc0b1328e72e992c01bdca173e207e31d3820439d6186d44413
Instruction Fuzzy Hash: 46211AB0701A16BFE7184F719C88AE3BBBCFF0A785F004629E95AC6140D7706955CBA0

Function 033AB62F Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 351COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033AB839
_memset.LIBCMT ref: 033AB86E

Part of subcall function 033AF0C6: _malloc.LIBCMT ref: 033AF0E0

Strings

(, xrefs: 033AB7FD
6, xrefs: 033AB820
gfff, xrefs: 033AB6F7
gfff, xrefs: 033AB6CF

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: _memset$_malloc
String ID: ($6$gfff$gfff
API String ID: 3506388080-713438465
Opcode ID: adc29c7617633d4b8d790a07087d8aa0c6b7af03618b52efd29b7f2ce1e6f169
Instruction ID: 8ceb0aff98cc34e6ffdeda97fe87c18ac106f151e7209ee43bdcc31f2647205e
Opcode Fuzzy Hash: adc29c7617633d4b8d790a07087d8aa0c6b7af03618b52efd29b7f2ce1e6f169
Instruction Fuzzy Hash: 9DD159B5E00318AFDB14EFE9DC85AAEFBB9FF48300F104129E505AB251D774A945CBA1

Function 6C8D09C3 Relevance: 10.8, APIs: 7, Instructions: 347COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000000,?), ref: 6C8D0ADC
OffsetRect.USER32(?,?,00000000), ref: 6C8D0AFC
SetCapture.USER32(?), ref: 6C8D0B6F
RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 6C8D0B8E
ReleaseCapture.USER32 ref: 6C8D0C1C
OffsetRect.USER32(?,000000FF,000000FF), ref: 6C8D0C92
OffsetRect.USER32(?,000000FF,000000FF), ref: 6C8D0CA3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: OffsetRect$Capture$RedrawReleaseWindow
String ID:
API String ID: 1110970518-0
Opcode ID: 547831b733a114ec9158eb00254485d21d3bc20821806fdaa2033c7f721d3627
Instruction ID: 37502f50f95b767a4ad6f830624cd807829a69a7968a05a5415f224ba479077d
Opcode Fuzzy Hash: 547831b733a114ec9158eb00254485d21d3bc20821806fdaa2033c7f721d3627
Instruction Fuzzy Hash: 92D191347016159FCF188F58CCA8BAD77B6AF49321F1586BAED0ADB785CB70AC018B51

Function 6CA19C7A Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6CA19D00

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: dcf6de6983ba25cf7fb2a1e790eb05696bef74ce987331217bebaa3cc46a5552
Instruction ID: 71d06db2083c7590b06e8ec9662f48167136bf3a61f4cb16476393e591dba10e
Opcode Fuzzy Hash: dcf6de6983ba25cf7fb2a1e790eb05696bef74ce987331217bebaa3cc46a5552
Instruction Fuzzy Hash: 1EB16832A09365AFDB018F78CE80BEE7BB6EF46314F184155E804ABB81D3749985C7A1

Function 6C8DAFEF Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9018AB: IsWindow.USER32(?), ref: 6C9018B7

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8DB1B3

Part of subcall function 6C90029F: GetClientRect.USER32(?,?), ref: 6C9002C7
Part of subcall function 6C90029F: PtInRect.USER32(?,00000000,?), ref: 6C9002E1

ScreenToClient.USER32(?,?), ref: 6C8DB080
PtInRect.USER32(?,?,?), ref: 6C8DB093
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8DB0C5
GetParent.USER32(?), ref: 6C8DB0F5
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8DB173
GetFocus.USER32 ref: 6C8DB179

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageRectSend$Client$FocusParentScreenWindow
String ID:
API String ID: 1639644240-0
Opcode ID: 07d3519658a838dc02c7b9bf079b93d2b4f54427e7caf5a42b36b8eabbad0e84
Instruction ID: 83cc312b42ae361f38a85dd4cb5eaca5acbf86785249fafcc7ecefd815de8ca2
Opcode Fuzzy Hash: 07d3519658a838dc02c7b9bf079b93d2b4f54427e7caf5a42b36b8eabbad0e84
Instruction Fuzzy Hash: 71518F71A00619AFDF20DFA9CE549AEBBB4FF49708B11896AE815E7750DB30F901CB50

Function 6C944AAA Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6C944B8D
GetObjectW.GDI32(00000000,00000018,?), ref: 6C944BAA
DeleteObject.GDI32(00000000), ref: 6C944BB5
DeleteObject.GDI32(00000000), ref: 6C944C5A

Part of subcall function 6C94589E: GetObjectW.GDI32(?,00000054,?), ref: 6C9458B8

__EH_prolog3.LIBCMT ref: 6C944AB1

Part of subcall function 6C8DC329: DeleteObject.GDI32(?), ref: 6C8DC33B

Part of subcall function 6C944950: FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C944972
Part of subcall function 6C944950: LoadResource.KERNEL32(00000000,00000000,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C944980
Part of subcall function 6C944950: LockResource.KERNEL32(00000000,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C94498B
Part of subcall function 6C944950: SizeofResource.KERNEL32(00000000,00000000,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C944999

Strings

, xrefs: 6C944BC0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Object$Resource$Delete$Load$FindH_prolog3ImageLockSizeof
String ID:
API String ID: 1337615151-3916222277
Opcode ID: 4f3a6fa28cde6b60f5c910d4f5fab20ae987ce31469d39b2004ae557b3eaf171
Instruction ID: 768c0214f409e48b57de480493de66d765a68d88c331dd62ee2b0fc586141b34
Opcode Fuzzy Hash: 4f3a6fa28cde6b60f5c910d4f5fab20ae987ce31469d39b2004ae557b3eaf171
Instruction Fuzzy Hash: B8518271A01616EFDB14DFA4C990BEEB378BF04309F048639E525A7A50DB30E959CFA1

Function 6C8C68CD Relevance: 10.6, APIs: 7, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C8C68FA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C8C691C
UpdateWindow.USER32(?), ref: 6C8C6936
SendMessageW.USER32(00000000,00000121,00000001,?), ref: 6C8C695C
SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C8C6974
UpdateWindow.USER32(?), ref: 6C8C69C1

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C8C6A0B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: f7d61bd7b679e68483197c68f192431fdc2955e3a5a3dec7ae491e9ebf28ec4a
Instruction ID: 75e628669d20fe5637967bf4154cd3c5a71f66ec077198feda2247222b1ec555
Opcode Fuzzy Hash: f7d61bd7b679e68483197c68f192431fdc2955e3a5a3dec7ae491e9ebf28ec4a
Instruction Fuzzy Hash: 8D41A571B01715ABDB248F75CA48BBEBBB8FF05718F108A78E815D3990D770E9058751

Function 6C9804E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9804EC

Part of subcall function 6C908EEE: __EH_prolog3.LIBCMT ref: 6C908EF5

Part of subcall function 6C9EA894: SetRectEmpty.USER32(?), ref: 6C9EA8C9

SetRectEmpty.USER32(?), ref: 6C98061C
SetRectEmpty.USER32 ref: 6C98062D
SetRectEmpty.USER32(?), ref: 6C980634

Part of subcall function 6C8BFC40: _wmemcpy_s.LIBCPMTD ref: 6C8BFCBD

Strings

True, xrefs: 6C98063C, 6C980647, 6C98068F
False, xrefs: 6C98069B, 6C9806A0, 6C9806A8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: EmptyRect$H_prolog3$_wmemcpy_s
String ID: False$True
API String ID: 3178944079-1895882422
Opcode ID: 151f0bc0e3946c63f2d87728f6aa6424913ad52f4b3916342b02c1202e9c826d
Instruction ID: 0ca1206a8819cfd07115d7b396b43edd486e49ff4ce5bcc99eacba8f77873e8a
Opcode Fuzzy Hash: 151f0bc0e3946c63f2d87728f6aa6424913ad52f4b3916342b02c1202e9c826d
Instruction Fuzzy Hash: 7851F2B09057029FCB1ACF28D5947E8BBE8BF19304F1881BEA81C9F796CB705645CB65

Function 6C94BC90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C94BC97
CopyRect.USER32(?,?), ref: 6C94BD45
IsRectEmpty.USER32(?), ref: 6C94BD5D
IsRectEmpty.USER32(?), ref: 6C94BD75
IsRectEmpty.USER32(?), ref: 6C94BD8A

Part of subcall function 6C8EA57A: __EH_prolog3.LIBCMT ref: 6C8EA581
Part of subcall function 6C8EA57A: LoadCursorW.USER32(00000000,00007F00), ref: 6C8EA5A5
Part of subcall function 6C8EA57A: GetClassInfoW.USER32(?,?,?), ref: 6C8EA5E0

Strings

Afx:ControlBar, xrefs: 6C94BCCC

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 685170547-4244778371
Opcode ID: 1f53e5e396965d19da17b094403c2fbdb2aa3ea692bd7737f3777ef236561296
Instruction ID: 0fa2038bd1048bc5fdd42a8a4c309b715318caa25c90367220c0ab048891bbf9
Opcode Fuzzy Hash: 1f53e5e396965d19da17b094403c2fbdb2aa3ea692bd7737f3777ef236561296
Instruction Fuzzy Hash: E6413671A006099FCF05CFA8C994AEE77B9BF59308F1485A9EC05FB640DB71E909CB60

Function 6C8E4BC3 Relevance: 10.6, APIs: 7, Instructions: 121windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8E4BCA
CreateCompatibleDC.GDI32(?), ref: 6C8E4BF9
GetClientRect.USER32(?,?), ref: 6C8E4C16
SelectObject.GDI32(?,?), ref: 6C8E4C4F
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 6C8E4C76
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C8E4CFC
SelectObject.GDI32(?,00000000), ref: 6C8E4D0A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ObjectSelect$ClientCompatibleCreateH_prolog3_Rect
String ID:
API String ID: 1651110115-0
Opcode ID: 91ec0735e268e19b88dde5673c41a5331c541472e58fec700894cd201e4201c5
Instruction ID: 6f76ba059f6bd99dfacf228539a791c3ffdb99fb5867525d4889bf55e785cd3d
Opcode Fuzzy Hash: 91ec0735e268e19b88dde5673c41a5331c541472e58fec700894cd201e4201c5
Instruction Fuzzy Hash: FB411871A00209AFDF14DBA8DE95EEEB7BAFF99704F108129F505A3690DB706D05CB60

Function 6CA02B80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CA02BB7
___except_validate_context_record.LIBVCRUNTIME ref: 6CA02BBF
_ValidateLocalCookies.LIBCMT ref: 6CA02C48
__IsNonwritableInCurrentImage.LIBCMT ref: 6CA02C73
_ValidateLocalCookies.LIBCMT ref: 6CA02CC8

Strings

csm, xrefs: 6CA02C5D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 024832b7174898d9acd459fa43af6a2b91400f485995f91516eb7085436a2023
Instruction ID: 5bbf1e4b0fe9dcdd1382fb29d7ee3c485e86a51263190bb20ec126fb001008ef
Opcode Fuzzy Hash: 024832b7174898d9acd459fa43af6a2b91400f485995f91516eb7085436a2023
Instruction Fuzzy Hash: 0541D334B003199FCF04DF69D888ADEBBB1AF4536CF188255E8189B751C731D99ACB90

Function 6C8EE917 Relevance: 10.6, APIs: 7, Instructions: 113fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C8EE937
GetLastError.KERNEL32 ref: 6C8EE953
SetFilePointer.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000), ref: 6C8EE980
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C8EE98E
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C8EE9AD
SetEndOfFile.KERNEL32(?,?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C8EEA0A
GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C8EEA24

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 964f9b2abda8ff939363ecc4b25092dd6e76ee1a87c2b12da2c929b0e6d6c6b3
Instruction ID: aefd7389178e138ee04d714ef3279f3c5b34e7fbe1f28fcc5c79cdb75d863ad6
Opcode Fuzzy Hash: 964f9b2abda8ff939363ecc4b25092dd6e76ee1a87c2b12da2c929b0e6d6c6b3
Instruction Fuzzy Hash: 0A31DF31600619BBCF24AFA1DC08EDE7BB9EF09365B108529F919C7A10DB30EA01CBD0

Function 6C8D694E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8D6958
GetClassNameW.USER32(?,?,000000FF), ref: 6C8D69B2
IsAppThemed.UXTHEME(?,?,?,?), ref: 6C8D6A43
GetStockObject.GDI32(00000005), ref: 6C8D6A54

Strings

Button, xrefs: 6C8D69D4
Static, xrefs: 6C8D69EB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClassH_prolog3_NameObjectStockThemed
String ID: Button$Static
API String ID: 2434646892-2498952662
Opcode ID: c8292bf8756ff2a42d44f04ff0d39fa29ba5702e27a65a6f1f21550a7cbc81e9
Instruction ID: 111e160d40e66d01aa6adfe1245ef17dbd5fd9eb247bc6850bb4cc173d0099ad
Opcode Fuzzy Hash: c8292bf8756ff2a42d44f04ff0d39fa29ba5702e27a65a6f1f21550a7cbc81e9
Instruction Fuzzy Hash: DA31E431A8021D9BCB34CF58CA88BD973B4AF14318F114DE9D559E7A80DB70BE85CB61

Function 6C940C79 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C940C80

Part of subcall function 6C940B9E: __EH_prolog3.LIBCMT ref: 6C940BA5
Part of subcall function 6C940B9E: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C940BF8
Part of subcall function 6C940B9E: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C940C0E

CopyRect.USER32(?,?), ref: 6C940CB5
GetCursorPos.USER32(?), ref: 6C940CC7
SetRect.USER32(?,?,?,?,?), ref: 6C940CDA
IsRectEmpty.USER32(?), ref: 6C940CF5
InflateRect.USER32(?,00000002,00000002), ref: 6C940D07
DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6C940D4F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: e1423b68118653aadac5b2f22874f29fed8556ccb3eeb2712b3a65c833fcb6bd
Instruction ID: e7201aafc60b088b11db1a20e5c9d7bf9f1300a7d9fa3f3e19145d41e3f6deea
Opcode Fuzzy Hash: e1423b68118653aadac5b2f22874f29fed8556ccb3eeb2712b3a65c833fcb6bd
Instruction Fuzzy Hash: 1C316571A017599BCF148FE8CD589ED7BB9FF59308B009119E81AEB744CB34D94ACBA0

Function 6C8D8733 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6C8D876E
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C8D879A
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C8D87C6
RegCloseKey.ADVAPI32(00000000), ref: 6C8D87D8
RegCloseKey.ADVAPI32(00000000), ref: 6C8D87E7

Part of subcall function 6C8D8C4A: GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,6C8D876C,80000001,software,00000000,0002001F,?), ref: 6C8D8C5B
Part of subcall function 6C8D8C4A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C8D8C6B

Strings

software, xrefs: 6C8D8757

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 58c07d8aa0dcdf50b90fb976943115cdacc2a2e60f42a8acd2ddecd2aaf5f8fe
Instruction ID: b54c1129e7405e31f91b2bd941eda7e03bfaba08d7a810f262888347ccf1423e
Opcode Fuzzy Hash: 58c07d8aa0dcdf50b90fb976943115cdacc2a2e60f42a8acd2ddecd2aaf5f8fe
Instruction Fuzzy Hash: 0921BE72A01219FFDB259A94DE44EBF7BBEEB42B04F11446AF905E2500D330AA00CBE4

Function 6CA1C572 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,CDD28759,?,6CA1C681,6CA05A34,?,00000000), ref: 6CA1C633

Strings

api-ms-, xrefs: 6CA1C5C9
ext-ms-, xrefs: 6CA1C5DD

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5a9d0508e75b3ae56628f71c6ab0fb044d9147d2be63aecaf51bdc4558cada72
Instruction ID: dd56167bf7c2292498775a674bad116ed236e994176df3c939a32e5b86c22949
Opcode Fuzzy Hash: 5a9d0508e75b3ae56628f71c6ab0fb044d9147d2be63aecaf51bdc4558cada72
Instruction Fuzzy Hash: F1216031B09216B7D721AE65DC44A8B77799F4277CF281330E925A7E81DB30ED41CAD0

Function 6C8C65CF Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,user32.dll,?,?,00000000,?,6C8C4CD3,00000000,00000000), ref: 6C8C65E0
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 6C8C65F2
GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 6C8C6600

Strings

RegisterTouchWindow, xrefs: 6C8C65EC
user32.dll, xrefs: 6C8C65D7
UnregisterTouchWindow, xrefs: 6C8C65F8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 667068680-2470269259
Opcode ID: 24c671bc628d23da1d387e04dca30cac2d0d66fc5494e2bb1731f5229ff35ca8
Instruction ID: b5dba4ade8ad625c8712049a0f083d8222ecd3f73e5a9018e6d42398a957e1c2
Opcode Fuzzy Hash: 24c671bc628d23da1d387e04dca30cac2d0d66fc5494e2bb1731f5229ff35ca8
Instruction Fuzzy Hash: 4C115932701A26EFC7201B6AED48929BB79FF45339B108636F808C3A00CB71DC418AE1

Function 6C8E8A74 Relevance: 10.6, APIs: 7, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C8E8A8E
DispatchMessageW.USER32(?), ref: 6C8E8AA0
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8E8AAE
SetRectEmpty.USER32(?), ref: 6C8E8AD6
GetDesktopWindow.USER32 ref: 6C8E8AEE
LockWindowUpdate.USER32(?,00000000), ref: 6C8E8AFF
GetDCEx.USER32(?,00000000,00000003), ref: 6C8E8B16

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: d6dc024e95207e3ee531e004827259bd1e72dd13e43c203060d187b057d5b6a8
Instruction ID: 0072796277897d918af82659430131d8de83c5aec4d0c0359a57223f503b4bd1
Opcode Fuzzy Hash: d6dc024e95207e3ee531e004827259bd1e72dd13e43c203060d187b057d5b6a8
Instruction Fuzzy Hash: B8211FB1A01706BBD7259FB9DD58A97BBBDFB09354B00493AA119C6901D734E411CBA0

Function 6C8DC613 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 6C8DC637
ClientToScreen.USER32(?,?), ref: 6C8DC651
GetWindow.USER32(?,00000005), ref: 6C8DC6A3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 6217bb1fa084aa4e30a92f51e29bea5dce238df898307925e9cf32dfe3bebcf8
Instruction ID: dff36257424b9861c98b6c0cc7a1f6a4077657d4898fd96f1c7e90a0af1454cb
Opcode Fuzzy Hash: 6217bb1fa084aa4e30a92f51e29bea5dce238df898307925e9cf32dfe3bebcf8
Instruction Fuzzy Hash: 9E11B731B0161AAFCB21DF65DD08AEF77B9EF4A300B114619F415E3140DB309D028BA0

Function 6C8C2A33 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C8C2A50
GetWindowRect.USER32(?,?), ref: 6C8C2A6E
ScreenToClient.USER32(?,?), ref: 6C8C2A7B
ScreenToClient.USER32(?,?), ref: 6C8C2A88
EqualRect.USER32(?,?), ref: 6C8C2A93
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6C8C2ABA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 6C8C2AC4

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 03cfd2f995f4175aa06cb5668f48a4c564cd21a4c5c75d6dfcb1b242ff34b072
Instruction ID: 5a6dafbf6acb4bbe146a30a7e846aacb116c135253093d9cc5573d774d090b0e
Opcode Fuzzy Hash: 03cfd2f995f4175aa06cb5668f48a4c564cd21a4c5c75d6dfcb1b242ff34b072
Instruction Fuzzy Hash: 76218435A0160AEFDF20DFA4CD88EBEBBB9FF05304B148629E905E6151D730D941CB61

Function 6C8C49A5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 6C8C49BC
FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C8C49E4
SizeofResource.KERNEL32(?,00000000), ref: 6C8C49F6
LoadResource.KERNEL32(?,00000000), ref: 6C8C4A02
LockResource.KERNEL32(00000000), ref: 6C8C4A0D

Strings

AFX_DIALOG_LAYOUT, xrefs: 6C8C49D5

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 2582447065-2436846380
Opcode ID: 22469a1ea6c8101800a86b740a978e89baf464ac8f4277c5389aa6e800a98cbf
Instruction ID: deee70358b85b44943e34b2b287015486a809629f9f6be756f87da6ec07a3114
Opcode Fuzzy Hash: 22469a1ea6c8101800a86b740a978e89baf464ac8f4277c5389aa6e800a98cbf
Instruction Fuzzy Hash: 8C11E5B1701700ABDB214B74DE48EBE76BDEBC5259B104934B805E3A00EB74C881C765

Function 6C916788 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C91678F

Part of subcall function 6C8CD33C: __EH_prolog3.LIBCMT ref: 6C8CD343

Strings

BLUE_, xrefs: 6C9167E3
IDX_OFFICE2007_STYLE, xrefs: 6C91679F
SILVER_, xrefs: 6C9167CE
AQUA_, xrefs: 6C9167D5
BLACK_, xrefs: 6C9167DC, 6C9167E8, 6C9167F0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: H_prolog3
String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
API String ID: 431132790-2717817858
Opcode ID: d70fbd79d24eebaca9b3851d74515367ffa1c8768a888194391432aa5c7006f9
Instruction ID: 746aa8cdb95a27b20b66bdf3d18ba642427f71cfef0f8ed89d2c5fd4809104a2
Opcode Fuzzy Hash: d70fbd79d24eebaca9b3851d74515367ffa1c8768a888194391432aa5c7006f9
Instruction Fuzzy Hash: 9A11C17690410D9BCB10DFACCA41AFE7778EF90328F154A29A111EBF84DB70DA89C752

Function 6C8DE93F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C8DE951
GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6C8DE961
EncodePointer.KERNEL32(00000000), ref: 6C8DE96A
DecodePointer.KERNEL32(00000000), ref: 6C8DE978

Strings

BeginBufferedPaint, xrefs: 6C8DE95B
uxtheme.dll, xrefs: 6C8DE94C

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BeginBufferedPaint$uxtheme.dll
API String ID: 2061474489-1632326970
Opcode ID: 22af28eadc59c334344332825a6f75d40105749168dad94b69defcfdbcad96cd
Instruction ID: 088f0eee583ef819a11e14f600c8152fa511f4ddbb7a7075ee3db885c4d9c722
Opcode Fuzzy Hash: 22af28eadc59c334344332825a6f75d40105749168dad94b69defcfdbcad96cd
Instruction Fuzzy Hash: E7F09035603B1BBF8F655FB5ED0886ABF79AF09661701C921FD09D2610DB30E8129BE0

Function 6C8DED85 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C8DED97
GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6C8DEDA7
EncodePointer.KERNEL32(00000000), ref: 6C8DEDB0
DecodePointer.KERNEL32(00000000), ref: 6C8DEDBE

Strings

uxtheme.dll, xrefs: 6C8DED92
EndBufferedPaint, xrefs: 6C8DEDA1

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: EndBufferedPaint$uxtheme.dll
API String ID: 2061474489-2993015961
Opcode ID: 85475c695c4ec437439f5ed450f4dc772ad00c28ddc296145ff22cb712f66ace
Instruction ID: fe43f74493b668782dd7713284c07157e42604d7a9d6b919550d8a57a842218e
Opcode Fuzzy Hash: 85475c695c4ec437439f5ed450f4dc772ad00c28ddc296145ff22cb712f66ace
Instruction Fuzzy Hash: 37F05435641716AB8F341E799D188597B79AB06792701C521FC09D6610DF30D8428BE4

Function 6C8DEA4E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C8DEA60
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C8DEA70
EncodePointer.KERNEL32(00000000), ref: 6C8DEA79
DecodePointer.KERNEL32(00000000), ref: 6C8DEA87

Strings

user32.dll, xrefs: 6C8DEA5B
ChangeWindowMessageFilter, xrefs: 6C8DEA6A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 2061474489-2498399450
Opcode ID: 63bce0e6b436b0f2739ac370c3084908b84a6ad6ea543de3b1fba800fec19ad6
Instruction ID: a9c665b3e6671b3af3f657f78f82c806925cea6cf91bfc1932c995553ae2386f
Opcode Fuzzy Hash: 63bce0e6b436b0f2739ac370c3084908b84a6ad6ea543de3b1fba800fec19ad6
Instruction Fuzzy Hash: 4DF0B4347417179F9B345B75AC1881A7B79BB0A2A5301CA71FC08D2600DA30D8414BE4

Function 6C8DE8E3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C8D7A27,00000000), ref: 6C8DE8F5
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C8DE905
EncodePointer.KERNEL32(00000000,?,?,6C8D7A27,00000000), ref: 6C8DE90E
DecodePointer.KERNEL32(00000000,?,?,6C8D7A27,00000000), ref: 6C8DE91C

Strings

ApplicationRecoveryInProgress, xrefs: 6C8DE8FF
kernel32.dll, xrefs: 6C8DE8F0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryInProgress$kernel32.dll
API String ID: 2061474489-2899047487
Opcode ID: 7502ed8e04626b92e5c289ee447212c88dbd8912cc6311f8640bf6ce75775b2c
Instruction ID: 6498c480bd3b1e49b5c6cf7aa473204c9ef4e9e5fcce48654e15f168b5c9b1ff
Opcode Fuzzy Hash: 7502ed8e04626b92e5c289ee447212c88dbd8912cc6311f8640bf6ce75775b2c
Instruction Fuzzy Hash: C5F08975742F27BB8F241B755D1882E77B9AB0A6557018A21FC05D7601DB20E4024BF5

Function 6C8DE88E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C8D7A6A,00000001), ref: 6C8DE8A0
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C8DE8B0
EncodePointer.KERNEL32(00000000,?,6C8D7A6A,00000001), ref: 6C8DE8B9
DecodePointer.KERNEL32(00000000,?,?,6C8D7A6A,00000001), ref: 6C8DE8C7

Strings

ApplicationRecoveryFinished, xrefs: 6C8DE8AA
kernel32.dll, xrefs: 6C8DE89B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryFinished$kernel32.dll
API String ID: 2061474489-1962646049
Opcode ID: 47b55ba3728cf8fdce5fb2634d6d2a627c16312b5b0b28a710af895e02ebe425
Instruction ID: 356a8b6c2bf3efe2410cb3fed5b1bc51eb430afc474455f221c75248ca645658
Opcode Fuzzy Hash: 47b55ba3728cf8fdce5fb2634d6d2a627c16312b5b0b28a710af895e02ebe425
Instruction Fuzzy Hash: 02F0A734B027379B8B242BB5AD189297BB9AE0A695701CA31FC05D3600DB20E4414BE4

Function 6C8DE9A4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C8DE9B3
GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C8DE9C3
EncodePointer.KERNEL32(00000000), ref: 6C8DE9CC
DecodePointer.KERNEL32(00000000), ref: 6C8DE9DA

Strings

uxtheme.dll, xrefs: 6C8DE9AE
BufferedPaintInit, xrefs: 6C8DE9BD

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintInit$uxtheme.dll
API String ID: 2061474489-1331937065
Opcode ID: be79346fed2489c337d01364d938e48d79f85266331196f6f0c126205b5d8ba0
Instruction ID: db9515476c9ffb4696f034a1ae77f167fd8232d5f32afe12d1ff8d26857d2ea3
Opcode Fuzzy Hash: be79346fed2489c337d01364d938e48d79f85266331196f6f0c126205b5d8ba0
Instruction Fuzzy Hash: 9BE0E531B03F33AB8F242B74BC1855936B4AF02255302CA22F805D3600DF20DC434BE4

Function 6C8DE9F9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C8DEA08
GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6C8DEA18
EncodePointer.KERNEL32(00000000), ref: 6C8DEA21
DecodePointer.KERNEL32(00000000), ref: 6C8DEA2F

Strings

uxtheme.dll, xrefs: 6C8DEA03
BufferedPaintUnInit, xrefs: 6C8DEA12

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintUnInit$uxtheme.dll
API String ID: 2061474489-1501038116
Opcode ID: 497d855e9c3c2144082b36bc68419101d10270f3dd64b9ac7d53f6d44c2b5a8a
Instruction ID: ab07adc7151578a6b220d272a01637f95bcd7ffe58086b3933262c5dcd67af40
Opcode Fuzzy Hash: 497d855e9c3c2144082b36bc68419101d10270f3dd64b9ac7d53f6d44c2b5a8a
Instruction Fuzzy Hash: DFE0A031B42B239B8F245B74BD1886D26B5BB06655706CA62F809D2A00DB24C8434BF4

Function 6C8F0D9B Relevance: 9.3, APIs: 6, Instructions: 333COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6C8F0E23
GetClientRect.USER32(?,6C8F07CC), ref: 6C8F0E36
GetWindowRect.USER32(00000000,?), ref: 6C8F0E80
GetParent.USER32(00000000), ref: 6C8F0E89
GetParent.USER32(00000000), ref: 6C8F111C
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,?,?,?,?,?,?,?,6C8F07CC,00000000), ref: 6C8F114C

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: b03bf02d958463368adca9667732ff2ffc220bf686f79855614fc1d2dfa83960
Instruction ID: 402bb06c3d6b8cd3dbb1488d35f797626785163ffef0f9b9a4f02f9788bf3880
Opcode Fuzzy Hash: b03bf02d958463368adca9667732ff2ffc220bf686f79855614fc1d2dfa83960
Instruction Fuzzy Hash: FED19071B01619DFDF14CFA8C994AEDB7B2EF49355F14866AE825A7780CB30A842CF50

Function 6C9025E9 Relevance: 9.3, APIs: 6, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C902719
GetWindowRect.USER32(?,?), ref: 6C90272D
PtInRect.USER32(?,?,?), ref: 6C902756
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C90276A

Part of subcall function 6C8C4227: GetParent.USER32(?), ref: 6C8C4231

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9027CC
GetFocus.USER32 ref: 6C9028F3

Part of subcall function 6C92966F: __EH_prolog3_GS.LIBCMT ref: 6C929679
Part of subcall function 6C92966F: GetWindowRect.USER32(?,?), ref: 6C92970D
Part of subcall function 6C92966F: SetRect.USER32(?,00000000,00000000,?,?), ref: 6C92972E
Part of subcall function 6C92966F: CreateCompatibleDC.GDI32(?), ref: 6C92973A
Part of subcall function 6C92966F: CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6C929764
Part of subcall function 6C92966F: GetWindowRect.USER32(?,?), ref: 6C9297B9
Part of subcall function 6C92966F: GetClientRect.USER32(?,?), ref: 6C9297C6

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID:
API String ID: 2914356772-0
Opcode ID: b3fa0179575878bb75792be0013798e577e9b8ca498919f3f5a3a0343e0b078a
Instruction ID: 606b922bfdf23f98228371b712bf431442ec6c4b633095b37309356f86a43ec9
Opcode Fuzzy Hash: b3fa0179575878bb75792be0013798e577e9b8ca498919f3f5a3a0343e0b078a
Instruction Fuzzy Hash: 54A1F334B00A169FDF189F65C898AAEB7B9BF49358B14817ED815E7B40DF30E841CB90

Function 6C8F6100 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C8F62A3
GetParent.USER32(?), ref: 6C8F62C2
GetParent.USER32(?), ref: 6C8F62D1
RedrawWindow.USER32(?,00000000,00000000,00000505,6CA507A8,00000000), ref: 6C8F6337
GetParent.USER32(?), ref: 6C8F6340
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 6C8F6367

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Parent$RedrawWindow
String ID:
API String ID: 2946272266-0
Opcode ID: b072d3715a746562ab9741e140307c39d14664ba985504af47b81788a87a5cd2
Instruction ID: f54cf50cc40a5945c9c9735b2bf1012881874f085cb030c474d134e74b8b9155
Opcode Fuzzy Hash: b072d3715a746562ab9741e140307c39d14664ba985504af47b81788a87a5cd2
Instruction Fuzzy Hash: 7471E575B00616AFCF188F64CD98AAD77BAFF49355B10866AE815D7750DB30AC02CF90

Function 6CA01C13 Relevance: 9.2, APIs: 6, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6CA01C5A
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6CA01CC5
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CA01CE2
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6CA01D21
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6CA01D80
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CA01DA3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: add2fd0047901e31a42aae39294c09eb7617d3bc053543c31198746f303de6ad
Instruction ID: 77550dd815f4c3597a4eac594ffa29db682901b2c1c3274d4dfceab05ed8c361
Opcode Fuzzy Hash: add2fd0047901e31a42aae39294c09eb7617d3bc053543c31198746f303de6ad
Instruction Fuzzy Hash: 98518C72701216EBEF114FA4EC84FFA3BAAEF4578CF244529EA15A6590D730C895CB60

Function 6C8F05FE Relevance: 9.2, APIs: 6, Instructions: 167windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6C8F068C
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6C8F06C8
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6C8F06FB
SetRectEmpty.USER32(?), ref: 6C8F0761
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6C8F07BD
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6C8F07EC

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: 04e1b11db7ad49c8e95da84bb83245738bb68c8c7b099f96319087e3012825fb
Instruction ID: f52c5d5887ed2a5158076e1acce93915b49bf342974721a3f8aaccb26223a96a
Opcode Fuzzy Hash: 04e1b11db7ad49c8e95da84bb83245738bb68c8c7b099f96319087e3012825fb
Instruction Fuzzy Hash: A1519270B016199FDB28CF64C994BADBBB5FF48304F20866EE515A7781DB30A941CF40

Function 6C8DAE25 Relevance: 9.1, APIs: 6, Instructions: 145windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8DAEAA
IsWindow.USER32(?), ref: 6C8DAF25
ClientToScreen.USER32(?,?), ref: 6C8DAF36
IsWindow.USER32(?), ref: 6C8DAF54
ClientToScreen.USER32(?,?), ref: 6C8DAF84
SendMessageW.USER32(?,0000020A,?,?), ref: 6C8DAFE2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClientMessageScreenSendWindow
String ID:
API String ID: 2093367132-0
Opcode ID: 7cd882eab78a87b555ba6141c09443c9b1ccc80e3f59da0ef153cae070d28481
Instruction ID: f934dfbe9e570dfb1a86de8dd27d539ac2d6ea7ad10d6fc2457097c4c21f09c2
Opcode Fuzzy Hash: 7cd882eab78a87b555ba6141c09443c9b1ccc80e3f59da0ef153cae070d28481
Instruction Fuzzy Hash: 0E41A5B1601606ABDB315B79CF44FFA7AB5EB05309F324EA9A461D1DA0D731F600C762

Function 6C8D48D5 Relevance: 9.1, APIs: 6, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

SendMessageW.USER32(?,0000043D,00000000,00000000), ref: 6C8D497B
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C8D498C
SendMessageW.USER32(?,0000043C,00000001,00000000), ref: 6C8D49A0
SendMessageW.USER32(?,0000043C,00000000,00000000), ref: 6C8D49B1
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C8D49C0
InvalidateRect.USER32(?,00000000,00000001,00000000,?,00000000,?,?,?,?,?,6C8D365E,00000000,?,?,?), ref: 6C8D4A53

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: ae294176dfac5f96609709e606e42e2608a7bd5059e5c24df680af3ba2c4dc8a
Instruction ID: c23ce3198a138fb6cd3b4b72358f065a8c66d966c4858447b5f7cae5e0b25095
Opcode Fuzzy Hash: ae294176dfac5f96609709e606e42e2608a7bd5059e5c24df680af3ba2c4dc8a
Instruction Fuzzy Hash: 7141D171700219BBDF248F60CC55FEEBB76EF89714F048265FA09AB691DB70A841CB90

Function 6C904C87 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 6C904CAF
OffsetRect.USER32(?,?,?), ref: 6C904CD0
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 6C904CDD
IsWindowVisible.USER32(00000000), ref: 6C904CE6
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 6C904D59
RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 6C904D69

Part of subcall function 6C8C931F: ShowWindow.USER32(?,?,00000000,?,6C8CCF2F,00000000,?,?,?,?,?,?,?,6C8CCA7A,00000000,000000FF), ref: 6C8C9330

Part of subcall function 6C8C926E: SetWindowPos.USER32(?,?,?,CDD28759,6C8C962D,?,6C8C9CCC,00000000,?,6C8CCE6F,00000000,00000000,00000000,00000000,00000000,00000097), ref: 6C8C9296

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawShowVisible
String ID:
API String ID: 2359670889-0
Opcode ID: db64fa170b6bea76da2ef7ddc70ea166c94d2e1bbd989901da1de071055ed185
Instruction ID: 7f6edabaca55bc3c1fe85c65fb07a1976fab4ab4e1a5d42ee83a1bf78e9afea6
Opcode Fuzzy Hash: db64fa170b6bea76da2ef7ddc70ea166c94d2e1bbd989901da1de071055ed185
Instruction Fuzzy Hash: B5313EB261060ABFDB21DBA8CD95EBFB7BDFB48704F004618B556E2590D770AD40DB20

Function 6C902E3D Relevance: 9.1, APIs: 6, Instructions: 86timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6C902E5C
ReleaseCapture.USER32 ref: 6C902E6A
PtInRect.USER32(?,?,?), ref: 6C902EBF
InvalidateRect.USER32(?,?,00000001), ref: 6C902F29
SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C902F4D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 49aaefb93a6abcc2cb4282339ae7ed59deff579734894666c5c935348387d1c7
Instruction ID: 48a96dc18841f07c199b4dbb4577cb886acd0a33d485b09799dbc7810b61f249
Opcode Fuzzy Hash: 49aaefb93a6abcc2cb4282339ae7ed59deff579734894666c5c935348387d1c7
Instruction Fuzzy Hash: AE316171301A07EFDF194F60DC48AE9B779FF49395F00822AEA2DC6550D770A422DB51

Function 6C8C6A3E Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C8C6A5F
GetWindow.USER32(?,00000005), ref: 6C8C6A76
GetWindowRect.USER32(00000000,?), ref: 6C8C6A91

Part of subcall function 6C8D2981: ScreenToClient.USER32(?,?), ref: 6C8D2990
Part of subcall function 6C8D2981: ScreenToClient.USER32(?,?), ref: 6C8D299D

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6C8C6AB7
GetWindow.USER32(00000000,00000002), ref: 6C8C6AC0
ScrollWindow.USER32(?,?,?,?,?), ref: 6C8C6ADC

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: 36340b355fefc764394bb2ad891fa3fdb3de9d65b832ab2ed0c713746d832dc3
Instruction ID: 050dc3250559f5f4b4bdfdf064a0f8d3195350e1f0b13449fdbad917fae7dc83
Opcode Fuzzy Hash: 36340b355fefc764394bb2ad891fa3fdb3de9d65b832ab2ed0c713746d832dc3
Instruction Fuzzy Hash: 4B21AE7570060AABCB11CF65CD889BFBBBAFF89318B158629F905E7610EB30DD018B50

Function 6C8E6D1D Relevance: 9.1, APIs: 6, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8E6D26

Part of subcall function 6C8D1A91: __EH_prolog3.LIBCMT ref: 6C8D1A98
Part of subcall function 6C8D1A91: GetWindowDC.USER32(00000000,00000004,6C8EAE60,00000000), ref: 6C8D1AC4

GetClientRect.USER32(?,?), ref: 6C8E6D48
GetWindowRect.USER32(?,?), ref: 6C8E6D5C

Part of subcall function 6C8D2981: ScreenToClient.USER32(?,?), ref: 6C8D2990
Part of subcall function 6C8D2981: ScreenToClient.USER32(?,?), ref: 6C8D299D

OffsetRect.USER32(?,?,?), ref: 6C8E6D7D

Part of subcall function 6C8D258F: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C8D25C6
Part of subcall function 6C8D258F: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C8D25E3

OffsetRect.USER32(?,?,?), ref: 6C8E6D9F

Part of subcall function 6C8D26D4: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C8D270B
Part of subcall function 6C8D26D4: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C8D2728

SendMessageW.USER32(?,00000014,?,00000000), ref: 6C8E6DD7

Part of subcall function 6C8D1BEA: ReleaseDC.USER32(?,00000000), ref: 6C8D1C1E

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
String ID:
API String ID: 3860140383-0
Opcode ID: e8a941e698e591af8562dcf78cdf59f4108147184efdf9982eab6a8a4b8eb1a0
Instruction ID: 1baf737251195fb34123380280e20d51075ea99126be47bd3418fd3e7aedbfe2
Opcode Fuzzy Hash: e8a941e698e591af8562dcf78cdf59f4108147184efdf9982eab6a8a4b8eb1a0
Instruction Fuzzy Hash: 60312871A0021AAFCF19DBA4CC58DFDB779FF59204B144219E406E3650EB34AA49CB60

Function 6C8D3DCA Relevance: 9.1, APIs: 6, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8E6D26

Part of subcall function 6C8D1A91: __EH_prolog3.LIBCMT ref: 6C8D1A98
Part of subcall function 6C8D1A91: GetWindowDC.USER32(00000000,00000004,6C8EAE60,00000000), ref: 6C8D1AC4

GetClientRect.USER32(?,?), ref: 6C8E6D48
GetWindowRect.USER32(?,?), ref: 6C8E6D5C

Part of subcall function 6C8D2981: ScreenToClient.USER32(?,?), ref: 6C8D2990
Part of subcall function 6C8D2981: ScreenToClient.USER32(?,?), ref: 6C8D299D

OffsetRect.USER32(?,?,?), ref: 6C8E6D7D

Part of subcall function 6C8D258F: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C8D25C6
Part of subcall function 6C8D258F: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C8D25E3

OffsetRect.USER32(?,?,?), ref: 6C8E6D9F

Part of subcall function 6C8D26D4: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C8D270B
Part of subcall function 6C8D26D4: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C8D2728

SendMessageW.USER32(?,00000014,?,00000000), ref: 6C8E6DD7

Part of subcall function 6C8D1BEA: ReleaseDC.USER32(?,00000000), ref: 6C8D1C1E

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
String ID:
API String ID: 3860140383-0
Opcode ID: 974246eb3548d1fd1e6d736aac9f3a489f38da8ab66b2a9d9dba07add5989f11
Instruction ID: 81fb5bb16879703b26e73abe8ba149d258f6d52885ecace4c90af8b60312ee05
Opcode Fuzzy Hash: 974246eb3548d1fd1e6d736aac9f3a489f38da8ab66b2a9d9dba07add5989f11
Instruction Fuzzy Hash: AD312871A0021AAFCF19DBA4CD58DFDB379BF59305B144219E406E3650EB34AA49CB60

Function 6C94EB6C Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C94EC01
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C94EC17
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C94EC22
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C94EC2D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C94EC38
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C94EC43

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: 8d1cf76fb9b882272a2b9dd2fe89b2a17483e400ca35276547acff8bb4eb26e2
Instruction ID: fc77fa317f5a293070f24e3606d01f76cd6fa8752c778a119d576724e8c2b304
Opcode Fuzzy Hash: 8d1cf76fb9b882272a2b9dd2fe89b2a17483e400ca35276547acff8bb4eb26e2
Instruction Fuzzy Hash: 00216A32300941AFC71CDB68C8A0BEDF765FB65655F404A2EC41747B80DF20AA4ACBD5

Function 6CA04692 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CA044E1,6C9FF455,6C9FF718,?,6C9FF94E,?,00000001,?,?,00000001,?,6CA8CBE0,0000000C,6C9FFA47), ref: 6CA046A0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CA046AE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CA046C7
SetLastError.KERNEL32(00000000,6C9FF94E,?,00000001,?,?,00000001,?,6CA8CBE0,0000000C,6C9FFA47,?,00000001,?), ref: 6CA04719

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8b3077eab4cd62235f26d6750e7aaae0ad8554f8bac82728964c0b4404e7e988
Instruction ID: d706b41ef1fa9ec4dca8f264c2ac860f7e47663f916e13db66b9e640c7f088bf
Opcode Fuzzy Hash: 8b3077eab4cd62235f26d6750e7aaae0ad8554f8bac82728964c0b4404e7e988
Instruction Fuzzy Hash: 0C01453231E7125EA71809B9BC8968637E9FB133FEB240329E414459E0FF414CDAD654

Function 6C8CCF5A Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 6C8CCF63
GetWindow.USER32(00000000), ref: 6C8CCF6A
GetWindowLongW.USER32(00000000,000000F0), ref: 6C8CCF98
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C8CCA7A,00000000,000000FF), ref: 6C8CCFB3
ShowWindow.USER32(00000000,00000004,?,?,?,?,?,?,?,?,?,?,6C8CCA7A,00000000,000000FF), ref: 6C8CCFD4
GetWindow.USER32(00000000,00000002), ref: 6C8CCFE1

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 1970b19b149d8aa589898b8f788c88f27b2d7e3b65dabf19902b8f5c8a853681
Instruction ID: 1e8db86456e4eb1b6106e2ffb3304c1dd1d5ab56378aad057621c058ace76290
Opcode Fuzzy Hash: 1970b19b149d8aa589898b8f788c88f27b2d7e3b65dabf19902b8f5c8a853681
Instruction Fuzzy Hash: 0A114831359F1AA7D7326F218F09B8A3636AF42769F104B22FC14D5982DBB4C401C6E6

Function 6C8DC4D4 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6C8DC4ED
GetDlgCtrlID.USER32(00000000), ref: 6C8DC4F8
GetWindowLongW.USER32(00000000,000000F0), ref: 6C8DC508
GetWindowRect.USER32(00000000,?), ref: 6C8DC521
PtInRect.USER32(?,?,?), ref: 6C8DC531
GetWindow.USER32(?,00000005), ref: 6C8DC53E

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: ff428ad498171b4c9991ddd9728bd6ea997851eafdb87dc36a79a11b226a66db
Instruction ID: 0af8e031ce50b3d5923bf7c74eccbc9f8a5a29383969044bd7c0bdb48921feb8
Opcode Fuzzy Hash: ff428ad498171b4c9991ddd9728bd6ea997851eafdb87dc36a79a11b226a66db
Instruction Fuzzy Hash: B701C43161161AEBDF21EF689D18EEE77B9EF1A304F518711F805E6041DB34EA42CB90

Function 033BFF6D Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 033BFF95

Part of subcall function 033BFA76: __getptd.LIBCMT ref: 033BFA84
Part of subcall function 033BFA76: __getptd.LIBCMT ref: 033BFA92

__getptd.LIBCMT ref: 033BFF9F

Part of subcall function 033B381A: __getptd_noexit.LIBCMT ref: 033B381D
Part of subcall function 033B381A: __amsg_exit.LIBCMT ref: 033B382A

__getptd.LIBCMT ref: 033BFFAD
__getptd.LIBCMT ref: 033BFFBB
__getptd.LIBCMT ref: 033BFFC6
_CallCatchBlock2.LIBCMT ref: 033BFFEC

Part of subcall function 033BFB1B: __CallSettingFrame@12.LIBCMT ref: 033BFB67

Part of subcall function 033C0093: __getptd.LIBCMT ref: 033C00A2
Part of subcall function 033C0093: __getptd.LIBCMT ref: 033C00B0

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
Instruction ID: 7174f7025fdd4484b939be503131dad2da19dbc4d58e252b2d01a915ab3fb581
Opcode Fuzzy Hash: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
Instruction Fuzzy Hash: 9A11D2B9D00359DFDB00EFA4D884AEDBBB1FF08321F108469E914AB250DB389A159F51

Function 6C8DC25D Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6C8DC261

Part of subcall function 6C8DC5AB: GetWindowLongW.USER32(?,000000F0), ref: 6C8DC5C6
Part of subcall function 6C8DC5AB: GetClassNameW.USER32(?,?,0000000A), ref: 6C8DC5DB
Part of subcall function 6C8DC5AB: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C8DC5F2

GetParent.USER32(00000000), ref: 6C8DC282
GetWindowLongW.USER32(?,000000F0), ref: 6C8DC2A1
GetParent.USER32(?), ref: 6C8DC2AF
GetDesktopWindow.USER32 ref: 6C8DC2B7
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C8DC2CB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: d3c5cb677855d9fc6516e71688fbc7fb9d3649cb8c133fff30c418159a945247
Instruction ID: e1f304521c5b1cd10838a04741b929dfb2c1b98222266701fadc7b55ceeb7bac
Opcode Fuzzy Hash: d3c5cb677855d9fc6516e71688fbc7fb9d3649cb8c133fff30c418159a945247
Instruction Fuzzy Hash: 54F0DB3234271163DE3136656E59B6D37399B82B65F128618FC16F3981CB70F40247D0

Function 6C8F4405 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C8F440F

Part of subcall function 6C8C8E82: GetDlgCtrlID.USER32(?), ref: 6C8C8E8D

Strings

Buttons, xrefs: 6C8F4505
MFCToolBars, xrefs: 6C8F441F
%TsMFCToolBar-%d, xrefs: 6C8F4464
%TsMFCToolBar-%d%x, xrefs: 6C8F447C

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CtrlH_prolog3_catch
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars
API String ID: 3893142374-3577816979
Opcode ID: c7fdb50ad4b543e03cae0b358729e364ffcd4145787f1263d6e1529e88e4690a
Instruction ID: 3e440e9849a5408c2610130dffefea984887c4d47d4681ebaadbdf7935b9d7e0
Opcode Fuzzy Hash: c7fdb50ad4b543e03cae0b358729e364ffcd4145787f1263d6e1529e88e4690a
Instruction Fuzzy Hash: C4919E74A00209DFDF10DF94CA94AEDB7B6AF99314F14856AE815B7790CB30AD06CF61

Function 6C912BAE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C912BB8
CloseHandle.KERNEL32(?,?,?,00000080,6C972735,?,00000000,?,?,00000000,?,00000000), ref: 6C912BF3

Part of subcall function 6C8E1B60: __EH_prolog3.LIBCMT ref: 6C8E1B67

GetTempPathW.KERNEL32(00000104,00000000,00000104,?,?,00000080,6C972735,?,00000000,?,?,00000000,?,00000000), ref: 6C912C14
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,000000FF,?,?,00000000,?,00000000), ref: 6C912C69

Strings

AFX, xrefs: 6C912C3E

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CloseCreateFileH_prolog3H_prolog3_catchHandlePathTemp
String ID: AFX
API String ID: 775233504-1300893600
Opcode ID: c392774eeadbbe76dc413537e72c44d844e199975bcaf483bc274d8b3f7c2067
Instruction ID: c6a6e7ad4e7a73199261cb3674e8461ea87833346f609d8b5744296b450419d5
Opcode Fuzzy Hash: c392774eeadbbe76dc413537e72c44d844e199975bcaf483bc274d8b3f7c2067
Instruction Fuzzy Hash: A04192749001099FDB24DFA8CD94FEEB7B4AF56308F108968E416B77D0DB70AA09CB64

Function 6C8CCFF4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8CCFFE

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

swprintf.LIBCMT ref: 6C8CD053
swprintf.LIBCMT ref: 6C8CD0F7

Strings

- , xrefs: 6C8CD074, 6C8CD079, 6C8CD081, 6C8CD0B1, 6C8CD0B6, 6C8CD0BE
:%d, xrefs: 6C8CD048, 6C8CD0E9

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: swprintf$H_prolog3_LongWindow
String ID: - $:%d
API String ID: 524023746-2359489159
Opcode ID: c21e88c87c15d94e212c9b3050bbfb4908fd98c3b3a8d38210b2767ec188c899
Instruction ID: a7a8412a1eb5cf333d9acc6e941e8f2dd78f5e3ea2b55118278ea7aa3f447130
Opcode Fuzzy Hash: c21e88c87c15d94e212c9b3050bbfb4908fd98c3b3a8d38210b2767ec188c899
Instruction Fuzzy Hash: E1318471A00529AFD724ABB4CE45FEEB36CAF10318F401865A509A7E41DB34EE5E8B91

Function 6C8C292F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__snprintf_s.LIBCMT ref: 6C8C297B
__snprintf_s.LIBCMT ref: 6C8C29AF
GetClassInfoW.USER32(?,0000007C,?), ref: 6C8C29DF

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 6C8C29A5
Afx:%p:%x, xrefs: 6C8C296F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: __snprintf_s$ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 1341824228-2801496823
Opcode ID: 1285ed573edea6d4a086fc78fb85c4502e5bc9cbb35423d5b3a86e87e0fd5d5d
Instruction ID: 8a2fc499fcce1e95d50b71db840174ffb94e115cf7cc32fea332cc7343bdd319
Opcode Fuzzy Hash: 1285ed573edea6d4a086fc78fb85c4502e5bc9cbb35423d5b3a86e87e0fd5d5d
Instruction Fuzzy Hash: 1331AC70A00219EFCB21DFA9DA44BCEBBF8FF49348F015426E514A7750D7349A58DBA2

Function 6C94AAAE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C94AAB5

Part of subcall function 6C8C8E82: GetDlgCtrlID.USER32(?), ref: 6C8C8E8D

Strings

%TsBasePane-%d%x, xrefs: 6C94AB16
IsVisible, xrefs: 6C94AB6D
%TsBasePane-%d, xrefs: 6C94AAFF
BasePanes, xrefs: 6C94AAC2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CtrlH_prolog3
String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
API String ID: 3125906040-2169875744
Opcode ID: 2d95503a0e5298bbf9063f7969ed3eae6dbee3a56cb18a3f32c1c2537aa8eeaa
Instruction ID: 785e648fc1aa542290c24e15f4ff578d0e290d4ca72849d5ec7ae56734720bd7
Opcode Fuzzy Hash: 2d95503a0e5298bbf9063f7969ed3eae6dbee3a56cb18a3f32c1c2537aa8eeaa
Instruction Fuzzy Hash: D131E635A002199FCF10DFA8CC449FEB776BF99314F048A69E812A7791DB309D05CBA1

Function 6C94A328 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C94A32F

Part of subcall function 6C8C8E82: GetDlgCtrlID.USER32(?), ref: 6C8C8E8D

Strings

%TsBasePane-%d%x, xrefs: 6C94A393
IsVisible, xrefs: 6C94A3E2
%TsBasePane-%d, xrefs: 6C94A37C
BasePanes, xrefs: 6C94A33F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CtrlH_prolog3
String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
API String ID: 3125906040-2169875744
Opcode ID: 97b1e1b9981b5d725508f18388df45f8a79d4009194cb6bdde9b6f3b4c6287c2
Instruction ID: 95cad77bb862446e645179fa3afca50d2ccc1ab8f1101cd43c6562092a1a810c
Opcode Fuzzy Hash: 97b1e1b9981b5d725508f18388df45f8a79d4009194cb6bdde9b6f3b4c6287c2
Instruction Fuzzy Hash: 3131C075A0010A9FCF10DFA8C8849EEB7B5BF59318F148669E915B7781DB309E05CBA1

Function 6C8DA668 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Edit, xrefs: 6C8DA6BF

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: a9608f0a933b163f2f09753ba967c5b0247e22d27d838deac7c9a5c013f12fb0
Instruction ID: 7aa8fa3b0d2a38951f76ddabcec1e344a5a9125511db87ec988cf46cf99baded
Opcode Fuzzy Hash: a9608f0a933b163f2f09753ba967c5b0247e22d27d838deac7c9a5c013f12fb0
Instruction Fuzzy Hash: B711C231311302EBEA341A25DE48FE676B9AF46369F314D39F595E18A0DB71F801C754

Function 6C8EE49A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,?,?,00000000,00000000,?,?,6C8EE1FC,CDD28759), ref: 6C8EE4AD
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C8EE4BD
CreateFileW.KERNEL32(?,?,CDD28759,6C8EE1FC,?,?,00000000,?,00000000,?,?,00000000,00000000,?,?,6C8EE1FC), ref: 6C8EE506

Strings

CreateFileTransactedW, xrefs: 6C8EE4B7
kernel32.dll, xrefs: 6C8EE4A8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: cc22c5a087fb24f1917be11c192bb502a7e5c5a9113c81ba3812b05b1e973006
Instruction ID: 0edac507c845cfe82ef8035218e792bfe8f5424903fe12a06d074eba209bddfe
Opcode Fuzzy Hash: cc22c5a087fb24f1917be11c192bb502a7e5c5a9113c81ba3812b05b1e973006
Instruction Fuzzy Hash: CB01003210150EFFDF225E94DD48CAB3B7BFF4A355B208529FA5595420D732C861EBA0

Function 6C8DE34F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8DE356
GetClassNameW.USER32(?,00000000,00000400), ref: 6C8DE387
GetWindowLongW.USER32(?,000000F0), ref: 6C8DE3C0

Strings

ComboBoxEx32, xrefs: 6C8DE3AB
ComboBox, xrefs: 6C8DE39A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClassH_prolog3LongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 297531199-1907415764
Opcode ID: 962f935e290ff6b11365362448557020cfcb67d086c2cd9983199d7a3da2d9e0
Instruction ID: 46015817b34c2960eb389ef55a38a4b25bdc25814799785235ff892d9fe1e09c
Opcode Fuzzy Hash: 962f935e290ff6b11365362448557020cfcb67d086c2cd9983199d7a3da2d9e0
Instruction Fuzzy Hash: D701A135804112ABDB24D758CE04BFDB374BF21368F140A28E521A2BD0DF70E419CB95

Function 6C944950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C944972
LoadResource.KERNEL32(00000000,00000000,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C944980
LockResource.KERNEL32(00000000,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C94498B
SizeofResource.KERNEL32(00000000,00000000,?,6CA4DEF0,?,6C945767,?,?,?,00000038,6C944425), ref: 6C944999

Strings

PNG, xrefs: 6C944969

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: PNG
API String ID: 3473537107-364855578
Opcode ID: f447d32dda5bd68ab00c0e17608407d82fe553847e42d8efb60c92d65714d6a5
Instruction ID: cd2bac710946f692826bf396c412cd88c39c0da2cf657406c4912eceb5b7fe33
Opcode Fuzzy Hash: f447d32dda5bd68ab00c0e17608407d82fe553847e42d8efb60c92d65714d6a5
Instruction Fuzzy Hash: DCF0C23A601611BF9B115FA5DD58C9F37BDDF86A54314C614B905F3200DB70D9019B79

Function 6C8DEB39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C8DEB72

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C8DEB5B
EncodePointer.KERNEL32(00000000), ref: 6C8DEB64

Strings

DwmDefWindowProc, xrefs: 6C8DEB55
dwmapi.dll, xrefs: 6C8DEB46

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmDefWindowProc$dwmapi.dll
API String ID: 1102202064-234806475
Opcode ID: f48598a895f0bf0ce36737119f0617e95b4438c4b20f8fe1446f35baf6acba14
Instruction ID: 108d43f99da53b4566062bf6029741b602579c99eb479e5f71055aea5db4b030
Opcode Fuzzy Hash: f48598a895f0bf0ce36737119f0617e95b4438c4b20f8fe1446f35baf6acba14
Instruction Fuzzy Hash: 60F0C239601717BF8F211FB4ED0485A7F79AF0A2647008921FC0AE2600DB30E8128BE1

Function 6C8DEC59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C8DEC92

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C8DEC7B
EncodePointer.KERNEL32(00000000), ref: 6C8DEC84

Strings

DwmSetIconicLivePreviewBitmap, xrefs: 6C8DEC75
dwmapi.dll, xrefs: 6C8DEC66

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
API String ID: 1102202064-1757063745
Opcode ID: 6040d01226d1be37c0dd3d74009ee0f0b0dae5374c620e2b14b10998ed545ff3
Instruction ID: d694203ab1bd87feb48a0ba7f68d94f833c4eb285b3f667c29fc67cf9655bc73
Opcode Fuzzy Hash: 6040d01226d1be37c0dd3d74009ee0f0b0dae5374c620e2b14b10998ed545ff3
Instruction Fuzzy Hash: 89F02475A1171BEF8F351FA4FE0885A7BB9BF092557028921FC09E7600CB30D8028BE0

Function 6C8DED20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C8DED59

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C8DED42
EncodePointer.KERNEL32(00000000), ref: 6C8DED4B

Strings

DwmSetWindowAttribute, xrefs: 6C8DED3C
dwmapi.dll, xrefs: 6C8DED2D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetWindowAttribute$dwmapi.dll
API String ID: 1102202064-3105884578
Opcode ID: 9b878dd878865ce2b7fb203ad2980a0473fc5a15082261641f3c10b1efd5a160
Instruction ID: 5ab559e7c39509299de303d14ee67a9bee3a867bf9abb99dbb1fb9e4ab2d5c4d
Opcode Fuzzy Hash: 9b878dd878865ce2b7fb203ad2980a0473fc5a15082261641f3c10b1efd5a160
Instruction Fuzzy Hash: FFF0BB7564171BAF8F351FB9ED088697B79AF062567018921FD05D7610DF30D812CBE1

Function 6C8DECBE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C8DECF7

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C8DECE0
EncodePointer.KERNEL32(00000000), ref: 6C8DECE9

Strings

DwmSetIconicThumbnail, xrefs: 6C8DECDA
dwmapi.dll, xrefs: 6C8DECCB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetIconicThumbnail$dwmapi.dll
API String ID: 1102202064-2331651847
Opcode ID: 40eaf68a0efc7f48a3bc0578340170de8663b76f9e41989ac9ab0b22c0bef987
Instruction ID: b2ef30ee539e0346c2b2141b793d212dcdb4c6e062080c149c019c0e52baa217
Opcode Fuzzy Hash: 40eaf68a0efc7f48a3bc0578340170de8663b76f9e41989ac9ab0b22c0bef987
Instruction Fuzzy Hash: 46F0E979642717AF8F341FA8ED0885A7B79AF05352711C922FD04D7600DF30D8428BE4

Function 6C8DEBFA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C8DEC33

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C8DEC1C
EncodePointer.KERNEL32(00000000), ref: 6C8DEC25

Strings

DwmIsCompositionEnabled, xrefs: 6C8DEC16
dwmapi.dll, xrefs: 6C8DEC07

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmIsCompositionEnabled$dwmapi.dll
API String ID: 1102202064-1198327662
Opcode ID: 389949027e9307ae4fd6712ef3446565f1c53d64fcd2da44c441933e53e60253
Instruction ID: 7b5372a5b70012d265c199a10454a3270fff3ba2dec6e24f37e7ac805efe9ed9
Opcode Fuzzy Hash: 389949027e9307ae4fd6712ef3446565f1c53d64fcd2da44c441933e53e60253
Instruction Fuzzy Hash: 06F0B43561171B9FCB251BB4FF1456D77B9AF06255B03C922EC04D7A00DF20E80247E5

Function 6C8DEB9E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C8DEBD7

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C8DEBC0
EncodePointer.KERNEL32(00000000), ref: 6C8DEBC9

Strings

DwmInvalidateIconicBitmaps, xrefs: 6C8DEBBA
dwmapi.dll, xrefs: 6C8DEBAB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 1102202064-1901905683
Opcode ID: b3f2b234571347b4ee0ab46fd0c0875e3769b8b7f7ae53763865d77f78e3c54e
Instruction ID: 99af8a2b0741488b41f9b68a41fe4f90ab48299a740fa7203ad2bd4f1cf58a3a
Opcode Fuzzy Hash: b3f2b234571347b4ee0ab46fd0c0875e3769b8b7f7ae53763865d77f78e3c54e
Instruction Fuzzy Hash: 7BF08235641B27AB8B341AA9AD1885977B8AF06255301CD21EC06E7A40DF21EC028BE5

Function 6C8E8BCB Relevance: 7.9, APIs: 5, Instructions: 385COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E8A74: PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C8E8AAE
Part of subcall function 6C8E8A74: SetRectEmpty.USER32(?), ref: 6C8E8AD6
Part of subcall function 6C8E8A74: GetDesktopWindow.USER32 ref: 6C8E8AEE
Part of subcall function 6C8E8A74: LockWindowUpdate.USER32(?,00000000), ref: 6C8E8AFF
Part of subcall function 6C8E8A74: GetDCEx.USER32(?,00000000,00000003), ref: 6C8E8B16

Part of subcall function 6C8D264C: GetLayout.GDI32(?,6C8E8BFC), ref: 6C8D264F

GetWindowRect.USER32(?,?), ref: 6C8E8C2D

Part of subcall function 6C8D2BC8: SetLayout.GDI32(?,?), ref: 6C8D2BD1

Part of subcall function 6C8E7ECA: AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 6C8E7EDA

InflateRect.USER32(?,00000002,00000002), ref: 6C8E8F4B
InflateRect.USER32(00000000,00000002,00000002), ref: 6C8E8F62

Part of subcall function 6C8E957E: OffsetRect.USER32(?,00000000,00000000), ref: 6C8E95B7

Part of subcall function 6C8E8B2D: OffsetRect.USER32(?,?,?), ref: 6C8E8B47
Part of subcall function 6C8E8B2D: OffsetRect.USER32(?,?,?), ref: 6C8E8B53
Part of subcall function 6C8E8B2D: OffsetRect.USER32(?,?,?), ref: 6C8E8B5F
Part of subcall function 6C8E8B2D: OffsetRect.USER32(?,?,?), ref: 6C8E8B6B

Part of subcall function 6C8E93F6: GetCapture.USER32 ref: 6C8E9400
Part of subcall function 6C8E93F6: SetCapture.USER32(?), ref: 6C8E9414
Part of subcall function 6C8E93F6: GetCapture.USER32 ref: 6C8E9420
Part of subcall function 6C8E93F6: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C8E943E
Part of subcall function 6C8E93F6: DispatchMessageW.USER32(?), ref: 6C8E947A
Part of subcall function 6C8E93F6: GetCapture.USER32 ref: 6C8E94D8

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Offset$CaptureWindow$Message$InflateLayout$AdjustDesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 2444846054-0
Opcode ID: 4ead5bf95408f499d2511f758b4bd27ee505a14c1e89194ccd49611b0b99d171
Instruction ID: fff71d613e349cc8db9f10344d6e75e5a4a80ef03b1600a675f8e2789c124799
Opcode Fuzzy Hash: 4ead5bf95408f499d2511f758b4bd27ee505a14c1e89194ccd49611b0b99d171
Instruction Fuzzy Hash: 12E13875E006199FCF15CF98C940AEEBBB2BF4A310F15811AF915BB350DB71A942CB94

Function 6C8F2CCA Relevance: 7.9, APIs: 5, Instructions: 357COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C8F2CEC
SetRectEmpty.USER32(?), ref: 6C8F2D77
SetRectEmpty.USER32(?), ref: 6C8F2F97
GetClientRect.USER32(?,?), ref: 6C8F2FF4
GetClientRect.USER32(?,?), ref: 6C8F300A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: 6021fc21370e4b30d1141d41d889e2064dfc1bb7140f3a8b385f7ad1ada073f0
Instruction ID: 1d9342c99d694de8ce8d4db2d26896512643036df0940faf7d504f26c5420502
Opcode Fuzzy Hash: 6021fc21370e4b30d1141d41d889e2064dfc1bb7140f3a8b385f7ad1ada073f0
Instruction Fuzzy Hash: C4D18D31A00A19CFDF25CFA8CA846DEB7F2FF49354F244529E825BB640D775A942CB60

Function 6C8FC839 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8FC840
IsWindow.USER32(00000000), ref: 6C8FC854
GetClientRect.USER32(00000000,00000000), ref: 6C8FC8A9
GetCursorPos.USER32(?), ref: 6C8FCA72
ScreenToClient.USER32(00000000,?), ref: 6C8FCA7F

Part of subcall function 6C8F0801: __EH_prolog3_GS.LIBCMT ref: 6C8F080B
Part of subcall function 6C8F0801: GetClientRect.USER32(00000000,00000000), ref: 6C8F0865

Part of subcall function 6C8FBEAB: __EH_prolog3_GS.LIBCMT ref: 6C8FBEB5
Part of subcall function 6C8FBEAB: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C8FBEE0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
String ID:
API String ID: 3214297127-0
Opcode ID: 7c7f4332ddfda14b2a5c9ac868b43a58c397080ce64317d3fa22a27177ef8ed8
Instruction ID: 0306e349f54a6d58cb3a7a3f0c1e4eb7c7f52343c5ec0b414ef01df2954e3e2e
Opcode Fuzzy Hash: 7c7f4332ddfda14b2a5c9ac868b43a58c397080ce64317d3fa22a27177ef8ed8
Instruction Fuzzy Hash: 5E818071E00619CFCF24DFA8C980ADCBBB5BF48348F14457AD815AB755DB34A94ACB60

Function 6C8D9D2F Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C8D9D36
GlobalLock.KERNEL32(00000000), ref: 6C8D9E38
DestroyWindow.USER32(?,?,?,00000000,6C8D9B30,00000000), ref: 6C8D9F21
GlobalUnlock.KERNEL32(00000000), ref: 6C8D9F2E
GlobalFree.KERNEL32(00000000), ref: 6C8D9F35

Part of subcall function 6C8EF46E: GetStockObject.GDI32(00000011), ref: 6C8EF490
Part of subcall function 6C8EF46E: GetStockObject.GDI32(0000000D), ref: 6C8EF49C
Part of subcall function 6C8EF46E: GetObjectW.GDI32(00000000,0000005C,?), ref: 6C8EF4AD
Part of subcall function 6C8EF46E: GetDC.USER32(00000000), ref: 6C8EF4BC
Part of subcall function 6C8EF46E: GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C8EF4D3
Part of subcall function 6C8EF46E: MulDiv.KERNEL32(?,00000048,00000000), ref: 6C8EF4DF
Part of subcall function 6C8EF46E: ReleaseDC.USER32(00000000,00000000), ref: 6C8EF4EB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: GlobalObject$Stock$CapsDestroyDeviceFreeH_prolog3_catchLockReleaseUnlockWindow
String ID:
API String ID: 2997204342-0
Opcode ID: 8f089662d04800fd98362231d6c3e5dc469c6cb2c1e957d9a778e5eee1523b7c
Instruction ID: 792ae3fd2c8dd75c6346c00a494e2c909f2ce514261ecc1d6bf37139b1cfd252
Opcode Fuzzy Hash: 8f089662d04800fd98362231d6c3e5dc469c6cb2c1e957d9a778e5eee1523b7c
Instruction Fuzzy Hash: D351A130A0121ADFCF15CFA8CA94AEEB7B4BF09315F114969E811E7790DB74AA05CB91

Function 6C90029F Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C9002C7

Part of subcall function 6C8D23E0: ClientToScreen.USER32(?,?), ref: 6C8D23EF
Part of subcall function 6C8D23E0: ClientToScreen.USER32(?,?), ref: 6C8D23FC

PtInRect.USER32(?,00000000,?), ref: 6C9002E1
PtInRect.USER32(?,?,?), ref: 6C90035A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 3c8eab5d84d7107673c0e2785a8034aabec80896da9c66746d8adc8352ae607d
Instruction ID: 2991e6be7b8df9873045e7d6721144d524afec4351f3efec846c22d69c294434
Opcode Fuzzy Hash: 3c8eab5d84d7107673c0e2785a8034aabec80896da9c66746d8adc8352ae607d
Instruction Fuzzy Hash: AD412832B0064AAFCF11CFA8C98499EB7B9BF09344F10556DE909EBA54D730EA45CB60

Function 6C8E81A7 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

GetWindowRect.USER32(?,?), ref: 6C8E81D4
GetSystemMetrics.USER32(00000021), ref: 6C8E81DC
GetSystemMetrics.USER32(00000020), ref: 6C8E81E6
GetKeyState.USER32(00000002), ref: 6C8E820A
InflateRect.USER32(?,?,00000000), ref: 6C8E8243

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 20f61b14058dbf705de17e152f81730e7ef8fa7d433fa174d69fc5877af69a92
Instruction ID: 432d546833ed8ef383b886adc2f13ddfbaa0ed8385ab773c0a24885e1a31ace4
Opcode Fuzzy Hash: 20f61b14058dbf705de17e152f81730e7ef8fa7d433fa174d69fc5877af69a92
Instruction Fuzzy Hash: 4931E632B40A0A9BDB209EBCC959BBE77B5FF4E744F208A1AE911EB581D630C940C750

Function 6C8C0161 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

Part of subcall function 6C8C0735: GetParent.USER32(?), ref: 6C8C0738
Part of subcall function 6C8C0735: GetParent.USER32(00000000), ref: 6C8C073F

SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C8C01D5
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C8C01FE
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C8C021D
SendMessageW.USER32(?,00000222,?,00000000), ref: 6C8C0237
SendMessageW.USER32(?,00000222,00000000,?), ref: 6C8C0260

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: c1497f2715baa31dcecd10bdb4e6d606b99f4e15425b77fbd188f93cfddaa00f
Instruction ID: 60e6c58e102c57fd58f59bd0b868c48379e10f28503484c763c921899126a3d2
Opcode Fuzzy Hash: c1497f2715baa31dcecd10bdb4e6d606b99f4e15425b77fbd188f93cfddaa00f
Instruction Fuzzy Hash: 5221B1F1700A48BFEB365B65CD88FAEB67EFB08398F004A29E04691591D771ED508652

Function 6C8FEEF7 Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C8FEF40
GetClientRect.USER32(?,?), ref: 6C8FEF6C
PtInRect.USER32(?,?,?), ref: 6C8FEF84
MapWindowPoints.USER32(?,?,?,00000001), ref: 6C8FEFAD
SendMessageW.USER32(?,00000200,?,?), ref: 6C8FEFCC

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$ClientCursorMessagePointsSendWindow
String ID:
API String ID: 1257894355-0
Opcode ID: 0c35b75c1fac509574f011c52ce8492d39302e1dc86916dae7f53fa87e28986e
Instruction ID: 3b6f7f78cd3badc27a32f6918ca5191d318f58f1aec41c99f2a2b69d79af744a
Opcode Fuzzy Hash: 0c35b75c1fac509574f011c52ce8492d39302e1dc86916dae7f53fa87e28986e
Instruction Fuzzy Hash: 8B31937160030AEFDF248F64CD549AEBBB6FF04354B10862EF82993550D730E961CB90

Function 6C8C6F6D Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8C6F77
GetTopWindow.USER32(?), ref: 6C8C6FA4
GetDlgCtrlID.USER32(00000000), ref: 6C8C6FB6
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C8C7011
GetWindow.USER32(00000000,00000002), ref: 6C8C7053

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 991f9591b8c1005eed6ba2d8600692c19d2bdd9b456dad83a1f8dad28d2ddda8
Instruction ID: a7b5c39e45540fa2770481e23d86c68611d08c94eaa6343f1cb1c9d3a0bd0071
Opcode Fuzzy Hash: 991f9591b8c1005eed6ba2d8600692c19d2bdd9b456dad83a1f8dad28d2ddda8
Instruction Fuzzy Hash: 95210271B11218AADF309B25CE40FEE77B6AF51308F100669F815E2A80EB30CA05CB52

Function 6C8F8053 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8FADCA: __EH_prolog3_GS.LIBCMT ref: 6C8FADD1
Part of subcall function 6C8FADCA: GetWindowRect.USER32(00000000,00000000), ref: 6C8FAE1A
Part of subcall function 6C8FADCA: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C8FAE44
Part of subcall function 6C8FADCA: SetWindowRgn.USER32(00000000,?,00000000), ref: 6C8FAE5A

GetSystemMenu.USER32(?,00000000), ref: 6C8F80DD
DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6C8F80FA
DeleteMenu.USER32(?,0000F020,00000000), ref: 6C8F8109
DeleteMenu.USER32(?,0000F030,00000000), ref: 6C8F8118
EnableMenuItem.USER32(?,0000F060,00000001), ref: 6C8F8140

Part of subcall function 6C8F4EAB: SetRectEmpty.USER32(?), ref: 6C8F4ED6
Part of subcall function 6C8F4EAB: ReleaseCapture.USER32 ref: 6C8F4EDC
Part of subcall function 6C8F4EAB: SetCapture.USER32(?), ref: 6C8F4EEF
Part of subcall function 6C8F4EAB: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C8F4FEF

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
String ID:
API String ID: 4022425685-0
Opcode ID: 46d2b5ff41373819382d896e2f1b6309b03148deda46ef2d9ae7e8690b60b3e8
Instruction ID: ff138f71e995381a28696fd94f4132c5d48c9a0484721a106da9880487ed176b
Opcode Fuzzy Hash: 46d2b5ff41373819382d896e2f1b6309b03148deda46ef2d9ae7e8690b60b3e8
Instruction Fuzzy Hash: FE21D331301212EFDF351F628D98DAD7B76EF8A399B048536F919D6651CB309812CA60

Function 6C8D05FA Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6B3
Part of subcall function 6C8DF682: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6C9
Part of subcall function 6C8DF682: LeaveCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6D7
Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DF6E4

SetCursor.USER32(00000009), ref: 6C8D0644
LoadCursorW.USER32(?,00007905), ref: 6C8D0689
LoadCursorW.USER32(00000000,00007F85), ref: 6C8D069F
SetCursor.USER32(00000000,?,00000009), ref: 6C8D06B8
DestroyCursor.USER32(00000000), ref: 6C8D06C3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
String ID:
API String ID: 900973665-0
Opcode ID: bf6f41281bdedbab8c8d6d3425b8d7bc0734ae88b7b87914def7d680555e43a5
Instruction ID: 28fb8436d5f85da7bc48dfde2e71756769fc95572b63d629146f738fc93125d1
Opcode Fuzzy Hash: bf6f41281bdedbab8c8d6d3425b8d7bc0734ae88b7b87914def7d680555e43a5
Instruction Fuzzy Hash: F5119671B053868FDF345F69EA48A9A3675D792314F124D32F208DBA51CB34FC418B91

Function 6C8D8EB7 Relevance: 7.6, APIs: 5, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C8D8EDB
RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6C8D8EFB
RegCloseKey.ADVAPI32(00000000), ref: 6C8D8F2C

Part of subcall function 6C8D8733: RegCloseKey.ADVAPI32(00000000), ref: 6C8D87D8
Part of subcall function 6C8D8733: RegCloseKey.ADVAPI32(00000000), ref: 6C8D87E7

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C8D8F23
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C8D8F47

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Close$DeleteValue$PrivateProfileStringWrite
String ID:
API String ID: 222425065-0
Opcode ID: 232453259596f1b4c8bd11160c5a64a3240c35ddee707b12cc3a2eb14d75cd5c
Instruction ID: b1fd3337c6ebba42c09a6192f8bab2b5b2450fac6ce9bcdeb5344b079ef276a9
Opcode Fuzzy Hash: 232453259596f1b4c8bd11160c5a64a3240c35ddee707b12cc3a2eb14d75cd5c
Instruction Fuzzy Hash: B1112332105B16BFCB321B649D04F9F3B3AEF46794B025922F814DA500DB30E80287E0

Function 6C8FCFCC Relevance: 7.6, APIs: 5, Instructions: 65windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00004212,00000001), ref: 6C8FCFFE
EnableMenuItem.USER32(?,00004213,00000000), ref: 6C8FD00F
EnableMenuItem.USER32(?,00004214,00000000), ref: 6C8FD03E
CheckMenuItem.USER32(?,00004213,00000008), ref: 6C8FD064
CheckMenuItem.USER32(?,00004214,00000000), ref: 6C8FD070

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 37d3d94e0bce709639dd757679f2e3125d011178660dc69ccb3007f149e2aaf4
Instruction ID: 77ad378477cf76f12f018784059ff0b2c6dc2e4a34645600fbc678582b76be17
Opcode Fuzzy Hash: 37d3d94e0bce709639dd757679f2e3125d011178660dc69ccb3007f149e2aaf4
Instruction Fuzzy Hash: FE11E671340706FFEB345F20DE85E52B7BAFF55785F408925B21AD68A0C770AC12CA60

Function 6C8FADCA Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8FADD1
GetWindowRect.USER32(00000000,00000000), ref: 6C8FAE1A
CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C8FAE44
SetWindowRgn.USER32(00000000,?,00000000), ref: 6C8FAE5A
SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C8FAE72

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_Round
String ID:
API String ID: 2502471913-0
Opcode ID: 0f76cbb19546ab3542603ee446e2bad9bfc7430bf8362e37b6236638e4ddb5ec
Instruction ID: 1fb7e43c222eb776f3e6b7500901f311214955776bcc687f88adbb7918e46d27
Opcode Fuzzy Hash: 0f76cbb19546ab3542603ee446e2bad9bfc7430bf8362e37b6236638e4ddb5ec
Instruction Fuzzy Hash: 9611B171A0060A9FDF18CFA4CD849EDBB79FF19318F104629E525B3A50DB30AC82CB60

Function 6C8D44E4 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C8D44ED
SendMessageW.USER32(?,00000420,00000000,?), ref: 6C8D4511
SendMessageW.USER32(?,0000041F,00000000,?), ref: 6C8D452E
SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 6C8D454A
InvalidateRect.USER32(?,00000000,00000001,?,6C8D3CA2,?,?,?,?,00000000,?,?,?,?,?), ref: 6C8D4568

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 916f3cc4b83026291a5cd4b75c9ae8a9ade10ac6a4ea4489720f41942b43e356
Instruction ID: 5e2a725843e1fbd24b8c7e1e49ba1f596d34c4bb0e837c398c7c5690d59c9d56
Opcode Fuzzy Hash: 916f3cc4b83026291a5cd4b75c9ae8a9ade10ac6a4ea4489720f41942b43e356
Instruction Fuzzy Hash: EE116371210745AFEB248F25DC08ABB7BF5FB89701F00C92EF99B96250D770A851DB20

Function 6CA00D50 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA00D57
std::_Lockit::_Lockit.LIBCPMT ref: 6CA00D62
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA00DD0

Part of subcall function 6CA00EB4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA00ECC

std::locale::_Setgloballocale.LIBCPMT ref: 6CA00D7D
_Yarn.LIBCPMT ref: 6CA00D93

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 136ed602277be8ace7d4391aca0b8089dad4c1e921df919497f02f300b7be707
Instruction ID: af264d9cf2911cc78766fa78b0d1dce4118643bbb39ff5f9a26bf4609a573bb7
Opcode Fuzzy Hash: 136ed602277be8ace7d4391aca0b8089dad4c1e921df919497f02f300b7be707
Instruction Fuzzy Hash: F701F775B016568FCB09DF60D9509BD7772BF8529CB14800AD81157F80CF34AE8ACBD1

Function 033B49C5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 033B49D1

Part of subcall function 033B381A: __getptd_noexit.LIBCMT ref: 033B381D
Part of subcall function 033B381A: __amsg_exit.LIBCMT ref: 033B382A

__getptd.LIBCMT ref: 033B49E8
__amsg_exit.LIBCMT ref: 033B49F6
__lock.LIBCMT ref: 033B4A06
__updatetlocinfoEx_nolock.LIBCMT ref: 033B4A1A

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
Instruction ID: f910126970c18a7410bfc378b914c0afc4974a3cf8b2b9130c44d4c1182c8c81
Opcode Fuzzy Hash: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
Instruction Fuzzy Hash: C9F0F03AE44720CAE620FBA988827CA33B0AF00620F148208D704AFAD2DB2419018A4E

Function 6C8EA57A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8EA581
LoadCursorW.USER32(00000000,00007F00), ref: 6C8EA5A5
GetClassInfoW.USER32(?,?,?), ref: 6C8EA5E0

Part of subcall function 6C8C2890: __EH_prolog3_catch.LIBCMT ref: 6C8C2897
Part of subcall function 6C8C2890: GetClassInfoW.USER32(?,?,00000030), ref: 6C8C28A9

Strings

%Ts:%x:%x:%x:%x, xrefs: 6C8EA5CB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
String ID: %Ts:%x:%x:%x:%x
API String ID: 937286869-4057404147
Opcode ID: 671ed5551e6e1f25a9348b15fb109726c74db8070445e5543797f5af1e4f72f4
Instruction ID: 2a10c758569bb7f32ea2686b524f5fbf2356e74e34cde727565c39a906c8a199
Opcode Fuzzy Hash: 671ed5551e6e1f25a9348b15fb109726c74db8070445e5543797f5af1e4f72f4
Instruction Fuzzy Hash: BE71A875D00219AFDB20DFA9DE809DEBBF5FF5A704F10452AD804B7710DB709A458B90

Function 6C8F41BA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C8F41C1

Strings

MFCToolBars, xrefs: 6C8F41CC
%TsMFCToolBarParameters, xrefs: 6C8F41F4
LargeIcons, xrefs: 6C8F4239

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: H_prolog3
String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
API String ID: 431132790-953485693
Opcode ID: 90ca8b485f0dd0c4c2f0efaf3e2c4e27fb4099ab6972c99edc477ed0b117f46e
Instruction ID: d60884430274777037176e37e38a15b1b23c15eb8f39bf1c246ae10bf3581d5f
Opcode Fuzzy Hash: 90ca8b485f0dd0c4c2f0efaf3e2c4e27fb4099ab6972c99edc477ed0b117f46e
Instruction Fuzzy Hash: 58216D74A0021A9FCF14DFA8C9909EEB772BF98304F144969D416BB781DB74990ACBA1

Function 6C8DC432 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8BC0: LoadLibraryW.KERNEL32(?,6CA7F518,00000010,6C8C34BC,?,?,?,00000000), ref: 6C8C8C01

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6C8DC471
FreeLibrary.KERNEL32(00000000,?,?,00001000,?,?,?), ref: 6C8DC4BD

Part of subcall function 6C8DC41B: GetLastError.KERNEL32(00000000,00000000,0000F000), ref: 6C8DC41B

Strings

DllGetVersion, xrefs: 6C8DC46B
comctl32.dll, xrefs: 6C8DC44A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: DllGetVersion$comctl32.dll
API String ID: 2540614322-3857068685
Opcode ID: e4a3b7f67fb6663c1a738e4431aca441c5a96f1b5f8a16f6b3889f30b3b1407d
Instruction ID: 0a7de2e2b5dd38879fe98038d273d4a8431c73f1797d89ac59b33f9482c9f520
Opcode Fuzzy Hash: e4a3b7f67fb6663c1a738e4431aca441c5a96f1b5f8a16f6b3889f30b3b1407d
Instruction Fuzzy Hash: 1C112775A0060A9BCB20EFA8CD44BEFBBF6AF85316F118425E90497301DB34D905CBA4

Function 6C8E6E33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C8E6E5E
IsAppThemed.UXTHEME ref: 6C8E6EB8
OpenThemeData.UXTHEME(?,REBAR), ref: 6C8E6ECA

Strings

REBAR, xrefs: 6C8E6EC2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DataOpenParentThemeThemed
String ID: REBAR
API String ID: 2040651904-925029515
Opcode ID: 1bc7a1dc10edf3a9087f139e958dc487e5431a5e6bf8e6299809e1081851eb73
Instruction ID: 64ea4aeb09497c9f7b559c77f50d94252664ffae2a0b1f241d72e4afbce3d7e3
Opcode Fuzzy Hash: 1bc7a1dc10edf3a9087f139e958dc487e5431a5e6bf8e6299809e1081851eb73
Instruction Fuzzy Hash: E8010431700717ABDB284B74CE647AE7766BF8A218F204E39E909C2BD0DB30D806C791

Function 6C8C27BD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6B3
Part of subcall function 6C8DF682: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6C9
Part of subcall function 6C8DF682: LeaveCriticalSection.KERNEL32(6CA98B60,?,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498), ref: 6C8DF6D7
Part of subcall function 6C8DF682: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C8DCDB6,00000010,00000008,6C8DB7A1,6C8DB7E4,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DF6E4

Part of subcall function 6C8DCD9C: __EH_prolog3_catch.LIBCMT ref: 6C8DCDA3

Part of subcall function 6C8C33F4: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C8C341A
Part of subcall function 6C8C33F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C8C342A
Part of subcall function 6C8C33F4: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C8C3433

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C8C27FF
FreeLibrary.KERNEL32(?,?,6C8C3ABF,?,?,?,6C8D9E54), ref: 6C8C280F

Strings

HtmlHelpW, xrefs: 6C8C27F9
hhctrl.ocx, xrefs: 6C8C27E3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 849444252-3773518134
Opcode ID: c967f9369f0fc9a2a78f4b21e2df5ad0f72c20b260af89a00a520349fa40c357
Instruction ID: 1248f09f24c94693e12e58366f364e83d3b9b7a61c675ac27a0ad962663b5279
Opcode Fuzzy Hash: c967f9369f0fc9a2a78f4b21e2df5ad0f72c20b260af89a00a520349fa40c357
Instruction Fuzzy Hash: 41012431200B2AABCB305F69EE28B4A7BB0EF00754F00CD35F91996EA0DF34D8109B52

Function 6C8D8BDA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,6C8D87C4,?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C8D8BEB
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6C8D8BFB

Strings

Advapi32.dll, xrefs: 6C8D8BE6
RegCreateKeyTransactedW, xrefs: 6C8D8BF5

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: e1a7834a3cb9915ddc541d8d69c3f8c15c91b777de39c4f80d8bd517dea1f05e
Instruction ID: 0e39997dd36a7ec1beb79c9450d666f000681b49d9dd7e3dcc207828f123f4de
Opcode Fuzzy Hash: e1a7834a3cb9915ddc541d8d69c3f8c15c91b777de39c4f80d8bd517dea1f05e
Instruction Fuzzy Hash: 23016232201509EBCF261F98ED04FE93BB6FB89356F128526FA5491420D732E4A1EB90

Function 6C8DC5AB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6C8DC5C6
GetClassNameW.USER32(?,?,0000000A), ref: 6C8DC5DB
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C8DC5F2

Strings

combobox, xrefs: 6C8DC5E3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: e4382112f79176c8c72a358c012173555163e502f2902bdf45ca26d465ac62c5
Instruction ID: 74c21b0e1e1f72ebfa859b93a9524e81e1e6212193a70b57928f4cb890e0dea8
Opcode Fuzzy Hash: e4382112f79176c8c72a358c012173555163e502f2902bdf45ca26d465ac62c5
Instruction Fuzzy Hash: 16F0FF32655219ABCB10EF688C56EEE73B8EB06320F508314F522E70C0DA20A902C794

Function 6C8D8C4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,6C8D876C,80000001,software,00000000,0002001F,?), ref: 6C8D8C5B
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C8D8C6B

Strings

RegOpenKeyTransactedW, xrefs: 6C8D8C65
Advapi32.dll, xrefs: 6C8D8C56

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 4b3273c98144b0d90c8e932081d7863e1a1e1f7b05ae8f9ab5827b216d33dc14
Instruction ID: aa8d3f5fb8adb1c0d9a31089abb7c3f50d323bc12931fb49b4f67f70f771c4ec
Opcode Fuzzy Hash: 4b3273c98144b0d90c8e932081d7863e1a1e1f7b05ae8f9ab5827b216d33dc14
Instruction Fuzzy Hash: 4DF0C23220160AEBDF211F96FD08BAA7BB6FB85252F12C83AF615C1460D7329451DBA0

Function 6C908E39 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6C908E63
GetFileAttributesW.KERNEL32(000000FF,00000104,00000104,000000FF,?,?), ref: 6C908E6E
GetTempFileNameW.KERNEL32(?,?,00000000,000000FF,?,?,6C912C49,00000000,AFX,00000000,00000104,00000104,000000FF,?,?), ref: 6C908E86

Strings

%s%s%X.tmp, xrefs: 6C908E58

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: File$AttributesNameTempswprintf
String ID: %s%s%X.tmp
API String ID: 2659213859-596088238
Opcode ID: e7dce3d7cfa67d60856231d5c136f4d39aec6b9ab87734d126fd4524a7527d1c
Instruction ID: f6e21704992c2a72adf2f13798736c8e0fae1b51cfa205fb452b6ad03ddf2c36
Opcode Fuzzy Hash: e7dce3d7cfa67d60856231d5c136f4d39aec6b9ab87734d126fd4524a7527d1c
Instruction Fuzzy Hash: 19F05E3160020EBFCF019FA4DC05ACE3B7AFF05329F508610F924A48A0D732C660AB50

Function 6C8E6768 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000,6CA3E490), ref: 6C8E6856
DrawThemeParentBackground.UXTHEME(?,?,00000000), ref: 6C8E6870
DrawThemeBackground.UXTHEME(?,?,00000006,00000000,00000000,00000000), ref: 6C8E688C
GetBkColor.GDI32(?), ref: 6C8E689E

Part of subcall function 6C8E2E3A: SetBkColor.GDI32(?,?), ref: 6C8E2E53
Part of subcall function 6C8E2E3A: ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 6C8E2E85

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: BackgroundTheme$ColorDraw$ParentPartiallyTextTransparent
String ID:
API String ID: 501873518-0
Opcode ID: 97488df6aace204383e1c565b1dad2c0056d78e11ee13808f0ac1ee16ed7cf6d
Instruction ID: 280a02c8f33ee5724ab3bbd85feb1d5f54c76842415b9f6099eea204c537a946
Opcode Fuzzy Hash: 97488df6aace204383e1c565b1dad2c0056d78e11ee13808f0ac1ee16ed7cf6d
Instruction Fuzzy Hash: 60914F31E0122AEBDF21CF99C944BEEBBB1EF4A714F148525E914FB690C7759841CB90

Function 6C904E95 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C904EE9
InflateRect.USER32(?,00000000,00000000), ref: 6C904F1F
GetSystemMetrics.USER32(00000002), ref: 6C904FA6

Part of subcall function 6C8C6C52: SetScrollInfo.USER32(?,?,?,?), ref: 6C8C6C96

EnableScrollBar.USER32(?,00000002,00000003), ref: 6C9050C5

Part of subcall function 6C8C8E3F: EnableWindow.USER32(?,00000024), ref: 6C8C8E50

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: EnableRectScroll$ClientInflateInfoMetricsSystemWindow
String ID:
API String ID: 3090651611-0
Opcode ID: 387268e28c4dc55e43e1518f32bd2450af9ea6f6e07b63177770db77e5487dd8
Instruction ID: a7f0ca3269efc17ed98e37d97f341decb74229be236e94fa1d21c0b84bf16eeb
Opcode Fuzzy Hash: 387268e28c4dc55e43e1518f32bd2450af9ea6f6e07b63177770db77e5487dd8
Instruction Fuzzy Hash: 00714771A01619DFCF14CFA8C984AEDB7B9FF48704F14417AE909EB685DB70A941CB60

Function 6C8CC35A Relevance: 6.2, APIs: 4, Instructions: 181windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8CC364
GetDlgCtrlID.USER32(?), ref: 6C8CC3B4
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 6C8CC449
SetMenu.USER32(?,?), ref: 6C8CC555

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CtrlH_prolog3_MenuWindow
String ID:
API String ID: 739472796-0
Opcode ID: bb8420137177bee653bfb4c77e38b8e67286fdb21521168651199609cc9cd841
Instruction ID: e35fe04d789559e63e3874f6ccbea8d331e6cf63fbf864b68e02a5f2c2563414
Opcode Fuzzy Hash: bb8420137177bee653bfb4c77e38b8e67286fdb21521168651199609cc9cd841
Instruction Fuzzy Hash: 4F512A3170060A9BCB30AB68CE44AEEB779FF55314F14896AE915D7B81DB70E841CB92

Function 6C8CE84E Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6C8CF42F: GetDlgCtrlID.USER32(?), ref: 6C8CF43D
Part of subcall function 6C8CF42F: IsChild.USER32(?,?), ref: 6C8CF44B

GetScrollPos.USER32(?,00000002), ref: 6C8CE897
GetScrollPos.USER32(?,00000002), ref: 6C8CE8C3
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C8CE920
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C8CE9A2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 2911de091cb95096b0cd8f0b2d41fb2261eff1cc48488ba1e46f5df215e7d8f2
Instruction ID: 8136c3127b70b5c88424db0ae701e4014129794a16335e6f583be6cc3dc47073
Opcode Fuzzy Hash: 2911de091cb95096b0cd8f0b2d41fb2261eff1cc48488ba1e46f5df215e7d8f2
Instruction Fuzzy Hash: 81516E71B0062AAFDF158F54CC55BBEBBB6FF48311F10856AE915E7290CB70A901CB91

Function 6C8CEA04 Relevance: 6.2, APIs: 4, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 6C8CF42F: GetDlgCtrlID.USER32(?), ref: 6C8CF43D
Part of subcall function 6C8CF42F: IsChild.USER32(?,?), ref: 6C8CF44B

GetScrollPos.USER32(?,00000002), ref: 6C8CEA4D
GetScrollPos.USER32(?,00000002), ref: 6C8CEA79
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C8CEAD6
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C8CEB4B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 5052bc14fa5d7cd933ec8bf8d735975adeed448b64fdb35ab7b87ee7c73eb510
Instruction ID: 0c9591687274768f15418c08d3b34aac946f34f3511f4d475bee72b747ab76c8
Opcode Fuzzy Hash: 5052bc14fa5d7cd933ec8bf8d735975adeed448b64fdb35ab7b87ee7c73eb510
Instruction Fuzzy Hash: 07513A71B0021AAFDF15CF95C955BBEBBB6BF88310F10856AE815B7290C731A9029F91

Function 6C8ECC04 Relevance: 6.1, APIs: 4, Instructions: 144registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8ECC0E

Part of subcall function 6C8D8733: RegCloseKey.ADVAPI32(00000000), ref: 6C8D87D8
Part of subcall function 6C8D8733: RegCloseKey.ADVAPI32(00000000), ref: 6C8D87E7

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 6C8ECD93
RegCloseKey.ADVAPI32(?), ref: 6C8ECDA6
RegCloseKey.ADVAPI32(?,00000000,00000000,0002001F), ref: 6C8ECE00

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Close$EnumH_prolog3_Value
String ID:
API String ID: 431837299-0
Opcode ID: 78c2f757316926e04f92029569cad368228bc57d40c032edec2631cb26791b35
Instruction ID: 7daf89b66570730bbe0bb0b2b1161121021dfc28906dd644f0cf02aadaef06b0
Opcode Fuzzy Hash: 78c2f757316926e04f92029569cad368228bc57d40c032edec2631cb26791b35
Instruction Fuzzy Hash: EE5140B1A011389BCB31DB54CD84ADEBBBCEF49254F4005DAE609A7241DB709F89CF98

Function 6C8D89F3 Relevance: 6.1, APIs: 4, Instructions: 117registryCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,6CA3C6B0,?,00001000,?), ref: 6C8D8B40

Part of subcall function 6C8D8B72: RegCloseKey.ADVAPI32(00000000,?,?,?,6C8D8881,?,00000000,00000018), ref: 6C8D8BB7

RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,CDD28759,?,?,?,?,6CA2CAAF,000000FF), ref: 6C8D8A8E
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6CA2CAAF,000000FF), ref: 6C8D8ACA
RegCloseKey.ADVAPI32(00000000,?,?,?,?,6CA2CAAF,000000FF), ref: 6C8D8AE4

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CloseQueryValue$PrivateProfileString
String ID:
API String ID: 2114517702-0
Opcode ID: baec8e58d07469bccf6043aeb49865b4859d66e7a30905eeb82e587825e27441
Instruction ID: 71e646558cbf650f630c7190435e5cb11647b0f392c03181b134b46b4ad1cf7e
Opcode Fuzzy Hash: baec8e58d07469bccf6043aeb49865b4859d66e7a30905eeb82e587825e27441
Instruction Fuzzy Hash: 87416371A00319AFDB25CF18CD48AEEB3B9EF05314F0045AAE519A7641D734AE49CF61

Function 6C8E8752 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 6C8E877A

Part of subcall function 6C8E2EDC: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C8E2F23
Part of subcall function 6C8E2EDC: CreatePatternBrush.GDI32(00000000), ref: 6C8E2F30
Part of subcall function 6C8E2EDC: DeleteObject.GDI32(00000000), ref: 6C8E2F3C

GetSystemMetrics.USER32(00000020), ref: 6C8E87BB
GetSystemMetrics.USER32(00000021), ref: 6C8E87C7
InflateRect.USER32(?,000000FF,000000FF), ref: 6C8E8829

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 419749085-0
Opcode ID: 844566069a6510ddef85b185287518ff08aa0b19689967fcba78d9891a2207d2
Instruction ID: 4924785ae8a9c3c86c7265126e7f9eec2324508a979c16e02d5c91e42eb025a7
Opcode Fuzzy Hash: 844566069a6510ddef85b185287518ff08aa0b19689967fcba78d9891a2207d2
Instruction Fuzzy Hash: FC414A71D00619CFCB14CFA9C944AEEBBB5FF4E314F21826AE910B7261D7349946CBA4

Function 6C8FEFF5 Relevance: 6.1, APIs: 4, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C8FF08E
ScreenToClient.USER32(000000FF,?), ref: 6C8FF09E
PtInRect.USER32(000000D8,?,?), ref: 6C8FF0B1
PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6C8FF0CC

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ClientCursorMessagePostRectScreen
String ID:
API String ID: 1913696736-0
Opcode ID: 188c1cb1450600e2f81593250e7f0e18be71b94700b9610765a959f143c01c78
Instruction ID: cf0a41e29769ac53d9cb8fd51db65153d4021b8cbc25260e91ae3a67d04f8d52
Opcode Fuzzy Hash: 188c1cb1450600e2f81593250e7f0e18be71b94700b9610765a959f143c01c78
Instruction Fuzzy Hash: CD312735B0021AEFCF258FA4CD44AAD7BF5FF48394B108666E829D3650EB309913CB60

Function 033B39D3 Relevance: 6.1, APIs: 4, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 033B39E7
__init_pointers.LIBCMT ref: 033B3A99
__calloc_crt.LIBCMT ref: 033B3B07

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: __calloc_crt__init_pointers__mtterm
String ID:
API String ID: 2478854527-0
Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
Instruction ID: b1939a5633ee4b19725acb9986ae83fabd9b0a0f2f89286e1a782eeeeca18c19
Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
Instruction Fuzzy Hash: 31315C35D02730EEFB12EB758CD8A96BFB4EB447A0B24451AFA109A6B1EB308045DF40

Function 6C8C474E Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

GetClientRect.USER32(?,?), ref: 6C8C47B6
IsMenu.USER32(00000000), ref: 6C8C47F2
AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C8C480A
GetClientRect.USER32(?,?), ref: 6C8C4852

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$ClientWindow$AdjustLongMenu
String ID:
API String ID: 3435883281-0
Opcode ID: 4c23c2edfebcfe605be937515f5e58492ffd6d7f1f32f3d09d02516b9b4d950d
Instruction ID: a955b096656779b4d473fabaad529fa5d89a7380287a926317f6611bdb371dc2
Opcode Fuzzy Hash: 4c23c2edfebcfe605be937515f5e58492ffd6d7f1f32f3d09d02516b9b4d950d
Instruction Fuzzy Hash: 40318431B00259AFDF14DFB9C998ABEB7B9EF85208F118529E904E7640DB30E941CB51

Function 6C8D0FA4 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 6C8D1036
GetWindowRect.USER32(?,?), ref: 6C8D104A
GetParent.USER32(?), ref: 6C8D1053
EqualRect.USER32(?,?), ref: 6C8D1072

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$EqualInflateParentWindow
String ID:
API String ID: 719057501-0
Opcode ID: a2fff8ecf502becdc9190a6ab4b7a6ad5c4329a019431a6b2326ff6965df93f2
Instruction ID: f4e255ff0ef75e72e596da2e2bd0cb24d9d7b5593c136b57ddcd08e23612e6c8
Opcode Fuzzy Hash: a2fff8ecf502becdc9190a6ab4b7a6ad5c4329a019431a6b2326ff6965df93f2
Instruction Fuzzy Hash: 48318271B002099BCF24DFA4CA54AEEB7B9FF09308F20492AE505E3640EB35ED458B61

Function 6C95BDCE Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C95BE37
EqualRect.USER32(?,?), ref: 6C95BE5D
BeginDeferWindowPos.USER32(?), ref: 6C95BE6A
EndDeferWindowPos.USER32(00000000), ref: 6C95BE90

Part of subcall function 6C94E85D: GetWindowRect.USER32(?,?), ref: 6C94E871
Part of subcall function 6C94E85D: GetParent.USER32(?), ref: 6C94E8C7
Part of subcall function 6C94E85D: GetParent.USER32(?), ref: 6C94E8DA

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqual
String ID:
API String ID: 2054780619-0
Opcode ID: 2578ae6e5597fc946e779b1f56e8acdd8b33149ab8df9efdab67362997380f3c
Instruction ID: 468db30450ffea20457dd97704cc7f9afb760187b9245cefc5bc8ebd2ea48667
Opcode Fuzzy Hash: 2578ae6e5597fc946e779b1f56e8acdd8b33149ab8df9efdab67362997380f3c
Instruction Fuzzy Hash: 41318471F016099BCF04DF65C9949EEB7F9BF59304F54822AE905E3A10DB30E959CBA0

Function 6C8FEDFB Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C8FEE1D
PtInRect.USER32(?,?,?), ref: 6C8FEE47

Part of subcall function 6C8FD1E2: ScreenToClient.USER32(?,?), ref: 6C8FD1FE
Part of subcall function 6C8FD1E2: GetParent.USER32(?), ref: 6C8FD20E
Part of subcall function 6C8FD1E2: GetClientRect.USER32(?,?), ref: 6C8FD2A1
Part of subcall function 6C8FD1E2: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8FD2B3
Part of subcall function 6C8FD1E2: PtInRect.USER32(?,?,?), ref: 6C8FD2C3

MapWindowPoints.USER32(?,?,?,00000001), ref: 6C8FEE70
SendMessageW.USER32(?,00000202,?,?), ref: 6C8FEE8F

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: 8a4eb75259eb8f8537e1a3b8f45bd90a14b7624ceea4fa2cc102e86b0cd8a7a2
Instruction ID: cbae3e5c8a9b13d1e4d19814eda4dc1189beede78a67516d1e0b1b18a5bb3018
Opcode Fuzzy Hash: 8a4eb75259eb8f8537e1a3b8f45bd90a14b7624ceea4fa2cc102e86b0cd8a7a2
Instruction Fuzzy Hash: 9731C13160070AEBCF26DF65DD148EE7BB6FF48354B10862AF86987550EB31D912DB90

Function 6C8FFC44 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?,CDD28759,?,?,?,Function_0018C862,000000FF), ref: 6C8FFC95
IsWindow.USER32(?), ref: 6C8FFCA6
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8FFCBA
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C8FFD17

Part of subcall function 6C96F292: GetParent.USER32(00000000), ref: 6C96F319

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::DestroyMenuMessageParentSendWindow
String ID:
API String ID: 3377428259-0
Opcode ID: 590dd61bc7e4648c629be132e30f566c0012c4a87cf17b7a0b9d1c6549d596b1
Instruction ID: b781317f4fd04e64abc25d89a243ad5424e4b308511ab6e6365b16830a28646e
Opcode Fuzzy Hash: 590dd61bc7e4648c629be132e30f566c0012c4a87cf17b7a0b9d1c6549d596b1
Instruction Fuzzy Hash: 19218D74201B419BD739DF39C994BFAB7E8FF55788F10482DE46A82B90CB747506CA10

Function 6C8C62E8 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C8C6322
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C8C634C
GetCapture.USER32 ref: 6C8C6362
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C8C6371

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 4df9cd9204d708937bbdfff486eef4e02dc6fb9c12b53045a7d22e2c9185afd5
Instruction ID: 197b5c1f457ea9d3a57fc7f74c123b7bb49ae27729c447c097540827aa433826
Opcode Fuzzy Hash: 4df9cd9204d708937bbdfff486eef4e02dc6fb9c12b53045a7d22e2c9185afd5
Instruction Fuzzy Hash: 1E11D3B130060ABFEE251B249C88EFE7B7EFB48798F008531F61597A91CB708C019661

Function 6C8FE3B1 Relevance: 6.1, APIs: 4, Instructions: 70timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,0000EC17), ref: 6C8FE3C5
KillTimer.USER32(?,0000EC18), ref: 6C8FE3D3
IsWindow.USER32(?), ref: 6C8FE443
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8FE46A

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: KillTimer$MessagePostWindow
String ID:
API String ID: 3970157719-0
Opcode ID: 49ba1035408ae367ba527769b397be01cc7236cda94358d3367bac55239c0265
Instruction ID: 8821e64ff8be0a74c1330feb9b6718c1aafc914d208ed72b90882f9b55cc7425
Opcode Fuzzy Hash: 49ba1035408ae367ba527769b397be01cc7236cda94358d3367bac55239c0265
Instruction Fuzzy Hash: B9212531701701AFEF148F61CC98B9A7BB6FF44354F104569D855D7691CB30A802CB80

Function 6C8FED35 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6C8FED67
PtInRect.USER32(?,?,?), ref: 6C8FED80

Part of subcall function 6C8FD1E2: ScreenToClient.USER32(?,?), ref: 6C8FD1FE
Part of subcall function 6C8FD1E2: GetParent.USER32(?), ref: 6C8FD20E
Part of subcall function 6C8FD1E2: GetClientRect.USER32(?,?), ref: 6C8FD2A1
Part of subcall function 6C8FD1E2: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C8FD2B3
Part of subcall function 6C8FD1E2: PtInRect.USER32(?,?,?), ref: 6C8FD2C3

MapWindowPoints.USER32(?,?,?,00000001), ref: 6C8FEDB6
SendMessageW.USER32(?,00000201,?,?), ref: 6C8FEDD5

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: 677b9155c9a77cfabfeaec0e159e722f2e18a73848429f89c76653fe9f344694
Instruction ID: 40c2d1fb0a838360d3b80187aa26b991dcc69ea18d3cf96a39ad28a2fba9d51b
Opcode Fuzzy Hash: 677b9155c9a77cfabfeaec0e159e722f2e18a73848429f89c76653fe9f344694
Instruction Fuzzy Hash: 8F217131A0070EEFDF259F64CC14AEEBBB6FF44304F10862AF85596650E7719962DB90

Function 6C8EEAB3 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

UnlockFile.KERNEL32(?,?,?,?,?), ref: 6C8EEAC8
GetLastError.KERNEL32 ref: 6C8EEAE1
WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000000,00000000), ref: 6C8EEB0B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: File$ErrorLastUnlockWrite
String ID:
API String ID: 1673360954-0
Opcode ID: 678b2fb8e21f342cfbc2036f44727af5d04a20a9a676184aa6b28cc4ae55292f
Instruction ID: d0a9c6aa880ce412eb93740aee54fa1dd46829e75351aafa23bc55e64e41efe8
Opcode Fuzzy Hash: 678b2fb8e21f342cfbc2036f44727af5d04a20a9a676184aa6b28cc4ae55292f
Instruction Fuzzy Hash: EC110632500629BBCF349F91DC08DEB7B6CFF56265B008625FA2D96990DB30E914C7E0

Function 6C8DAC59 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6C8DACA6
GetWindowRect.USER32(?,?), ref: 6C8DACC2
PtInRect.USER32(?,00000000,00000000), ref: 6C8DACD2
CallNextHookEx.USER32(?,?,?), ref: 6C8DACFA

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: 8017a1e14a58fbf77cb604a8246d99272012df7d95051452e287df2843d7dfe6
Instruction ID: 6a465bee07225b36972b29ea14fe9f950965e26bb1a14941d52be3b477cc3a90
Opcode Fuzzy Hash: 8017a1e14a58fbf77cb604a8246d99272012df7d95051452e287df2843d7dfe6
Instruction Fuzzy Hash: 3A21AF32A1120BDBCF15DFA4DE09BEE7BB5FF0531AF228615E015E2560DB30A652CB60

Function 6C8D8E2E Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C8D8E69
RegCloseKey.ADVAPI32(00000000), ref: 6C8D8E72
swprintf.LIBCMT ref: 6C8D8E8F
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C8D8EA0

Part of subcall function 6C8D8B72: RegCloseKey.ADVAPI32(00000000,?,?,?,6C8D8881,?,00000000,00000018), ref: 6C8D8BB7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Close$PrivateProfileStringValueWriteswprintf
String ID:
API String ID: 581541481-0
Opcode ID: 7c4c375a36b63d9bc89b0c034ab72f36ff6a2c345e6bb0900cdc1249a5d8a4bf
Instruction ID: e959b0a9bf3e2255c70e163cbcfcdccdca7eb300caff2525924a460d4ed78e08
Opcode Fuzzy Hash: 7c4c375a36b63d9bc89b0c034ab72f36ff6a2c345e6bb0900cdc1249a5d8a4bf
Instruction Fuzzy Hash: 57018E72600309ABDB209F688D85FAF73BCAB4A604F51481AB605EA590DB74ED058BA0

Function 6C8C459B Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 6C8C45E6
SetBkColor.GDI32(?,?), ref: 6C8C45F0
GetSysColor.USER32(00000008), ref: 6C8C4600
SetTextColor.GDI32(?,?), ref: 6C8C4608

Part of subcall function 6C8DC5AB: GetWindowLongW.USER32(?,000000F0), ref: 6C8DC5C6
Part of subcall function 6C8DC5AB: GetClassNameW.USER32(?,?,0000000A), ref: 6C8DC5DB
Part of subcall function 6C8DC5AB: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C8DC5F2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Color$ClassCompareLongNameObjectStringTextWindow
String ID:
API String ID: 3274569906-0
Opcode ID: 3da6552fd816455b4335a96d590b0d1b2556636009ff54bad05bb9f4199ac87a
Instruction ID: 7f84d5dfab3de14216523b95d72673f306f327b054c4b38249d51ce516211227
Opcode Fuzzy Hash: 3da6552fd816455b4335a96d590b0d1b2556636009ff54bad05bb9f4199ac87a
Instruction Fuzzy Hash: 97016531701605ABEB309FA89D44DBF77B9EFC6214B104A15E917D3588CB30DD818762

Function 6CA10514 Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,6CA103B6,00000000,00000004,00000000), ref: 6CA10563
GetLastError.KERNEL32(?,?,?,6C958F8E,6C958FDE,00000000,00000000,?,?,?,6C8F8FBA,00000001), ref: 6CA1056F
__dosmaperr.LIBCMT ref: 6CA10576

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 0eaec13facf461ef77a5b6032bf6f5b6eafdaecfc5b5f23b743fcd83f023fe0f
Instruction ID: 07cd9b6235a90a34eefa1e30e1497bdf108e0067267e17eff90a449e643a3931
Opcode Fuzzy Hash: 0eaec13facf461ef77a5b6032bf6f5b6eafdaecfc5b5f23b743fcd83f023fe0f
Instruction Fuzzy Hash: 55010472905644BBCB10CF65DD04B9E7B75EF813B9F248209F524869C0DB708999D760

Function 6C8D003C Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6C8D004C
GetScrollPos.USER32(?,00000002), ref: 6C8D005F
SendMessageW.USER32(?,00000115,?,?), ref: 6C8D0099
SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C8D00B7

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Scroll$CtrlMessageSend
String ID:
API String ID: 1219558039-0
Opcode ID: e7fb3b9f21a6230eb74be29d636b103dad7ff1888880001b2ecc8f8ff430bc7c
Instruction ID: d3acf11d7a933e62d593e1d0a9c25962b1324f6059ce7eb5176a9cf2e1044859
Opcode Fuzzy Hash: e7fb3b9f21a6230eb74be29d636b103dad7ff1888880001b2ecc8f8ff430bc7c
Instruction Fuzzy Hash: B4118E72600258BFDF214F69CD49EAA7BB6FF88340F014A69F9059B152E771AC11DBA0

Function 6C8E811C Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8C8F77: GetWindowLongW.USER32(?,000000F0), ref: 6C8C8F84

GetForegroundWindow.USER32 ref: 6C8E8145
GetLastActivePopup.USER32(?), ref: 6C8E815A
SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 6C8E8176
SendMessageW.USER32(?,0000036D,00000004,00000000), ref: 6C8E8192

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: MessageSendWindow$ActiveForegroundLastLongPopup
String ID:
API String ID: 2039223353-0
Opcode ID: 1ccd0fcf463a983873735e09b56a59008e1eabf9246151714ea486bce2bae4bd
Instruction ID: c9a7099b83a569aedf2bee9cbb41faa802e8445682eced5e3674c60f17aa8b22
Opcode Fuzzy Hash: 1ccd0fcf463a983873735e09b56a59008e1eabf9246151714ea486bce2bae4bd
Instruction Fuzzy Hash: A201D6B2350B017BEA352B7D9E09FAE2179AB4A718F244E3BF745D6E90DF70C8064152

Function 033BB7AA Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 033BB7D0

Part of subcall function 033BB5FC: __fltout2.LIBCMT ref: 033BB627

__cftog_l.LIBCMT ref: 033BB7F6
__cftoe_l.LIBCMT ref: 033BB828

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: b9fd154cff5f108cdf334a5fdc891d13d4383b675310626a53bff8e02f58ce52
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 2D114E7640018ABBCF129F84CC91CEEBF76BF18251F488415FB6899930DB36C5B1AB81

Function 6C8E8B2D Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 6C8E8B47
OffsetRect.USER32(?,?,?), ref: 6C8E8B53
OffsetRect.USER32(?,?,?), ref: 6C8E8B5F
OffsetRect.USER32(?,?,?), ref: 6C8E8B6B

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 114ea9c611bbab89be8e176509df62b78505dabd990bee68ea74c2da62b9ce37
Instruction ID: ea445fb1ea33646870d9567baa196d2f251fca1d67511bd188f4b9e269b4f8d1
Opcode Fuzzy Hash: 114ea9c611bbab89be8e176509df62b78505dabd990bee68ea74c2da62b9ce37
Instruction Fuzzy Hash: A2012D72601204AFCF149FA9DC889CA7BBDEF4A250B00856AED09CB206D734E845CBA0

Function 6C8C07EB Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 6C8C07FB
GetSubMenu.USER32(00000000,-00000001), ref: 6C8C080A
GetMenuItemCount.USER32(00000000), ref: 6C8C0817
GetMenuItemID.USER32(00000000,00000000), ref: 6C8C082D

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Menu$Item$Count
String ID:
API String ID: 879546783-0
Opcode ID: 2ce45a9e6afcabb817ca70d56a0ca4bf55423031652ae3d298f14f5bc2e6b438
Instruction ID: 0f63eeb1153b0ec7ed6aaa32a1d8419cb84224ce14019fa3ce2e42c8d6869fb9
Opcode Fuzzy Hash: 2ce45a9e6afcabb817ca70d56a0ca4bf55423031652ae3d298f14f5bc2e6b438
Instruction Fuzzy Hash: 0E0144B171266AEFDF258BA4DEE8A4E7AA9EF05384F10CD35F409E6600DB30C9418691

Function 6C8C06B0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 6C8C06D0
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6C8C06DF
IsWindow.USER32(00000000), ref: 6C8C06F0
SetWindowLongW.USER32(00000000,000000F0,?), ref: 6C8C0700

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0f31e4f3e18845b56d0747866c15e18cefc09c3671524092700e938401a86a1b
Instruction ID: d44d98d17737226f2c71efda3101efd705fe8800c55aacf84b27a3f62eeadb6e
Opcode Fuzzy Hash: 0f31e4f3e18845b56d0747866c15e18cefc09c3671524092700e938401a86a1b
Instruction Fuzzy Hash: 82012671309611AFDF149B748C98E7E36B9EB8B774B104728F822D63C0DB70D8028B52

Function 6C8C6B5D Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(6C8C05D0), ref: 6C8C6B64
GetTopWindow.USER32(00000000), ref: 6C8C6BA7
GetWindow.USER32(00000000,00000002), ref: 6C8C6BC9

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ecb96b5e22f7baaa3af62bff0247aaec6fd8352eddf4a34198c3d0c16b713b5f
Instruction ID: 371945c8ffab8043966337ccbbd9f56041626c6db75badbfe4c496ee529ec0f0
Opcode Fuzzy Hash: ecb96b5e22f7baaa3af62bff0247aaec6fd8352eddf4a34198c3d0c16b713b5f
Instruction Fuzzy Hash: 2F01083220161AFBCF225F94DE14EEE3B3ABF19354F008924FA14D0461C736C625EBA6

Function 6C8C404B Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(6C8C05D0,?), ref: 6C8C4055
GetTopWindow.USER32(00000000), ref: 6C8C4062

Part of subcall function 6C8C404B: GetWindow.USER32(00000000,00000002), ref: 6C8C40B1

GetTopWindow.USER32(6C8C05D0), ref: 6C8C4096

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 72a7d335b4031ff4f280a0f519a737727cb284c0917ff595df8cf6e567a87c64
Instruction ID: 212a5081173b4ebee8eee7869df13ede37a5f3ddc19b33060ee5bf60553a4d69
Opcode Fuzzy Hash: 72a7d335b4031ff4f280a0f519a737727cb284c0917ff595df8cf6e567a87c64
Instruction Fuzzy Hash: 7601A23138172AB7CB722F658E04AEF3BB9AFD5358F048A20FC1496900D731C5998E97

Function 033AF0C6 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 033AF0E0

Part of subcall function 033AF032: __FF_MSGBANNER.LIBCMT ref: 033AF04B
Part of subcall function 033AF032: __NMSG_WRITE.LIBCMT ref: 033AF052

std::exception::exception.LIBCMT ref: 033AF115
std::exception::exception.LIBCMT ref: 033AF12F
__CxxThrowException@8.LIBCMT ref: 033AF140

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
Instruction ID: d9aaa1d40846611bd0362eb4dcb10166bfe36abf0fa610915ea7aba13f52d76e
Opcode Fuzzy Hash: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
Instruction Fuzzy Hash: 15F0F435C00B18ABDB15EB98DCE4ABE7AA9EF40644F944168D900EA090DB75CA02CB41

Function 6CA0072A Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6CA0073C
GetCurrentThreadId.KERNEL32 ref: 6CA0074B
GetCurrentProcessId.KERNEL32 ref: 6CA00754
QueryPerformanceCounter.KERNEL32(?), ref: 6CA00761

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 09708be24fc44aec52e6e6c37c037a32b93c873c3cb1ec3eab68a64afff131e1
Instruction ID: 047caab8e0761028a1598f5cbe71fc02e6d4f0634d1da26915ce421260ab1526
Opcode Fuzzy Hash: 09708be24fc44aec52e6e6c37c037a32b93c873c3cb1ec3eab68a64afff131e1
Instruction Fuzzy Hash: 5EF0B270D1060EEFCF04DBF4CA8898EBBF8FF1D204B918696A412E7100EB30AB458B50

Function 6C8E870B Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E8752: GetStockObject.GDI32(00000000), ref: 6C8E877A
Part of subcall function 6C8E8752: InflateRect.USER32(?,000000FF,000000FF), ref: 6C8E8829

ReleaseCapture.USER32 ref: 6C8E8716
GetDesktopWindow.USER32 ref: 6C8E871C
LockWindowUpdate.USER32(00000000,00000000), ref: 6C8E872C
ReleaseDC.USER32(?,?), ref: 6C8E8742

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 82be720ee3112b2c43409bf7bfda262033ee5343fde1b9b610cef5bc2c5c54a7
Instruction ID: e64badf7c1cbbd16e3990abf8fcaab08521c871a5ba69045c1e9b23a315a543f
Opcode Fuzzy Hash: 82be720ee3112b2c43409bf7bfda262033ee5343fde1b9b610cef5bc2c5c54a7
Instruction Fuzzy Hash: E4E01A36301702ABDB381B75EE1CBCA3A36FF87716F108929F14AC6560CB7298028B50

Function 6C8A7C30 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 394COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 6C8A7CF7
_strcspn.LIBCMT ref: 6C8A7D44

Strings

@, xrefs: 6C8A7F33

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: _strcspn
String ID: @
API String ID: 3709121408-2766056989
Opcode ID: f4cb60e296cd8b8b02824ffa2d3b7efb4d25eb4fe26c62885e04e6d932cc813a
Instruction ID: b958a1f4479c8371d9bbe4ba93eb18f43dcd33f3a9a1e9e3a1c5ef1c9f873136
Opcode Fuzzy Hash: f4cb60e296cd8b8b02824ffa2d3b7efb4d25eb4fe26c62885e04e6d932cc813a
Instruction Fuzzy Hash: EBF17BB1A00249EFCB14CFE8C990BEEBBB5BF48304F148569E515A7794DB34A946CF60

Function 033A980F Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 033A997F

Part of subcall function 033AF032: __FF_MSGBANNER.LIBCMT ref: 033AF04B
Part of subcall function 033AF032: __NMSG_WRITE.LIBCMT ref: 033AF052

_memcpy_s.LIBCMT ref: 033A9B42

Strings

&, xrefs: 033A98A0

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: _malloc_memcpy_s
String ID: &
API String ID: 3561290194-3042966939
Opcode ID: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
Instruction ID: 13d084fd4a4685e5819ad83574dee5107b727bde0a0c26f0b06e90857a7451b5
Opcode Fuzzy Hash: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
Instruction Fuzzy Hash: 23C153F1A00A199FDB24CF59CCC4BAAB7B8EF48300F1485ADD709A7241D774AA85CF54

Function 6C8BA1F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

, xrefs: 6C8BA2AD
, xrefs: 6C8BA2B3

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 05cbaf42b832159deb634e64fcc2ce51e13062d08229133408db7c445646a859
Instruction ID: 64f5620d9f8e553405cc5028f677d72e1f5141f9f72a2c9723e6cd7ec87c8ae3
Opcode Fuzzy Hash: 05cbaf42b832159deb634e64fcc2ce51e13062d08229133408db7c445646a859
Instruction Fuzzy Hash: 4B614AB5D00209EFCB14CFE8C9909EEBBB5BF49308F108968D525B7741D731AA46CB95

Function 033AC2CF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

_wcsrchr.LIBCMT ref: 033AC386
_memset.LIBCMT ref: 033AC3C3

Strings

D, xrefs: 033AC3E2

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: _memset_wcsrchr
String ID: D
API String ID: 1675014779-2746444292
Opcode ID: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
Instruction ID: c3608b1ac28bd1742c1634b84f4c2fec586cdfa27d0b46034059ba1ad0865b3f
Opcode Fuzzy Hash: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
Instruction Fuzzy Hash: 8E31F472A402187BE724D7A49CCAFEB776CEB44710F140129FB0AAA1C0DA759946C6E5

Function 6C8EC113 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8EC11A
CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 6C8EC175

Strings

%08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 6C8EC1BF

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CreateGuidH_prolog3_
String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
API String ID: 2971167768-1017209998
Opcode ID: 7bbd87771d55fa67e30caf3f15a9160623a133d4db4581b26c1cccf86f5eef42
Instruction ID: 515028c90a1225ffd0693dc11725a77161ed95d0823203296bb93b3a0e4fa7fe
Opcode Fuzzy Hash: 7bbd87771d55fa67e30caf3f15a9160623a133d4db4581b26c1cccf86f5eef42
Instruction Fuzzy Hash: 5D41927190015AAFCB21DFACC954AFEBBB9AF19314F044859E441B7781CB789E09CBA0

Function 6C8D8D56 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8D8B72: RegCloseKey.ADVAPI32(00000000,?,?,?,6C8D8881,?,00000000,00000018), ref: 6C8D8BB7

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C8D8D88
RegCloseKey.ADVAPI32(00000000), ref: 6C8D8D91

Strings

A, xrefs: 6C8D8DCB

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: Close$Value
String ID: A
API String ID: 299128501-3554254475
Opcode ID: 6c4fcc76822f31b2276f53fae199477387a82da79022edba3a82523bcc6c0b1f
Instruction ID: e173c68af84d1148ba6a7db6307e12d0e7ef63e8f4062ae0e8697b30ef3316b6
Opcode Fuzzy Hash: 6c4fcc76822f31b2276f53fae199477387a82da79022edba3a82523bcc6c0b1f
Instruction Fuzzy Hash: 71214836500225BBCF258F58DC48AEE7BB9EF05360F21452AF808CB290EB35DD02DB90

Function 6C8BCA30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?), ref: 6C8BCA5D
DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6C8BCB19

Strings

.lnk, xrefs: 6C8BCAD0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DeleteFileFolderPath
String ID: .lnk
API String ID: 2724039827-24824748
Opcode ID: dc2e9e1f2ccb54bbad00f737e9caf41012c3c8f1a6991bab92ec69e44ad4e5fd
Instruction ID: d050bd47e7eb198093be0db6cda5e810e62110390848b3eec73095ac197969b9
Opcode Fuzzy Hash: dc2e9e1f2ccb54bbad00f737e9caf41012c3c8f1a6991bab92ec69e44ad4e5fd
Instruction Fuzzy Hash: 97312F71D00209EFCB24DBD4DE51BEDB7B4BB98304F108668E515A7780EF746A09CBA0

Function 033AF179 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 033AF1D4

Part of subcall function 033AF2DA: __getptd_noexit.LIBCMT ref: 033AF2DA

Strings

B, xrefs: 033AF1CD

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
Instruction ID: 2dc359ae024482390054713a505682160d15009a8b098defd3870c5b48931f6a
Opcode Fuzzy Hash: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
Instruction Fuzzy Hash: 58014075E0025D9BDF10DFA8CC81BEEBBB8FF44364F144255E924AA281D7749501CBB5

Function 6C8EA2C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6C8EA2E7
CopyRect.USER32(?,?), ref: 6C8EA2F9

Strings

(, xrefs: 6C8EA2E0

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 42b01810c026519e2f08f5498cfd3de819c4ba25c7996d6d774197483edbc2b2
Instruction ID: 88c39822e783af6b4badd40166ec684fd02ffd8877a23157a1d6b42bc04b5920
Opcode Fuzzy Hash: 42b01810c026519e2f08f5498cfd3de819c4ba25c7996d6d774197483edbc2b2
Instruction Fuzzy Hash: CF11A271A01B09DFCB14DFA9D58499AB7F9FF08605B50882EE4AAE3650E730E945CF50

Function 033C0093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 033C00A2

Part of subcall function 033B381A: __getptd_noexit.LIBCMT ref: 033B381D
Part of subcall function 033B381A: __amsg_exit.LIBCMT ref: 033B382A

__getptd.LIBCMT ref: 033C00B0

Strings

csm, xrefs: 033C00BE

Memory Dump Source

Source File: 00000003.00000002.3531273742.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33a0000_Update.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction ID: ab3d86d98cf9043789e23ded3f4a977589c7e48ba97fa4367d20d9fac4958593
Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction Fuzzy Hash: 12012838810385CACF38DF66C9C06ADF7B9AF04215F58856ED1C1AAA50CF34D995CB01

Function 6CA00879 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6C8A1E90: GetLastError.KERNEL32 ref: 6C8A1EC9
Part of subcall function 6C8A1E90: _HRESULT_FROM_WIN32.LIBCMTD ref: 6C8A1ED0

IsDebuggerPresent.KERNEL32(?,?,?,6C8A1C6B), ref: 6CA008AC
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C8A1C6B), ref: 6CA008BB

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6CA008B6

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 87b33888e80546e88d63c8e1d40a1a620899ab5481e0a782117327d9a13fa55a
Instruction ID: d897b0901cb79e72e2067cd6727a59eafc0a0f017b6ec7c6290be8f5a97036fc
Opcode Fuzzy Hash: 87b33888e80546e88d63c8e1d40a1a620899ab5481e0a782117327d9a13fa55a
Instruction Fuzzy Hash: 6CE030712017818BD7709FA9E50974677F4BB41748F008A1CD456C2F40DF74D0898BA1

Function 6C8DCE9D Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CA988F0,?,?,?,?,6C8DCE99,00000000,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DCEA9
TlsGetValue.KERNEL32(6CA988D4,?,?,?,?,6C8DCE99,00000000,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DCEBD
LeaveCriticalSection.KERNEL32(6CA988F0,?,?,?,?,6C8DCE99,00000000,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DCED7
LeaveCriticalSection.KERNEL32(6CA988F0,?,?,?,?,6C8DCE99,00000000,00000004,6C8DB787,6C8C3ABF,6C8D116D,?,6C8D6CE6,00000004,6C8D7498,00000120), ref: 6C8DCEE2

Memory Dump Source

Source File: 00000003.00000002.3531880544.000000006C8A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C8A0000, based on PE: true

Associated: 00000003.00000002.3531864910.000000006C8A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3531979852.000000006CA3B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532017419.000000006CA91000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532035372.000000006CA93000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532053913.000000006CA98000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3532070195.000000006CA9C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c8a0000_Update.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: a394187749a53f907bab2358b6e71ce3e2a371d7bc3fbf391f953cf8d20cc765
Instruction ID: e69eb7acf7dcbdc50ab40f71cacd889528ce0a86b5cda293ac12020f26c438fd
Opcode Fuzzy Hash: a394187749a53f907bab2358b6e71ce3e2a371d7bc3fbf391f953cf8d20cc765
Instruction Fuzzy Hash: A3F0967220061A9BDB24EF15DC8495AF73CFF057953268526E806D7903C731F846CBA0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zPJUOck9wt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

C:\Users\Public\Bilite\Axialis\Update.dll

C:\Users\Public\Bilite\Axialis\Update.exe

C:\Users\Public\Bilite\install_flash_player_ppapi.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3322gm14.ao5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ovkdsoq.vvi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4u2emuuk.cte.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_523ue3du.aco.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpxgv1sa.aak.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fiil12dg.yiv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqu3hwdc.k11.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_smi1dxsr.vyt.psm1

C:\Users\user\AppData\Local\Temp\backup.dll

Windows Analysis Report
zPJUOck9wt.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre