Edit tour

Windows Analysis Report
6f0slJzOrF.exe

Overview

General Information

Sample name:	6f0slJzOrF.exe renamed because original name is a hash value
Original sample name:	E0B31F24AA1B867B395D4F62F15DC51A.exe
Analysis ID:	1582215
MD5:	e0b31f24aa1b867b395d4f62f15dc51a
SHA1:	f3c915a4d1ef71e74978e8f14c809e2d2012e8ad
SHA256:	090e553ac4ce1567dddc7548139b14c7645bf1dae7ec608730d6894a783c0b89
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sleep loop found (likely to delay execution)

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

6f0slJzOrF.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\6f0slJzOrF.exe" MD5: E0B31F24AA1B867B395D4F62F15DC51A)

cmd.exe (PID: 7444 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Update.exe (PID: 7496 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)

cmd.exe (PID: 8012 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8072 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 8092 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 8128 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7316 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7396 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 3748 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7648 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7636 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 7708 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 1284 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3176 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 1988 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 8144 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1396 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 8152 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5344 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Update.exe PID: 7496	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 7496, ProcessName: Update.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Users\Public\Bilite\Axialis\Update.exe, ParentProcessId: 7496, ParentProcessName: Update.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 8144, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 154.82.85.79, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\Update.exe, Initiated: true, ProcessId: 7496, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49899

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 1396, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 1396, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T03:44:29.546494+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49924	154.82.85.79	18091	TCP
2024-12-30T03:45:39.297430+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49953	154.82.85.79	18091	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.dll	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\backup.dll	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: 6f0slJzOrF.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B5DCB CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,	3_2_6C1B5DCB
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B56FA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,___std_exception_copy,	3_2_6C1B56FA
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B556C CryptStringToBinaryA,CryptStringToBinaryA,___std_exception_copy,	3_2_6C1B556C

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Unpacked PE file: 3.2.Update.exe.4320000.6.unpack

Source: 6f0slJzOrF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: \YSS\Release\Update.pdb source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmp, Update.exe, 00000003.00000003.2480482624.00000000015C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \YSS\Release\Update.pdb0 source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmp, Update.exe, 00000003.00000003.2480482624.00000000015C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar-x64-700scp.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2615239555.0000000006D2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1778858106.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3548624115.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbo source: powershell.exe, 00000012.00000002.2621611408.0000000007D97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb50r source: powershell.exe, 00000012.00000002.2615239555.0000000006D2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2621611408.0000000007D97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLIST,, source: powershell.exe, 00000012.00000002.2614200432.0000000006C97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1778858106.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3548624115.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb3w source: powershell.exe, 00000012.00000002.2621611408.0000000007D90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-700scp.exe.0.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb( source: powershell.exe, 00000012.00000002.2594552418.0000000000461000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: z:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: x:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: v:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: t:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: r:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: p:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: n:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: l:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: j:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: h:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: f:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: b:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: y:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: w:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: u:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: s:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: q:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: o:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: m:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: k:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: i:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: g:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C32813B FindFirstFileExW,	3_2_6C32813B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C3281EC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	3_2_6C3281EC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C2116B5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	3_2_6C2116B5

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_043280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_043280F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49924 -> 154.82.85.79:18091
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49953 -> 154.82.85.79:18091

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 154.82.85.79 ports 18852,18091,1,2,5,8

Source: global traffic

TCP traffic: 192.168.2.4:49899 -> 154.82.85.79:18852

Source: Joe Sandbox View

ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS

Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.85.79

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_04322FD0 recv,select,recv,

3_2_04322FD0

Source: Update.exe, 00000003.00000003.2481316048.000000000151C000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000011.00000002.2594539470.000000000049F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2594653699.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000011.00000002.2618375019.0000000007CD2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2615239555.0000000006D17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000012.00000002.2621611408.0000000007D97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Update.exe, 00000003.00000003.2481316048.000000000151C000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Update.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: winrar-x64-700scp.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: powershell.exe, 00000011.00000002.2606826646.0000000005614000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Update.exe, 00000003.00000003.2481316048.000000000151C000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2595466540.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2595466540.0000000004705000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.2595466540.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2595466540.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2595466540.0000000004705000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Update.exe, 00000003.00000003.2481316048.0000000001521000.00000004.00000020.00020000.00000000.sdmp, winrar-x64-700scp.exe.0.dr, Update.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000012.00000002.2615239555.0000000006CFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka..winsvr
Source: powershell.exe, 00000011.00000002.2595466540.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.0000000004271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000002.2621548933.0000000007D75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000011.00000002.2606826646.0000000005614000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0432E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0432E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0432E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_0432E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0432E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

3_2_0432E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_0432E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0432BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

3_2_0432BC70

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6C200D93 __EH_prolog3_GS,GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,InvalidateRect,InflateRect,RedrawWindow,InvalidateRect,InflateRect,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,NotifyWinEvent,NotifyWinEvent,SetCapture,RedrawWindow,

3_2_6C200D93

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0432E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

3_2_0432E4F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25CE24 GetKeyState,GetKeyState,GetKeyState,	3_2_6C25CE24
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1D64A2 GetKeyState,GetKeyState,GetKeyState,SendMessageW,	3_2_6C1D64A2
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1ED8C7 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	3_2_6C1ED8C7

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6C1B5DCB CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,

3_2_6C1B5DCB

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0432B43F ExitWindowsEx,	3_2_0432B43F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0432B41B ExitWindowsEx,	3_2_0432B41B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0432B463 ExitWindowsEx,	3_2_0432B463

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04326C50	3_2_04326C50
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04326EE0	3_2_04326EE0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_043224B0	3_2_043224B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0433DDF0	3_2_0433DDF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0433D89F	3_2_0433D89F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04328900	3_2_04328900
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0433F9FF	3_2_0433F9FF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0433EA1D	3_2_0433EA1D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0433E341	3_2_0433E341
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04338381	3_2_04338381
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B6C38	3_2_6C1B6C38
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1C5C94	3_2_6C1C5C94
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B5DCB	3_2_6C1B5DCB
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1C1991	3_2_6C1C1991
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B56FA	3_2_6C1B56FA
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1C5103	3_2_6C1C5103
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B6C78	3_2_6C1B6C78
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B6CF9	3_2_6C1B6CF9
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1D6EE3	3_2_6C1D6EE3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1BCFBE	3_2_6C1BCFBE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C20495F	3_2_6C20495F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C230A1B	3_2_6C230A1B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C27CACE	3_2_6C27CACE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C3106AB	3_2_6C3106AB
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1BC6CC	3_2_6C1BC6CC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1BE6EC	3_2_6C1BE6EC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1E6795	3_2_6C1E6795
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1E2313	3_2_6C1E2313
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1BBFAC	3_2_6C1BBFAC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C30BFF0	3_2_6C30BFF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B7902	3_2_6C1B7902
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1CD9D2	3_2_6C1CD9D2
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C319A96	3_2_6C319A96
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C313BF4	3_2_6C313BF4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C203551	3_2_6C203551
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1FB6BB	3_2_6C1FB6BB
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1D1701	3_2_6C1D1701
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B7783	3_2_6C1B7783
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C32F7F2	3_2_6C32F7F2
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1B3192	3_2_6C1B3192
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1F518D	3_2_6C1F518D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C313270	3_2_6C313270
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1C3242	3_2_6C1C3242
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1C52E6	3_2_6C1C52E6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C29B31D	3_2_6C29B31D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001122F	3_2_1001122F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_100024B0	3_2_100024B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1000B66A	3_2_1000B66A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011780	3_2_10011780
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10010CDE	3_2_10010CDE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10012D91	3_2_10012D91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011E5C	3_2_10011E5C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03280032	3_2_03280032
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03291206	3_2_03291206
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03291757	3_2_03291757
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0328B641	3_2_0328B641
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03292D68	3_2_03292D68
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03290CB5	3_2_03290CB5
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03282487	3_2_03282487
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041BDD00	3_2_041BDD00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041B7D40	3_2_041B7D40
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041A660F	3_2_041A660F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041A1E6F	3_2_041A1E6F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041BD7AF	3_2_041BD7AF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041A689F	3_2_041A689F

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Bilite\Axialis\Update.exe 0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C22C521 appears 71 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 04334300 appears 32 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1E6BF0 appears 76 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1E8B2F appears 44 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1E89DB appears 333 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1E8A44 appears 123 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1B1900 appears 64 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1C80BA appears 43 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1C9700 appears 63 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C1C9B7C appears 243 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C2A688F appears 42 times
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: String function: 0040243B appears 37 times

Source: 6f0slJzOrF.exe

Static PE information: invalid certificate

Source: 6f0slJzOrF.exe, 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamensdksetupJ vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1680411362.000000000255D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1680411362.000000000255D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe	Binary or memory string: OriginalFilename7zSfxNew.exe< vs 6f0slJzOrF.exe

Source: 6f0slJzOrF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/29@0/1

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04327620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	3_2_04327620
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04327740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_04327740
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04327B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	3_2_04327B70

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_04326050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

3_2_04326050

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

File created: C:\Users\Public\Bilite

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.11.10
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: 6f0slJzOrF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6f0slJzOrF.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

File read: C:\Users\user\Desktop\6f0slJzOrF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6f0slJzOrF.exe "C:\Users\user\Desktop\6f0slJzOrF.exe"
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: update.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"

Source: winrar-x64-700scp.exe.lnk.3.dr

LNK file: ..\..\Public\Bilite\winrar-x64-700scp.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 6f0slJzOrF.exe

Static file information: File size 73598737 > 1048576

Source:	Binary string: \YSS\Release\Update.pdb source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmp, Update.exe, 00000003.00000003.2480482624.00000000015C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \YSS\Release\Update.pdb0 source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmp, Update.exe, 00000003.00000003.2480482624.00000000015C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar-x64-700scp.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2615239555.0000000006D2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1778858106.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3548624115.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbo source: powershell.exe, 00000012.00000002.2621611408.0000000007D97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb50r source: powershell.exe, 00000012.00000002.2615239555.0000000006D2F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2621611408.0000000007D97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLIST,, source: powershell.exe, 00000012.00000002.2614200432.0000000006C97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: 6f0slJzOrF.exe, 00000000.00000003.1774772328.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1778858106.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3548624115.0000000000222000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb3w source: powershell.exe, 00000012.00000002.2621611408.0000000007D90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-700scp.exe.0.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb( source: powershell.exe, 00000012.00000002.2594552418.0000000000461000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Unpacked PE file: 3.2.Update.exe.4320000.6.unpack

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: Update.dll.0.dr	Static PE information: section name: .00cfg
Source: winrar-x64-700scp.exe.0.dr	Static PE information: section name: .didat
Source: winrar-x64-700scp.exe.0.dr	Static PE information: section name: _RDATA
Source: backup.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04342470 push ebp; retf	3_2_04342474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04342450 push ebp; retf	3_2_04342474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04334345 push ecx; ret	3_2_04334358
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1E8AB3 push ecx; ret	3_2_6C1E8AC6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C2AA779 push ecx; ret	3_2_6C2AA78E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10009DF5 push ecx; ret	3_2_10009E08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001FE9A push ecx; ret	3_2_1001FEBF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0328CB0B push 701000CBh; retf	3_2_0328CB10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0328CB07 pushad ; retf	3_2_0328CB08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0328CB61 pushfd ; retf	3_2_0328CB64
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0328CAFF push eax; retf	3_2_0328CB00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03289DCC push ecx; ret	3_2_03289DDF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041B3D04 push ecx; ret	3_2_041B3D17

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	File created: C:\Users\Public\Bilite\Axialis\Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	File created: C:\Users\Public\Bilite\winrar-x64-700scp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	File created: C:\Users\Public\Bilite\Axialis\Update.exe	Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1EC42D GetParent,IsIconic,GetParent,__EH_prolog3,	3_2_6C1EC42D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1DC528 IsWindowVisible,IsIconic,	3_2_6C1DC528
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1D0523 IsIconic,IsWindowVisible,	3_2_6C1D0523
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25E028 IsWindowVisible,ScreenToClient,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,	3_2_6C25E028
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25C1C2 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,	3_2_6C25C1C2
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25E231 IsIconic,PostMessageW,	3_2_6C25E231
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25BEF7 GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	3_2_6C25BEF7
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25DF0D IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6C25DF0D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25DF0D IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6C25DF0D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25DF0D IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6C25DF0D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C201B74 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	3_2_6C201B74
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1D7BB2 IsIconic,	3_2_6C1D7BB2
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C235610 GetClientRect,IsRectEmpty,IsWindow,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EqualRect,EndDeferWindowPos,	3_2_6C235610
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C25D734 IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoW,CopyRect,CopyRect,SystemParametersInfoW,OffsetRect,GetSystemMetrics,GetSystemMetrics,	3_2_6C25D734

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0432B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_0432B3C0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Window / User API: threadDelayed 5763	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4294	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 440	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8765	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 840	Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Dropped PE file which has not been started: C:\Users\Public\Bilite\winrar-x64-700scp.exe			Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll			Jump to dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.exe

API coverage: 7.2 %

Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7524	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7520	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 8028	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5804	Thread sleep count: 340 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 2832	Thread sleep count: 5763 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 2832	Thread sleep time: -57630s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 8132	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2056	Thread sleep count: 4294 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5468	Thread sleep count: 440 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5332	Thread sleep count: 8765 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep count: 840 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 7576	Thread sleep count: 265 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7716	Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5368	Thread sleep count: 149 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Thread sleep count: Count: 5763 delay: -10

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C32813B FindFirstFileExW,	3_2_6C32813B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C3281EC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	3_2_6C3281EC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C2116B5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	3_2_6C2116B5

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_043280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_043280F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_04325430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,

3_2_04325430

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 73000	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Update.exe, 00000003.00000002.3549168443.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2902927331.00000000014FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

API call chain: ExitProcess graph end node

graph_3-130451

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_002215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_002215D0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6C1CA257 OutputDebugStringA,GetLastError,

3_2_6C1CA257

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0433054D VirtualProtect ?,-00000001,00000104,?

3_2_0433054D

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03280AE4 mov eax, dword ptr fs:[00000030h]		3_2_03280AE4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_041A00CD mov eax, dword ptr fs:[00000030h]		3_2_041A00CD

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_04326790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

3_2_04326790

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00221A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00221A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00221764 SetUnhandledExceptionFilter,	3_2_00221764
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_002215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_002215D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0432DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	3_2_0432DF10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_04331F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_04331F67
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0432F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0432F00A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C31AEDD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C31AEDD
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C1E6AD6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C1E6AD6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C241B96 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C241B96
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10008587
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10006815
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_032867EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_032867EC

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Contains functionality to inject code into remote processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_04327E50 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,

3_2_04327E50

Contains functionality to inject threads in other processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_043277E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

3_2_043277E0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		3_2_043277E0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		3_2_043277E0

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: Update.exe, 00000003.00000003.3386596565.0000000005341000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3221832615.0000000005341000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2733520874.000000000531D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: Update.exe, 00000003.00000002.3551135076.0000000005341000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram ManagerG

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\6f0slJzOrF.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	3_2_04325430
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C324C0B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C32EDC4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C32EE23
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C32EEF8
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C32EF43
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6C32EFEA
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6C32E885
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C32EAD6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6C32EB71
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C3245EC
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,	3_2_6C1EF4A1
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C32F0F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_04335D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_04335D22

Source: C:\Users\user\Desktop\6f0slJzOrF.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Update.exe	Binary or memory string: acs.exe
Source: Update.exe	Binary or memory string: avcenter.exe
Source: Update.exe	Binary or memory string: kxetray.exe
Source: Update.exe	Binary or memory string: vsserv.exe
Source: Update.exe	Binary or memory string: avp.exe
Source: Update.exe	Binary or memory string: cfp.exe
Source: Update.exe	Binary or memory string: KSafeTray.exe
Source: Update.exe	Binary or memory string: 360Safe.exe
Source: Update.exe	Binary or memory string: 360tray.exe
Source: Update.exe	Binary or memory string: rtvscan.exe
Source: Update.exe	Binary or memory string: TMBMSRV.exe
Source: Update.exe	Binary or memory string: ashDisp.exe
Source: Update.exe	Binary or memory string: 360Tray.exe
Source: Update.exe	Binary or memory string: avgwdsvc.exe
Source: Update.exe	Binary or memory string: AYAgent.aye
Source: Update.exe	Binary or memory string: QUHLPSVC.EXE
Source: Update.exe	Binary or memory string: RavMonD.exe
Source: Update.exe	Binary or memory string: Mcshield.exe
Source: Update.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: Update.exe PID: 7496, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: Update.exe PID: 7496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	141 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	222 Process Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	141 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	38 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Indicator Removal	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6f0slJzOrF.exe	39%	ReversingLabs	Win32.Ransomware.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Bilite\Axialis\Update.dll	78%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Bilite\Axialis\Update.exe	0%	ReversingLabs
C:\Users\Public\Bilite\winrar-x64-700scp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\backup.dll	78%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\backup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://ion=v4.5	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.2606826646.0000000005614000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000011.00000002.2618375019.0000000007CD2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2615239555.0000000006D17000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.2595466540.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2595466540.0000000004705000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000011.00000002.2595466540.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.0000000004271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000012.00000002.2621611408.0000000007D97000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000012.00000002.2621548933.0000000007D75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.2595466540.0000000004D5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2595466540.0000000004705000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2606826646.0000000005614000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000002.2609988130.00000000052D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2595466540.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2595617657.0000000004271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka..winsvr	powershell.exe, 00000012.00000002.2615239555.0000000006CFF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.2595617657.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.82.85.79	unknown	Seychelles		32708	ROOTNETWORKSUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582215
Start date and time:	2024-12-30 03:42:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6f0slJzOrF.exe renamed because original name is a hash value
Original Sample Name:	E0B31F24AA1B867B395D4F62F15DC51A.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/29@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 164 Number of non-executed functions: 191
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1396 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5344 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTNETWORKSUS	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	156.236.225.1
	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse	154.82.113.139
	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse	154.82.113.139
	MicrosoftEdgeUpdateSetup.exe	Get hash	malicious	Unknown	Browse	154.82.68.34
	nshkarm5.elf	Get hash	malicious	Mirai	Browse	154.94.148.181
	x86.elf	Get hash	malicious	Unknown	Browse	154.82.151.143
	bot.x86.elf	Get hash	malicious	Mirai	Browse	38.145.246.125
	nsharm7.elf	Get hash	malicious	Mirai	Browse	156.236.225.1
	akcqrfutuo.elf	Get hash	malicious	Unknown	Browse	154.94.130.206
	jmhgeojeri.elf	Get hash	malicious	Unknown	Browse	154.82.254.162

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Bilite\Axialis\Update.exe	zPJUOck9wt.exe	Get hash	malicious	GhostRat	Browse
	zPJUOck9wt.exe	Get hash	malicious	Unknown	Browse
	MEuu1a2o6n.exe	Get hash	malicious	GhostRat	Browse
	MEuu1a2o6n.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

Download File

Process:	C:\Users\user\Desktop\6f0slJzOrF.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	56
Entropy (8bit):	5.074862957617357
Encrypted:	false
SSDEEP:	3:iqkCdV1YgPPfShdDHqY:ilVgPPfSrDHj
MD5:	6E39ED9B20EC66F4A15F676643E817B7
SHA1:	00BB683B434109DB7F92D5EC0A8C1624B8DDD76A
SHA-256:	8B51398F2ECF48BE517D1C4D35A5A423E506EBD98A04666DDA316FA73EFD708F
SHA-512:	418E6D9EEBB9B5A01FD0DDCCD6A899DACACE55332157DE46F1835AB590CE9F6CC70A877CFA40236648925218FCDFB7A6C8E240A9772687F7B5D90A53BCD6D196
Malicious:	false
Preview:	U2FsdGVkX1/SU80PltnAuPjjzlWfLAoH0tdbM+zlnff/LmxqUYBY5A==

C:\Users\Public\Bilite\Axialis\Update.dll

Download File

Process:	C:\Users\user\Desktop\6f0slJzOrF.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2180096
Entropy (8bit):	6.630734298081442
Encrypted:	false
SSDEEP:	49152:5s5wTerN66bKTfixsRJHmYOmsMUEQ8keZ4E/Q46H+be9BMH8kCU:u5wTep66bKTasRRVOtZ58keZ4ET6H+bB
MD5:	D4B2DBE4B2D1D05553F6A479AC91CC0B
SHA1:	2FF3DF81CD215C338EFA57FE7C9E84F7FD74BD81
SHA-256:	A3EF22F2D5F70B6ACE17DCD6B06F297E9D1B5D83708A14B457A47AA8322CF6AC
SHA-512:	54B58F2F102BAECD557725D710059E46947188292C9BFD380BDADD735A79BEDA44533C48C238A9F3A5304C5AA5DB5321330EE66A729A0584D42EE895A1F68B9E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....kg...........!.........&................................................!...........@.........................XC..O....C..h....P...G.......................-...1...............................................N...............................text............................... ..`.rdata...M...0...N..................@..@.data...8........^...l..............@....00cfg.......0......................@..@.tls.........@......................@....rsrc....G...P...H..................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\Update.exe

Download File

Process:	C:\Users\user\Desktop\6f0slJzOrF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\ypuvomgj.png

Download File

Process:	C:\Users\user\Desktop\6f0slJzOrF.exe
File Type:	data
Category:	dropped
Size (bytes):	67743960
Entropy (8bit):	7.999995177123799
Encrypted:	true
SSDEEP:	1572864:m9dsnu4FYxGsrFKHPbGmHb6xX5JsSiD7LX:m9qnSePbfx7r
MD5:	095764E4AD28A2BBDEAA8165DDB32305
SHA1:	BAC7FE65D7A4D6D114778E45B9099735C041C9B4
SHA-256:	E9EEE49B8663B52ED03FE9344DE5225742D36C5FDEA82671C0887F221DD98C17
SHA-512:	7CEB023DBB39325896EC20920BE05C09C9A10B5B4499F9189E0056C320A5EC98BA1B1E42CA68E8C15EE303C3A94A46CB5A237BB52B84B215A018A396825F97CB
Malicious:	false
Preview:	..>..9..x...@....)..b.;.G.....k...L$Q....{C[..........}......2.'.....d,........5..=1@.`o.R.4..E..N].ZG.;.W...G.._.Q<...7........p.>Nd.........>....y..........x..J.t.@K.W....=.7.@..u2=o..........y.'...Y..K.W.k.@}...Z.:.\|........:...g.k.......#m.q.mU.'.d..!.......i?.....q..ZZ.<..p.q.......;..C..k.\|F!L..........U\|x.u...?....@yyL.%AG`.\.r.=.............MB.Fy"~..2s.h......a..,..0...Mo...H.yM&(I.Aq.:.3sH:.oC..i......S..._.^]...w.r...:..L......q.....1..h.....M....\....Q..V...2...~.w.D8UzQ.p.$.1l...'v.3..E........:.v...%MCp.c.W.B...=.NUW..Dl.Mg.,.......<..].....4%r..%.....l...T...z..4...f.e...#.6..-..+.o...M.].7...uP7..K.f......t1..f.......cH}/%1.~v&2..8..(.F...A.2...D....VM.m.ZF.R....;z.pF@...,..[H..PU..I...BT...w......Y..N.m.f.l'....\.....l5.....ZwY.^c6 L..J~5...6K.!\....CL..r>..L....&.~.r..r$.C.%E..!.W...E#.".....}...4<;6^@........+..........~O..=..*...{m.t.WG..8J...m...X...........+;.P.....Ds..m.X......F.f.u.`t..<.smB.

C:\Users\Public\Bilite\winrar-x64-700scp.exe

Download File

Process:	C:\Users\user\Desktop\6f0slJzOrF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4106352
Entropy (8bit):	7.958994203647152
Encrypted:	false
SSDEEP:	98304:2WaVOBfKP4QT41wUbqTA0AxVSYIuU+LzmTOYOM2IJ7lETr3dwBkR173n:Xa7gQ1Oqk0AxVSN4zwl2IdlUNbRp
MD5:	213C4AD2CCE43FE07E748FA50D91BDAC
SHA1:	3FBE73E57594FDBCEA8A2C2631DE1F4789DC5293
SHA-256:	902098CA985B2E6703CFC53BDB0A41D01AB461130668694742B1BB8F1D149C36
SHA-512:	189B13030662CF3B58254519EE267CF832B98EC828BCB269D69DB32597583455EF2E6DDD9F87877CCF292D77E14D5C64720217E99992CCC3F53BAF98420A5051
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u...u...u...v...u...p.P.u.J.....u.J.q...u.J.v...u.J.p...u...q...u...s...u...t...u...t...u.D.\|...u.D.u...u.D.....u.D.w...u.Rich..u.........................PE..d....S.e.........."....!."..........`..........@.............................0........?...`.........................................PO..4....O..P.......dZ...`...?....>..(... ..D...@...T.......................(....M..@............@......,A.......................text...N!.......".................. ..`.rdata... ...@..."...&..............@..@.data........p.......H..............@....pdata...?...`...@...Z..............@..@.didat..8...........................@..._RDATA..\...........................@..@.rsrc....`.......\..................@..@.reloc..D.... ......................@..B................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.402858173152827
Encrypted:	false
SSDEEP:	24:36WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tXt/NK3R88bJ02r2W3b2:KWSU4y4RQmFoUeWmfmZ9tlNWR832qab2
MD5:	AF36592F85D7B7C543EFF5FDFA110A05
SHA1:	927E58BBC8A0B4BB43A2FF92E414C06A734F891A
SHA-256:	FEFFCA6FA7A5138800281624215FF083CC7086BEC9F51306EAC661FAB8552594
SHA-512:	1D9DBA6C62C84F8C34E74E92F42D399C46929E35752205BCAFBBC2046C8B6223A3D0A08146418256A66AAC932DFF9C9A919168A0CCD087D8CD2720DAE7EC5EF0
Malicious:	false
Preview:	@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24qowyrn.gbj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uugam2n.3tl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dgnzhy4.2a4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjh1nwgi.ahl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfqxkpyc.1s2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxtxivrx.ank.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxcip0rv.cao.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r552qvtv.xfe.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\backup.dll

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2180096
Entropy (8bit):	6.630734298081442
Encrypted:	false
SSDEEP:	49152:5s5wTerN66bKTfixsRJHmYOmsMUEQ8keZ4E/Q46H+be9BMH8kCU:u5wTep66bKTasRRVOtZ58keZ4ET6H+bB
MD5:	D4B2DBE4B2D1D05553F6A479AC91CC0B
SHA1:	2FF3DF81CD215C338EFA57FE7C9E84F7FD74BD81
SHA-256:	A3EF22F2D5F70B6ACE17DCD6B06F297E9D1B5D83708A14B457A47AA8322CF6AC
SHA-512:	54B58F2F102BAECD557725D710059E46947188292C9BFD380BDADD735A79BEDA44533C48C238A9F3A5304C5AA5DB5321330EE66A729A0584D42EE895A1F68B9E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....kg...........!.........&................................................!...........@.........................XC..O....C..h....P...G.......................-...1...............................................N...............................text............................... ..`.rdata...M...0...N..................@..@.data...8........^...l..............@....00cfg.......0......................@..@.tls.........@......................@....rsrc....G...P...H..................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\backup.exe

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.113976261619789
Encrypted:	false
SSDEEP:	24:NFW/WAW/WAWE3fzWcWrfZKx31SIYaYZLZ6y:NFVAVAjvz6ZKx31SIYN/6y
MD5:	F7F23953F7C236A0F12AE4848F174480
SHA1:	E222C191BE437B39FB294EDD1FCCAF961B1F7265
SHA-256:	0CD1B31F9AA2F089BD33331B172CD4813167BD59F889EFDC7EB2ADAA71F3D9CC
SHA-512:	2790AFD071756E25FF408426E0D40879603EBCBC23C1D98AD891017237A2930F27CC19F28C38C5BAB5221E828B0B08727EDCEC1D2AA528FCCED0B7EE576836B8
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=Update.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\Update.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Update.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:EX:EX
MD5:	8BCF57CAA3CCB4C6C1A633674F4AAA84
SHA1:	167895235D38BF0CA3C9C3F9DD65CF45625D5EA4
SHA-256:	C7D02069EA9E317E7ED126A3FAAF2F16B9949E3B072BA2E646CDEA10069D890E
SHA-512:	DE96465D98D942E568AA5A4FEF30740BAF618328E1B725217692F3F3B93F5B4D6F1C5430E9081254120DD04A1216F1E8A9C54017C9EB8137785B15AB9D4D056A
Malicious:	false
Preview:	8012

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\winrar-x64-700scp.exe.lnk

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 30 01:43:13 2024, mtime=Mon Dec 30 01:43:13 2024, atime=Thu Nov 21 08:19:09 2024, length=4106352, window=hide
Category:	dropped
Size (bytes):	1086
Entropy (8bit):	4.712485565261973
Encrypted:	false
SSDEEP:	12:8TvlUlGIZQCICHqXs3XkACmqy2fl5SlFEpOjAU/G6EWaviKpsaG44t2YZ/elFlSd:8T0GFiHZE4AoEjvFXqyFm
MD5:	1425E429C9E6C7477F37DF51283FFB62
SHA1:	AC47191C38DC914990C5AFFD63D5E3B6896884CE
SHA-256:	0CA00E18BDED43F09E27BF04775C7D9A2D6B1D5D438CFE8AB2DD2C1B0D1CEA28
SHA-512:	6DC5C982AC8F58D9B672A78EDA03BCBE6284C1A9184AA82CCA14BF857AA376E1AF48A37662273DA70C67B905E9A905311AC9F01687623BB036711A3125EDC826
Malicious:	false
Preview:	L..................F.... ....{A.dZ....n.dZ..`,.k.;..p.>..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Ya.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1......Yc...Public..f......O.I.Yh.....+...............<.....T...P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Yg...Bilite..>......Yc..Yg.............................S.B.i.l.i.t.e.....x.2.p.>.uYeJ .WINRAR~1.EXE..\......Yg..Yg.....T.......................Y.w.i.n.r.a.r.-.x.6.4.-.7.0.0.s.c.p...e.x.e.......[...............-.......Z............u......C:\Users\Public\Bilite\winrar-x64-700scp.exe..).....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.w.i.n.r.a.r.-.x.6.4.-.7.0.0.s.c.p...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......580913...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	118
Entropy (8bit):	4.231779304291169
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUW:hYFRamFSQZ0lv5y/9JctESnQUW
MD5:	EA4370C6D3E1915502DEABAFCFE379F1
SHA1:	B32FFD2D69DF742E47EA86D0D739717CF6B147D3
SHA-256:	A8DFD19D19766FFD7DBEE9742F933099850C2594A81BDD38CA900A8255FD3B92
SHA-512:	C66EC971096851DF7A923F0602F6760AA544B84D474515E1A10B31FC44A473A7A3CA66370475084931A920BA45558EEE5BCCAEB82A4781FEF302CDF68AF00266
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99988625048371
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6f0slJzOrF.exe
File size:	73'598'737 bytes
MD5:	e0b31f24aa1b867b395d4f62f15dc51a
SHA1:	f3c915a4d1ef71e74978e8f14c809e2d2012e8ad
SHA256:	090e553ac4ce1567dddc7548139b14c7645bf1dae7ec608730d6894a783c0b89
SHA512:	adf922a11063cbf9a8c88e223bdc50c241b6b3aee13562a93fc0da700352ff9f7ca4aac4a1a8c167515d03f472b39d50d452e7e9b801eac1d40699a4596d6f0b
SSDEEP:	1572864:MK6Kz6KxLBN+7kTzc1hIrf0UpLE112AVK6Z6YYIuhi0l:1eOe7kTzg2pLEHV/ZyEg
TLSH:	6FF73343FB0E1DDDE396597A5CF483B411FFC6952AA9BE526AC344070ECA801964F0EE
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................@...............................................P........................b..).

File Icon


Icon Hash:	01e0f2ccd4d4c400

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/07/2022 01:00:00 18/07/2024 00:59:59
Subject Chain	CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1:	583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256:	2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial:	7098774ED29B0565AB114EF2F2871CF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F37D07F97E2h
cmp dword ptr [00417710h], ebx
jne 00007F37D07F96CEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F37D07F97B4h
push 00417048h
push 00417044h
call 00007F37D07F979Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F37D07F976Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x190d7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x462ddf9	0x2918
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x190d7	0x19200	aedf42f084dabb70902985d8cb8d4f42	False	0.14223802860696516	data	4.481844282645869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.42819148936170215
RT_ICON	0x1a670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.2767354596622889
RT_ICON	0x1b718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.2513485477178423
RT_ICON	0x1dcc0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.17170524326877656
RT_ICON	0x21ee8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.09922512717378446
RT_GROUP_ICON	0x32710	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x3275c	0x350	data	English	United States	0.47523584905660377
RT_VERSION	0x32aac	0x3b0	data	Chinese	China	0.4523305084745763
RT_MANIFEST	0x32e5c	0x27b	ASCII text, with very long lines (635), with no line terminators	English	United States	0.5118110236220472

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T03:44:29.546494+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49924	154.82.85.79	18091	TCP
2024-12-30T03:45:39.297430+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49953	154.82.85.79	18091	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 03:44:25.659112930 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:25.663950920 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:25.664014101 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.433526039 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.433542967 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.433553934 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.433564901 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.433581114 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.433589935 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.433630943 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.484683037 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.646327019 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646341085 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646353006 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646367073 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646373034 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646393061 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.646433115 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.646785975 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646797895 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646814108 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646822929 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.646823883 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.646852970 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.647211075 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.647250891 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.647259951 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.647270918 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.647301912 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.859493017 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859517097 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859529972 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859539986 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859551907 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859575987 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.859613895 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.859931946 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859944105 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859955072 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859966040 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859977961 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.859983921 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.860014915 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.860797882 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.860809088 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.860820055 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.860831022 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.860862970 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.860889912 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:26.943685055 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:26.984704971 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.072438955 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072459936 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072472095 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072514057 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.072567940 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072608948 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.072623014 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072637081 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072660923 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072671890 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072678089 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.072712898 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.073640108 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.073652029 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.073662996 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.073673010 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.073678970 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.073683977 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.073694944 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.073703051 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.073721886 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.074537039 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.074547052 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.074557066 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.074568033 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.074574947 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.074579954 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.074599028 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.074620008 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.285501003 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285550117 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285562038 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285573959 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285584927 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285614967 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.285799980 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285851955 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285861015 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.285861969 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285876989 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.285897970 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.286251068 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286262035 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286273956 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286284924 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286295891 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286302090 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.286338091 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.286861897 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286871910 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286884069 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286894083 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286905050 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286916018 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286916018 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.286926985 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286937952 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.286947966 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.286978006 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.287755013 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.287767887 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.287776947 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.287787914 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.287807941 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.287842035 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.498505116 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498589993 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498601913 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498614073 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498626947 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498640060 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498651028 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498651981 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.498697996 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.498862982 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498872042 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498919964 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.498922110 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498940945 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498950958 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.498960972 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.498996973 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.499325037 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499335051 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499346972 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499356031 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499366045 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499372959 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.499376059 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499398947 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.499423027 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.499856949 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499867916 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499877930 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499887943 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499897957 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499907970 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499914885 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499917984 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.499924898 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499934912 CET	18852	49899	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:27.499948025 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:27.499975920 CET	49899	18852	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:29.541121006 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:29.546030998 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:29.546089888 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:29.546494007 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:29.551297903 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.392494917 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.392832994 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:30.397690058 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.397701979 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.397703886 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958779097 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958792925 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958811045 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958822012 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958832979 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958843946 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:30.958863974 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:30.958899021 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.172261000 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172283888 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172296047 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172307014 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172318935 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172350883 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.172704935 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172718048 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172766924 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.172940016 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.172971964 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.173362970 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.385560989 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385695934 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385709047 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385720015 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385756016 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.385801077 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.385931969 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385948896 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385960102 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385974884 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.385987043 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.386004925 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.386024952 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.386814117 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.386826038 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.386837006 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.386852026 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.386862040 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.386969090 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.386969090 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.386969090 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.599015951 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599030972 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599040985 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599050999 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599061966 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599071980 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599072933 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.599107981 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.599370003 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599387884 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599530935 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.599648952 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599689960 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599701881 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599713087 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.599736929 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.599822998 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.600274086 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.600285053 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.600291967 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.600311995 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.600328922 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.600332022 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.600337982 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.600374937 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.600390911 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.601176023 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.641030073 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.812361956 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812453985 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812463999 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812475920 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812484980 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812524080 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812535048 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812546015 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812551022 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812556028 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.812582016 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.812634945 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.813374043 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813385963 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813393116 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813402891 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813414097 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813424110 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813431978 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.813435078 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813446045 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.813446045 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.813481092 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.813481092 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.814323902 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.814340115 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.814351082 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.814362049 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.814373016 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.814383030 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:31.814388037 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.814388037 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:31.814431906 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.025533915 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025551081 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025561094 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025630951 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.025634050 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025645971 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025659084 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025672913 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.025711060 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.025918007 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025928974 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025939941 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025949955 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025960922 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.025962114 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.025983095 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.026422024 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026432991 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026443005 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026467085 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.026488066 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.026669979 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026680946 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026686907 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026695967 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026711941 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026721954 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.026722908 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026734114 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026743889 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026753902 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.026757002 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.026762009 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.026783943 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.027509928 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027549982 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.027662039 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027673006 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027688980 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027695894 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027698040 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027704954 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027715921 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027726889 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.027726889 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.027746916 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.027764082 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.028451920 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.028469086 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.028480053 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.028506041 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.078447104 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.238949060 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.238961935 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.238971949 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239029884 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239125967 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239136934 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239146948 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239156008 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239166021 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239176989 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239227057 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239227057 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239362001 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239378929 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239391088 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239399910 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239411116 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239429951 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239453077 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239814043 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239824057 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239834070 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239845037 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239854097 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239864111 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239865065 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.239871025 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.239895105 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.240304947 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240314960 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240324974 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240334988 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240345955 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240354061 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.240355968 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240361929 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.240366936 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240382910 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240386009 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.240392923 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240405083 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240411997 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.240415096 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240427017 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.240439892 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.240468979 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.241173983 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241184950 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241195917 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241205931 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241215944 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241218090 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.241225958 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241235971 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241238117 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.241245985 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241255999 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241265059 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241266966 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.241275072 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241286993 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.241307020 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.241326094 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.242018938 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.242028952 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.242039919 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.242064953 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.242078066 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.242089033 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.242090940 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.242100000 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.242120028 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.281608105 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452647924 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452661991 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452673912 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452683926 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452693939 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452694893 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452704906 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452714920 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452724934 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452727079 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452733994 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452737093 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452747107 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452758074 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452795029 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452939034 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452950001 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452960014 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452965021 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.452976942 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452976942 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.452991009 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.453001976 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.453002930 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.453011990 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.453021049 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.453023911 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.453031063 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.453042030 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.453042984 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.453071117 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:32.535073042 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.535167933 CET	18091	49924	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:32.535232067 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:33.563280106 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:33.568223953 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:33.568317890 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:35.547398090 CET	49924	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:39.469986916 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:39.474900007 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:39.474920988 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:39.474934101 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:39.474948883 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:39.775757074 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:39.775994062 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:39.780817986 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:50.485191107 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:50.490320921 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:50.788635015 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:44:50.844116926 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:50.858216047 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:44:50.863198996 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:07.453646898 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:07.458610058 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:07.756974936 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:07.797293901 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:07.834187031 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:07.839039087 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:23.594284058 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:23.599169970 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:23.897444010 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:23.938046932 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:23.976100922 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:23.981472015 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:39.297430038 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:39.302398920 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:39.600620031 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:39.641175985 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:39.686984062 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:39.691849947 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:55.766170979 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:55.771025896 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:56.069291115 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:45:56.109872103 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:56.169076920 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:45:56.173959017 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:46:11.985563993 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:46:11.990529060 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:46:12.288852930 CET	18091	49953	154.82.85.79	192.168.2.4
Dec 30, 2024 03:46:12.344314098 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:46:12.673295021 CET	49953	18091	192.168.2.4	154.82.85.79
Dec 30, 2024 03:46:12.678132057 CET	18091	49953	154.82.85.79	192.168.2.4

Target ID:	0
Start time:	21:43:04
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\6f0slJzOrF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6f0slJzOrF.exe"
Imagebase:	0x400000
File size:	73'598'737 bytes
MD5 hash:	E0B31F24AA1B867B395D4F62F15DC51A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:43:14
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:43:14
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:43:14
Start date:	29/12/2024
Path:	C:\Users\Public\Bilite\Axialis\Update.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x220000
File size:	395'368 bytes
MD5 hash:	FB325C945A08D06FE91681179BDCCC66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	21:44:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	21:44:24
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	21:44:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x620000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:44:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:44:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xf90000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:44:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:44:25
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:44:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:44:25
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:44:25
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0xdf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:44:25
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0xdf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:44:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x620000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:44:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:44:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xf90000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	21:45:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x620000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	21:45:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:45:24
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xf90000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:45:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x620000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:45:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x5f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:45:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xf90000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.8%
Total number of Nodes:	1423
Total number of Limit Nodes:	15

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

MiscFlags, xrefs: 0040573F
7-Zip SFX, xrefs: 00406490
4AA, xrefs: 0040504C
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
x64, xrefs: 00405FF7
@DA, xrefs: 00405699
SetEnvironment, xrefs: 0040586E, 0040591F
i386, xrefs: 00405FD1
XpA, xrefs: 00405581
InstallPath, xrefs: 004059F3
Delete, xrefs: 00406352
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
FinishMessage, xrefs: 00406399
ExecuteParameters, xrefs: 0040605D
SelfDelete, xrefs: 0040577C, 0040640B
amd64, xrefs: 00405FE4
IA, xrefs: 004055D2, 004058FB
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
7zSfxString%d, xrefs: 0040558F
GUIFlags, xrefs: 0040571F
shc, xrefs: 00405F7A
BeginPrompt, xrefs: 00405A71
OverwriteMode, xrefs: 004056BB
sfxversion, xrefs: 004050D6
7ZipSfx.%03x, xrefs: 00405C77
;!@Install@!UTF-8!, xrefs: 00405436
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
x86, xrefs: 00405FBE
4DA, xrefs: 00406034
Shortcut, xrefs: 0040632A
del, xrefs: 00405F9A
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
nowait, xrefs: 00405F03
HelpText, xrefs: 0040595E
;!@InstallEnd@!, xrefs: 00405431
sfxconfig, xrefs: 0040527C, 00405488
hidcon, xrefs: 00405E5E
forcenowait, xrefs: 00405F25
GUIMode, xrefs: 004056FF

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

7zSfxFolder%02d, xrefs: 004044A1
IA, xrefs: 0040447B

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

$KA, xrefs: 00410CF7
HKA, xrefs: 00410CE9
\KA, xrefs: 00410CE2
4KA, xrefs: 00410CF0

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A32

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?), ref: 0040EA24

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54

Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00411388 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

\3A, xrefs: 00401FDB
XpA, xrefs: 00401FB4
7zSfxString%d, xrefs: 00401FF7

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

SetThreadPreferredUILanguages, xrefs: 00401CA4
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
%04X%c%04X%c, xrefs: 00401C8F
SetProcessPreferredUILanguages, xrefs: 00401C58

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

\EA, xrefs: 00406D98
SetWindowTheme, xrefs: 00406D70
uxtheme, xrefs: 00406D5E

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

:Repeat, xrefs: 00404B92
7ZSfx%03x.cmd, xrefs: 00404B58
open, xrefs: 00404C63
", xrefs: 00404BB9, 00404BBE, 00404C02
del ", xrefs: 00404B9F, 00404BA4, 00404BED
if exist ", xrefs: 00404BC7
" goto Repeat, xrefs: 00404BE0

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

Progress, xrefs: 004046C7
MiscFlags, xrefs: 00404771, 00404776, 00404792
ErrorTitle, xrefs: 0040467F
ExtractPathTitle, xrefs: 00404801
Title, xrefs: 00404611
OverwriteMode, xrefs: 00404721
ExtractDialogText, xrefs: 004047AD
ExtractPathWidth, xrefs: 004047E5
CancelPrompt, xrefs: 00404831
ExtractDialogWidth, xrefs: 004047BE
ExtractTitle, xrefs: 004046AF
WarningTitle, xrefs: 00404697
|wA, xrefs: 0040464B
ExtractPathText, xrefs: 00404819
ExtractCancelText, xrefs: 004047A1
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
GUIMode, xrefs: 004046F4

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

STATIC, xrefs: 00402DDD
{\rtf, xrefs: 00402E09
riched20, xrefs: 00402E3D
RichEdit20W, xrefs: 00402E8C

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

STATIC, xrefs: 00401E13
IMAGES, xrefs: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

MiscFlags, xrefs: 004032C0
hAA, xrefs: 0040309E
{\rtf, xrefs: 004031D6, 004031EB
SetEnvironment, xrefs: 0040326B
GUIFlags, xrefs: 004032B2

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4D9
IA, xrefs: 0040C65E
IA, xrefs: 0040C66E
IA, xrefs: 0040C74D
IA, xrefs: 0040C4C6
IA, xrefs: 0040C4AF

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

BeginPrompt, xrefs: 004084A4, 004084A9
ErrorTitle, xrefs: 00408511
FinishMessage, xrefs: 00408417, 00408433
HelpText, xrefs: 00408598
WarningTitle, xrefs: 0040853A
SetEnvironment, xrefs: 004083BC

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@InstallEnd@!, xrefs: 00404D73
;!@Install@!UTF-8!, xrefs: 00404D59
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000298), ref: 004075CD
ResumeThread.KERNEL32(00000298), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T/, xrefs: 004038E4
%%T\, xrefs: 004038A6

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S\, xrefs: 00403961
%%S/, xrefs: 0040399F

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M/, xrefs: 00403A5A
%%M\, xrefs: 00403A1C

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

4JA, xrefs: 0040E4AF
xJA, xrefs: 0040E493
hJA, xrefs: 0040E49A
TJA, xrefs: 0040E4A1
$JA, xrefs: 0040E4B6
DJA, xrefs: 0040E4A8

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C12D
IA, xrefs: 0040C11B

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

GetNativeSystemInfo, xrefs: 00402200
kernel32, xrefs: 00402205

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

kernel32, xrefs: 00402193
Wow64RevertWow64FsRedirection, xrefs: 0040218E

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

kernel32, xrefs: 004021C5
Wow64DisableWow64FsRedirection, xrefs: 004021C0

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1779844775.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1779820883.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779863111.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779881618.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779910532.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: Update.exePID: 7496, Parent PID: 7444COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	22.2%
Signature Coverage:	5.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	96

Executed Functions

Function 04325430 Relevance: 93.2, APIs: 40, Strings: 13, Instructions: 440
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0432F707: _malloc.LIBCMT ref: 0432F721

_memset.LIBCMT ref: 0432546C
_memset.LIBCMT ref: 04325485
_memset.LIBCMT ref: 04325495
gethostname.WS2_32(?,00000032), ref: 043254A3
gethostbyname.WS2_32(?), ref: 043254AD
inet_ntoa.WS2_32 ref: 043254C5
_strcat_s.LIBCMT ref: 043254D8
_strcat_s.LIBCMT ref: 043254F1
inet_ntoa.WS2_32 ref: 0432551A
_strcat_s.LIBCMT ref: 0432552D
_strcat_s.LIBCMT ref: 04325546
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04325573
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04325587
GetLastInputInfo.USER32(?), ref: 0432559A
GetTickCount.KERNEL32 ref: 043255A0
wsprintfW.USER32 ref: 043255D5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 043255E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 043255FC
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04325653
wsprintfW.USER32 ref: 0432566C
GetForegroundWindow.USER32 ref: 04325695
GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 043256AC
lstrlenW.KERNEL32(000008CC), ref: 043256D3
lstrlenW.KERNEL32(00000994), ref: 04325739
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 043257AA
GetProcAddress.KERNEL32(00000000), ref: 043257B1
GetNativeSystemInfo.KERNEL32(?), ref: 043257C2
GetSystemInfo.KERNEL32(?), ref: 043257CD
wsprintfW.USER32 ref: 04325806
GetCurrentProcessId.KERNEL32 ref: 04325818
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0432582E
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0432584B
CloseHandle.KERNEL32(04345164), ref: 0432587F
GetTickCount.KERNEL32 ref: 043258E9
__time64.LIBCMT ref: 043258F8
__localtime64.LIBCMT ref: 0432592F
wsprintfW.USER32 ref: 04325968
GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0432597D
GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0432598C
GetCurrentHwProfileW.ADVAPI32(?), ref: 04325999

Part of subcall function 043280F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 04328132
Part of subcall function 043280F0: lstrcmpiW.KERNEL32(?,A:\), ref: 04328166
Part of subcall function 043280F0: lstrcmpiW.KERNEL32(?,B:\), ref: 04328176
Part of subcall function 043280F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 043281A6
Part of subcall function 043280F0: lstrlenW.KERNEL32(?), ref: 043281B7
Part of subcall function 043280F0: __wcsnicmp.LIBCMT ref: 043281CE
Part of subcall function 043280F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 04328204

Strings

Network, xrefs: 043256C2, 04325728
1.0, xrefs: 04325702
AppEvents, xrefs: 043256B6, 0432571C
X86, xrefs: 043259B1, 043259D3
2024.11.10, xrefs: 04325758
%d min, xrefs: 043255CF
GROUP, xrefs: 043256E0
X86 %s, xrefs: 04325800
x64, xrefs: 043257ED
kernel32.dll, xrefs: 0432576F
x86, xrefs: 043257F4, 043257F9
REMARK, xrefs: 04325746
GetNativeSystemInfo, xrefs: 0432576A

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
String ID: %d min$1.0$2024.11.10$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
API String ID: 1101047656-762248391
Opcode ID: 31d87e32d01440788b15215899d6dfe8843b28e6476c93d62f9560bb1980dad1
Instruction ID: 733aa0ca6edbed6324cd863eb3d8dde2cd145548f285bb9e59a029fbdfddf6f6
Opcode Fuzzy Hash: 31d87e32d01440788b15215899d6dfe8843b28e6476c93d62f9560bb1980dad1
Instruction Fuzzy Hash: E0F1B1B5A40214BBE724DB64CD85FEB73B8EF88704F005598F71AA7280EA70BA44CF55

Function 6C1B6CF9 Relevance: 73.1, APIs: 12, Strings: 29, Instructions: 1321COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C1B6FBE

Strings

.batitor, xrefs: 6C1B6F2D, 6C1B6F3C
timeout /t 30 /nobreak >nul, xrefs: 6C1B76BC
goto CheckProcess, xrefs: 6C1B76D0
set "ProcessPath=, xrefs: 6C1B6F54
if not exist "%DLLPath%" (, xrefs: 6C1B761C
if not exist "%ProcessPath%" (, xrefs: 6C1B75D2
.battor., xrefs: 6C1B8705, 6C1B6F68, 6C1B6F79
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C1B75F4
set "ProcessName=, xrefs: 6C1B6F1F
.batkup., xrefs: 6C1B7CE4, 6C1B7EFD, 6C1B7F60, 6C1B7F3C, 6C1B7F72
:CheckProcess, xrefs: 6C1B6F0B
set "BackupDLLPath=, xrefs: 6C1B72DD
.bat, xrefs: 6C1B6D01
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C1B766C
start "" "%ProcessPath%", xrefs: 6C1B7694
P}2, xrefs: 6C1B6E83
@echo off, xrefs: 6C1B6EF7
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C1B7F51
if %ERRORLEVEL% neq 0 (, xrefs: 6C1B7680
set "DLLPath=, xrefs: 6C1B72A6
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C1B7C90
.pid, xrefs: 6C1B84FF
cmd.exe /B /c "%s", xrefs: 6C1B79A2
echo DLL file not found, restoring from backup..., xrefs: 6C1B7630
tor., xrefs: 6C1B84F7
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C1B7644
itor, xrefs: 6C1B6D09
echo Process file not found, restoring from backup..., xrefs: 6C1B75E0
set "BackupProcessPath=, xrefs: 6C1B6F91

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: _strlen
String ID: .batkup.$.battor.$ copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.bat$.batitor$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $P}2$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($itor$set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
API String ID: 4218353326-1072435208
Opcode ID: 2d26c3f1a91fe7d39af7e8b00ca01e3fa28db90eaf337819fe294eda547ad807
Instruction ID: 7daf6862bee14b70148eda4cada71c55e10ba2a640b4db090d5454e353195f0e
Opcode Fuzzy Hash: 2d26c3f1a91fe7d39af7e8b00ca01e3fa28db90eaf337819fe294eda547ad807
Instruction Fuzzy Hash: 31B2D0B1900B018BE324CF34D894B97B7E5BF59308F144A2DD5AA97B81EB34F5498FA1

Function 03280032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 032804AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 032804DE

Strings

mI, xrefs: 03280221
ushI, xrefs: 0328019B
ee, xrefs: 032800F0
Rt, xrefs: 03280233
a, xrefs: 03280103
ctio, xrefs: 0328026B
Via, xrefs: 03280312
tu, xrefs: 03280137
tNat, xrefs: 0328020A
a, xrefs: 0328011C
otec, xrefs: 0328017F
P, xrefs: 03280176
Cach, xrefs: 032801FA
Vi, xrefs: 0328012C
Fu, xrefs: 0328025A
b, xrefs: 03280287
Syst, xrefs: 03280219
iv, xrefs: 03280212
tu, xrefs: 03280166
A, xrefs: 03280244
b, xrefs: 03280113
a, xrefs: 0328016D
st, xrefs: 032801AD
fo, xrefs: 0328022C
t, xrefs: 03280187
F, xrefs: 0328018C
G, xrefs: 03280205
A, xrefs: 03280147
ucti, xrefs: 032801BE
Li, xrefs: 0328010C
Ta, xrefs: 0328027D
o, xrefs: 032801C9
S, xrefs: 032800E7
a, xrefs: 0328013E
p, xrefs: 032800F7
Lo, xrefs: 032800FC
yA, xrefs: 03280125
oc, xrefs: 03280154

Memory Dump Source

Source File: 00000003.00000002.3549853052.0000000003280000.00000040.00001000.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_Update.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: 9dd9c1bcf65517956332899f6b13cbc195ee47f88d239c645b6e53d359944806
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: 4C629E7251A3859FD330DF14C840BABB7E4FF84704F08882DE9C99B291E774A989CB56

Function 6C1B6C38 Relevance: 70.2, APIs: 12, Strings: 27, Instructions: 1961COMMON

Download Yara Rule

Strings

tor., xrefs: 6C1B855C
.batitor, xrefs: 6C1B6F2D, 6C1B6F3C
timeout /t 30 /nobreak >nul, xrefs: 6C1B76BC
goto CheckProcess, xrefs: 6C1B76D0
set "ProcessPath=, xrefs: 6C1B6F54
if not exist "%DLLPath%" (, xrefs: 6C1B761C
if not exist "%ProcessPath%" (, xrefs: 6C1B75D2
.battor., xrefs: 6C1B8705, 6C1B6F68, 6C1B6F79
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C1B75F4
.pid, xrefs: 6C1B8564
set "ProcessName=, xrefs: 6C1B6F1F
.batkup., xrefs: 6C1B7CE4, 6C1B7EFD, 6C1B7F60, 6C1B7F3C, 6C1B7F72
:CheckProcess, xrefs: 6C1B6F0B
set "BackupDLLPath=, xrefs: 6C1B72DD
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C1B766C
start "" "%ProcessPath%", xrefs: 6C1B7694
P}2, xrefs: 6C1B6E83
@echo off, xrefs: 6C1B6EF7
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C1B7F51
if %ERRORLEVEL% neq 0 (, xrefs: 6C1B7680
set "DLLPath=, xrefs: 6C1B72A6
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C1B7C90
cmd.exe /B /c "%s", xrefs: 6C1B79A2
echo DLL file not found, restoring from backup..., xrefs: 6C1B7630
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C1B7644
echo Process file not found, restoring from backup..., xrefs: 6C1B75E0
set "BackupProcessPath=, xrefs: 6C1B6F91

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID:
String ID: .batkup.$.battor.$ copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.batitor$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $P}2$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
API String ID: 0-297688578
Opcode ID: 0f5f532cd6b788d51b8a72a1f122d0be1973c38475a56a94ce433d3a2bd3ec9d
Instruction ID: f8f70fa74f114e2c04f2b4b6cec23c407c30e1b6c2586baac5a383bf79ffc5b9
Opcode Fuzzy Hash: 0f5f532cd6b788d51b8a72a1f122d0be1973c38475a56a94ce433d3a2bd3ec9d
Instruction Fuzzy Hash: F2F2A0B1900B019BE324CF34C894BA7B7E5BF59308F144A2ED59A97B41EB34F5498FA1

Function 6C1B6C78 Relevance: 69.6, APIs: 12, Strings: 27, Instructions: 1390COMMON

Download Yara Rule

Strings

.batitor, xrefs: 6C1B6F2D, 6C1B6F3C
timeout /t 30 /nobreak >nul, xrefs: 6C1B76BC
goto CheckProcess, xrefs: 6C1B76D0
set "ProcessPath=, xrefs: 6C1B6F54
if not exist "%DLLPath%" (, xrefs: 6C1B761C
if not exist "%ProcessPath%" (, xrefs: 6C1B75D2
.battor., xrefs: 6C1B8705, 6C1B6F68, 6C1B6F79
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C1B75F4
set "ProcessName=, xrefs: 6C1B6F1F
.batkup., xrefs: 6C1B7CE4, 6C1B7EFD, 6C1B7F60, 6C1B7F3C, 6C1B7F72
:CheckProcess, xrefs: 6C1B6F0B
set "BackupDLLPath=, xrefs: 6C1B72DD
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C1B766C
start "" "%ProcessPath%", xrefs: 6C1B7694
P}2, xrefs: 6C1B6E83
@echo off, xrefs: 6C1B6EF7
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C1B7F51
if %ERRORLEVEL% neq 0 (, xrefs: 6C1B7680
set "DLLPath=, xrefs: 6C1B72A6
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C1B7C90
.pid, xrefs: 6C1B84FF
cmd.exe /B /c "%s", xrefs: 6C1B79A2
echo DLL file not found, restoring from backup..., xrefs: 6C1B7630
tor., xrefs: 6C1B84F7
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C1B7644
echo Process file not found, restoring from backup..., xrefs: 6C1B75E0
set "BackupProcessPath=, xrefs: 6C1B6F91

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID:
String ID: .batkup.$.battor.$ copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.batitor$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $P}2$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
API String ID: 0-297688578
Opcode ID: 813b0591e56a67d53193c993b9291cdd9e8bf9c35a0a47cdeb8b1e38043d903a
Instruction ID: 973d9c7ee9f0619a8d469d2238e2ba4903069fd2a120c6793156d70e497c1dcb
Opcode Fuzzy Hash: 813b0591e56a67d53193c993b9291cdd9e8bf9c35a0a47cdeb8b1e38043d903a
Instruction Fuzzy Hash: AAC2C0B1900B018BE325CF34C894B96B7F5BF59308F144A2DD5AA97B81EB34F5488FA1

Function 0432DF10 Relevance: 59.9, APIs: 24, Strings: 10, Instructions: 354
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04330542: __fassign.LIBCMT ref: 04330538

Sleep.KERNEL32(00000000), ref: 0432DF64
CloseHandle.KERNEL32(00000000), ref: 0432DF91
GetLocalTime.KERNEL32(?), ref: 0432DFA9
wsprintfW.USER32 ref: 0432DFE0
SetUnhandledExceptionFilter.KERNEL32(043275B0), ref: 0432DFEE
CloseHandle.KERNEL32(00000000), ref: 0432E007

Part of subcall function 0432F707: _malloc.LIBCMT ref: 0432F721

EnumWindows.USER32(04325CC0,?), ref: 0432E19D
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0432E1AA
EnumWindows.USER32(04325CC0,?), ref: 0432E1BE
Sleep.KERNEL32(00000BB8), ref: 0432E1F5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0432E241
Sleep.KERNEL32(00000FA0), ref: 0432E2C4
RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0432E2EB
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0432E30B
CloseHandle.KERNEL32(?), ref: 0432E35D
Sleep.KERNEL32(000003E8,?,?), ref: 0432E3A4
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0432E3D0
CloseHandle.KERNEL32(?,?,?), ref: 0432E3D7
Sleep.KERNEL32(000003E8,?,?), ref: 0432E3E2
CloseHandle.KERNEL32(?), ref: 0432E400
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0432E425
CloseHandle.KERNEL32(?,?,?), ref: 0432E42C
Sleep.KERNEL32(00000000,?,?,?), ref: 0432E446
CloseHandle.KERNEL32(?), ref: 0432E464

Strings

Console, xrefs: 0432E2D5
18092, xrefs: 0432E0D0
127.0.0.1, xrefs: 0432E117
154.82.85.79, xrefs: 0432E07B, 0432E0C3, 0432E121, 0432E1E5, 0432E253
18091, xrefs: 0432E08F, 0432E0D7, 0432E135, 0432E1CE, 0432E20C
154.82.85.79, xrefs: 0432E0B9
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0432DFDA
18091, xrefs: 0432E088
154.82.85.79, xrefs: 0432E071
IpDatespecial, xrefs: 0432E305

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$154.82.85.79$154.82.85.79$154.82.85.79$18091$18091$18092$Console$IpDatespecial
API String ID: 1511462596-2091554053
Opcode ID: 7767d5162235558d0e3ba002a212be26efa888af9d0219f2d0b4977fcfb7db1f
Instruction ID: da4e115d670166f3a450bc6f0a95c4a86723f11002e78fc70ebe1b54fa4f1809
Opcode Fuzzy Hash: 7767d5162235558d0e3ba002a212be26efa888af9d0219f2d0b4977fcfb7db1f
Instruction Fuzzy Hash: C5D1AEB4944350ABE320DF64D986ABB77BCFBC8B14F006A1DF55592280EB75B901CB62

Function 0432BC70 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 351
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 0432BC8F
GetDC.USER32(00000000), ref: 0432BC9C
CreateCompatibleDC.GDI32(00000000), ref: 0432BCA2
GetDC.USER32(00000000), ref: 0432BCAD
GetDeviceCaps.GDI32(00000000,00000008), ref: 0432BCBA
GetDeviceCaps.GDI32(00000000,00000076), ref: 0432BCC2
ReleaseDC.USER32(00000000,00000000), ref: 0432BCD3
GetSystemMetrics.USER32(0000004E), ref: 0432BCF8
GetSystemMetrics.USER32(0000004F), ref: 0432BD26
GetSystemMetrics.USER32(0000004C), ref: 0432BD78
GetSystemMetrics.USER32(0000004D), ref: 0432BD8D
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0432BDA6
SelectObject.GDI32(?,00000000), ref: 0432BDB4
SetStretchBltMode.GDI32(?,00000003), ref: 0432BDC0
GetSystemMetrics.USER32(0000004F), ref: 0432BDCD
GetSystemMetrics.USER32(0000004E), ref: 0432BDE0
StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0432BE07
_memset.LIBCMT ref: 0432BE7A
GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0432BE97
_memset.LIBCMT ref: 0432BEAF

Part of subcall function 0432F707: _malloc.LIBCMT ref: 0432F721

DeleteObject.GDI32(?), ref: 0432BF23
DeleteObject.GDI32(?), ref: 0432BF2D
ReleaseDC.USER32(00000000,?), ref: 0432BF39
DeleteObject.GDI32(?), ref: 0432BFDF
DeleteObject.GDI32(?), ref: 0432BFE9
ReleaseDC.USER32(00000000,?), ref: 0432BFF5

Strings

6, xrefs: 0432BE61
gfff, xrefs: 0432BD38
gfff, xrefs: 0432BD10
(, xrefs: 0432BE3E

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
String ID: ($6$gfff$gfff
API String ID: 3293817703-713438465
Opcode ID: 1e0c050462f9fe3476cfcedf07693701c3071e1a7295dcc7886d2334a5a09b7a
Instruction ID: f81da8a269ff7de3ec9965dccacf5404c66da8b5fb95ad9c04f36626f08a2cb0
Opcode Fuzzy Hash: 1e0c050462f9fe3476cfcedf07693701c3071e1a7295dcc7886d2334a5a09b7a
Instruction Fuzzy Hash: 90D16BB1E01318AFDB14DFE9E985AAEBBB9FF88300F145529F505AB240D774B901CB91

Function 6C1B56FA Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 558
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 6C1B5799
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 6C1B57FD
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 6C1B5827
CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?), ref: 6C1B5890
CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 6C1B58B8
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 6C1B59ED
CryptDestroyHash.ADVAPI32(?), ref: 6C1B59F8
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1B5A33
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1B5B7A
___std_exception_copy.LIBVCRUNTIME ref: 6C1B5B9E

Part of subcall function 6C30B6F1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1B22CA,?,?,?,6C1E5BF2,6C1B22CA,6C38B17C,?,6C1B22CA,string too long,6C1C6933), ref: 6C30B752

___std_exception_copy.LIBVCRUNTIME ref: 6C1B5D6D

Strings

X;4l, xrefs: 6C1B5D75

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Crypt$Hash$Context$DataParamRelease___std_exception_copy$AcquireCreateDestroyExceptionRaise
String ID: X;4l
API String ID: 1086747659-4176293028
Opcode ID: 61d878936093d1d3f0c1af5a015113e17d8a1f736e4361c6e070f0ac3a1a0bc0
Instruction ID: 6a9aae842f46c5f2ce1d119b6ab21a73b2a5fcee5d0b0df57bc8951686ec201f
Opcode Fuzzy Hash: 61d878936093d1d3f0c1af5a015113e17d8a1f736e4361c6e070f0ac3a1a0bc0
Instruction Fuzzy Hash: 89229CB2E112189FDB14CFA4CD89AAEBBB9EF49704F148229E805FB750D7749944CF90

Function 6C1B5DCB Relevance: 35.6, APIs: 17, Strings: 3, Instructions: 561
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C1B556C: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C1B55B5
Part of subcall function 6C1B556C: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C1B562D

CryptAcquireContextW.ADVAPI32 ref: 6C1B5EBA
CryptImportKey.ADVAPI32(?,?,00000014,00000000,00000000,?), ref: 6C1B5EFE
CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 6C1B5F16
CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 6C1B5F35
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 6C1B5FC1
CryptDestroyKey.ADVAPI32(?,?,?), ref: 6C1B5FCC
CryptReleaseContext.ADVAPI32(?,00000000,?,?), ref: 6C1B5FD6
___std_exception_copy.LIBVCRUNTIME ref: 6C1B6303
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1B632F
___std_exception_copy.LIBVCRUNTIME ref: 6C1B6356
CryptDestroyKey.ADVAPI32(?), ref: 6C1B6381
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1B638D
___std_exception_copy.LIBVCRUNTIME ref: 6C1B63B4

Part of subcall function 6C30B6F1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1B22CA,?,?,?,6C1E5BF2,6C1B22CA,6C38B17C,?,6C1B22CA,string too long,6C1C6933), ref: 6C30B752

Strings

X;4l, xrefs: 6C1B6462
ed__, xrefs: 6C1B5E29
Salt, xrefs: 6C1B5E22

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Crypt$Context$Release___std_exception_copy$BinaryDestroyParamString$AcquireDecryptExceptionImportRaise
String ID: Salt$X;4l$ed__
API String ID: 2404961614-4278597082
Opcode ID: 93935b5a5b37c18af8d99cdbfcf65de726862f8a77bbae1c94276934536bb6b4
Instruction ID: a68ffc219752b1832c3b7e24011fc45996a60c7c3b8575b21ddacedcf699ace4
Opcode Fuzzy Hash: 93935b5a5b37c18af8d99cdbfcf65de726862f8a77bbae1c94276934536bb6b4
Instruction Fuzzy Hash: F0229EB2E012189FEB18CF68CC55BAEBBB9EF55308F148269E805F7740E73599448F91

Function 6C1B7902 Relevance: 32.2, APIs: 9, Strings: 9, Instructions: 705fileCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C1B7A13
CopyFileA.KERNEL32(?,?,00000000), ref: 6C1B7C7C
_strlen.LIBCMT ref: 6C1B7CDA

Strings

.battor., xrefs: 6C1B8705
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C1B7C90
.bat, xrefs: 6C1B7910
.pid, xrefs: 6C1B84FF
cmd.exe /B /c "%s", xrefs: 6C1B79A2
.batkup., xrefs: 6C1B7CE4, 6C1B7EFD, 6C1B7F60, 6C1B7F3C, 6C1B7F72
itor, xrefs: 6C1B7918
tor., xrefs: 6C1B84F7
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C1B7F51

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: _strlen$CopyFile
String ID: .batkup.$.battor.$.bat$.pid$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$itor$tor.
API String ID: 2689559967-3443813646
Opcode ID: 0e4c008c9ca34d06b402bb0c26a320e789fd2a6f87b8197fe9bbde302edadf6e
Instruction ID: 1ef5c488d9a57b220ccc6603493b6c1aa13b4be4b4b7be33dac86293880c98be
Opcode Fuzzy Hash: 0e4c008c9ca34d06b402bb0c26a320e789fd2a6f87b8197fe9bbde302edadf6e
Instruction Fuzzy Hash: F752AEB1900B018BE325CF38C890796B7E5BF89318F144A2ED59A97B91EB34F585CF91

Function 6C1B7783 Relevance: 30.6, APIs: 9, Strings: 8, Instructions: 802COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C1B7A13

Strings

.battor., xrefs: 6C1B8705
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C1B7C90
.pid, xrefs: 6C1B84FF
cmd.exe /B /c "%s", xrefs: 6C1B79A2
.bat, xrefs: 6C1B78B8
.batkup., xrefs: 6C1B7CE4, 6C1B7EFD, 6C1B7F60, 6C1B7F3C, 6C1B7F72
tor., xrefs: 6C1B84F7
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C1B7F51

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: _strlen
String ID: .batkup.$.battor.$.bat$.pid$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$tor.
API String ID: 4218353326-3685226845
Opcode ID: 5b3818781bf766f8bbf44993bdba6f4c0506c38b3f3e9cf54d5b8d8c0c6901cb
Instruction ID: b3e4059851dc31664f5813e3b134e9a1a44b170e4a872b3470e4a9b4d7482fb5
Opcode Fuzzy Hash: 5b3818781bf766f8bbf44993bdba6f4c0506c38b3f3e9cf54d5b8d8c0c6901cb
Instruction Fuzzy Hash: FD629DB1900B018BE725CF38C8907A6B7E5BF89314F144A2ED5AA97B81EB34F545CF91

Function 6C1C1991 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1074processfilesleepCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(?,00000000), ref: 6C1C1A1B
_strlen.LIBCMT ref: 6C1C1CD9
WinExec.KERNEL32(?,00000000), ref: 6C1C1F8C
Sleep.KERNEL32(00007530), ref: 6C1C1F97
_strlen.LIBCMT ref: 6C1C1FC2
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 6C1C2073
_strlen.LIBCMT ref: 6C1C20D8
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 6C1C2188
DeleteFileA.KERNEL32(?), ref: 6C1C21E4
DeleteFileA.KERNEL32(?), ref: 6C1C21FE

Strings

&, xrefs: 6C1C2911
%, xrefs: 6C1C275C

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: File$_strlen$AttributesDeleteExec$Sleep
String ID: %$&
API String ID: 4120753353-3793893698
Opcode ID: 47d3ed332570fb736e345975b37d9a73acf477e486e007fd8c93ccf0cb8b498e
Instruction ID: 04057ff9abb62e0ad4c228942364a70501577e7283bf68498d0dc64c70d29b78
Opcode Fuzzy Hash: 47d3ed332570fb736e345975b37d9a73acf477e486e007fd8c93ccf0cb8b498e
Instruction Fuzzy Hash: 9F82F7B2E001248FDB28CF64CC987DDB7B2AF55318F154268E519B7780DB789E858F92

Function 043280F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 04328132
lstrcmpiW.KERNEL32(?,A:\), ref: 04328166
lstrcmpiW.KERNEL32(?,B:\), ref: 04328176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 043281A6
lstrlenW.KERNEL32(?), ref: 043281B7
__wcsnicmp.LIBCMT ref: 043281CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 04328204
lstrcpyW.KERNEL32(?,?), ref: 04328228
lstrcatW.KERNEL32(?,00000000), ref: 04328233

Strings

A:\, xrefs: 04328160
B:\, xrefs: 04328170

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: 4a964ae0f662ac3420bccbbcd7d019405f68c6479852ec62c763073b9e347877
Instruction ID: 4b922c674e654720d7c2f26c52f3941eddb7365bfa3bff944f4be44c4cfd0ffc
Opcode Fuzzy Hash: 4a964ae0f662ac3420bccbbcd7d019405f68c6479852ec62c763073b9e347877
Instruction Fuzzy Hash: 72414375A012289BDB14DFA4DD44AEEB3BCEF88714F005199EA19A3140EB74BA05CB94

Function 04326790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04325320: InterlockedDecrement.KERNEL32(00000008), ref: 0432536F
Part of subcall function 04325320: SysFreeString.OLEAUT32(00000000), ref: 04325384
Part of subcall function 04325320: SysAllocString.OLEAUT32(04345148), ref: 043253D5

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,04345148,043269A4,04345148,00000000,75BF73E0), ref: 043267F4
GetLastError.KERNEL32 ref: 043267FE
GetProcessHeap.KERNEL32(00000008,?), ref: 04326816
HeapAlloc.KERNEL32(00000000), ref: 0432681D
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0432683F
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 04326871
GetLastError.KERNEL32 ref: 0432687B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 043268E6
HeapFree.KERNEL32(00000000), ref: 043268ED

Strings

NONE_MAPPED, xrefs: 04326888

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
String ID: NONE_MAPPED
API String ID: 1317816589-2950899194
Opcode ID: f5f2f02ea41c55fcd70c9cf8a468a0c7f5f961e65c99016b5ed90ad826d94cde
Instruction ID: 9c1fd350acaa9fcb4e13560661514ee8cd8a7ae5f7f6327cfeebb4567c066da0
Opcode Fuzzy Hash: f5f2f02ea41c55fcd70c9cf8a468a0c7f5f961e65c99016b5ed90ad826d94cde
Instruction Fuzzy Hash: EF4161B5A00228ABDB209B64DD45FFF77BCEFC8704F406499F709A6140DA74AE858F60

Function 04326C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 04326C8B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 04326CAA
_memset.LIBCMT ref: 04326CE1
GlobalMemoryStatusEx.KERNEL32(?), ref: 04326CF4
swprintf.LIBCMT ref: 04326D39
swprintf.LIBCMT ref: 04326D4C

Strings

:, xrefs: 04326C80
%sFree%d Gb , xrefs: 04326D41
HDD:%d, xrefs: 04326D2E
@, xrefs: 04326CED

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3202570353-3501811827
Opcode ID: 49cd42903147316b884846089d1bf03121b3c833cfb09c74077302ea1fe3ddae
Instruction ID: acb3d960cb3636ef8798340c90871042c469e31c2a88124016ed247720069fc1
Opcode Fuzzy Hash: 49cd42903147316b884846089d1bf03121b3c833cfb09c74077302ea1fe3ddae
Instruction Fuzzy Hash: 58313EB6E0021CABDB14CFE5CC45BEEB7B9FF88700F50521DE91AA7241DA746905CB50

Function 04326EE0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI(0434579C,?,45F3111E,74DEDF80,00000000,75BF73E0), ref: 04326F4A
swprintf.LIBCMT ref: 0432711E
std::_Xinvalid_argument.LIBCPMT ref: 043271C7

Strings

%s%s %d*%d , xrefs: 04327337
vector<T> too long, xrefs: 043271C2
%s%s %d %d , xrefs: 04327113

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CreateFactoryXinvalid_argumentstd::_swprintf
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 3803070356-257307503
Opcode ID: 6a20af08e643b24c3e5c3c4f0cca899dd9c4b047244e3f7bb1987883150e3d07
Instruction ID: 223202a646ff4cf84235db677e42a3dd7b4d1bc826f382de3858f14278179f7a
Opcode Fuzzy Hash: 6a20af08e643b24c3e5c3c4f0cca899dd9c4b047244e3f7bb1987883150e3d07
Instruction Fuzzy Hash: 49E15471A012359FDF24CE64CD81BEEB375BF89700F1456A9E919A7284D730BE818F91

Function 6C1C5103 Relevance: 15.5, APIs: 10, Instructions: 547processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C1C5111
Process32FirstW.KERNEL32(00000000,?), ref: 6C1C5148
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000002,00000000), ref: 6C1C5176
_strlen.LIBCMT ref: 6C1C518D
Process32NextW.KERNEL32(?,?), ref: 6C1C52AE
CloseHandle.KERNEL32(00000000,?,00000002,00000000), ref: 6C1C52BC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 6C1C52D2
SHGetFolderPathA.SHELL32 ref: 6C1C532D
_strlen.LIBCMT ref: 6C1C534B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CloseHandleProcess32_strlen$ByteCharCreateFirstFolderMultiNextPathSnapshotToolhelp32Wide
String ID:
API String ID: 2690550405-0
Opcode ID: 0566080c19302e38227f669dbc7151bd6f82d3e6ff23a34c7cc8f0cfc055ae94
Instruction ID: f0820816d24f39527c14bd159cb0d94ae4a820a28b80ac96433885ba5f2b488d
Opcode Fuzzy Hash: 0566080c19302e38227f669dbc7151bd6f82d3e6ff23a34c7cc8f0cfc055ae94
Instruction Fuzzy Hash: C0120772F012148BDB10CF68CC907DEB7F6EF99324F254628F855A7781EB3899458B52

Function 6C1C5C94 Relevance: 14.3, APIs: 9, Instructions: 769comCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 6C1C5E3E
SHGetFolderPathA.SHELL32 ref: 6C1C5E61
_strlen.LIBCMT ref: 6C1C5E7F
GetFileAttributesA.KERNEL32(?), ref: 6C1C6434
CoInitialize.OLE32(00000000), ref: 6C1C648E
CoCreateInstance.OLE32(6C348C90,00000000,00000001,6C345330,00000000), ref: 6C1C64A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6C1C64D4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C1C6570
CoUninitialize.COMBASE ref: 6C1C6594

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize_strlen
String ID:
API String ID: 1074249417-0
Opcode ID: b33c1b09cceebc464c9d5b511581cd68922f105db02675a8fe79e9ef2da990d4
Instruction ID: db6df2b51be5ddb02f8d23b4fe97548fcd1c0511de6cc1c0af327bc3add35f9b
Opcode Fuzzy Hash: b33c1b09cceebc464c9d5b511581cd68922f105db02675a8fe79e9ef2da990d4
Instruction Fuzzy Hash: 6E52C2B1E002188FDB14CF68CC947EEBBB5FF59318F144269E519E7780EB3899858B52

Function 04326050 Relevance: 9.1, APIs: 6, Instructions: 86processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0432607C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04326088
Process32FirstW.KERNEL32(00000000,00000000), ref: 043260B9
Process32NextW.KERNEL32(00000000,0000022C), ref: 0432610F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 04326116

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: 341b104eea3e70e7e80d9767d751aa45225d6c0c3b52bee31a76179892b00277
Instruction ID: 617d3eb3c940a62ac7c42cc6227b3d1be1f75bd4645adf5b5ec2d619d72fd2c5
Opcode Fuzzy Hash: 341b104eea3e70e7e80d9767d751aa45225d6c0c3b52bee31a76179892b00277
Instruction Fuzzy Hash: 4C21A631604134ABDB20EF64DD56BFA7379EF58714F005299ED1A96180EF35BA04D650

Function 04322FD0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 04323043
recv.WS2_32(?,?,00040000,00000000), ref: 04323064

Part of subcall function 0432F91B: __getptd_noexit.LIBCMT ref: 0432F91B

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 71ab5a3c916bd0fa6b22f0c55e67d6fb60d72f4a012469e970627d7ec564b169
Instruction ID: a82822f15e69f66b34744ac22298b4619ddfb8aa5976325a584a65d00ac6c6c6
Opcode Fuzzy Hash: 71ab5a3c916bd0fa6b22f0c55e67d6fb60d72f4a012469e970627d7ec564b169
Instruction Fuzzy Hash: E721F670600228AFEB20EF79DE85B9B73B4EF04714F0495A5E9056B180D774BD84CBB1

Function 6C1E7C58 Relevance: 70.4, APIs: 34, Strings: 6, Instructions: 356
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1E7C62

Part of subcall function 6C1CD1DC: __EH_prolog3.LIBCMT ref: 6C1CD1E3
Part of subcall function 6C1CD1DC: GetWindowDC.USER32(00000000,00000004,6C1E78A0,00000000), ref: 6C1CD20F

GetDeviceCaps.GDI32(?,00000058), ref: 6C1E7C82
DeleteObject.GDI32(00000000), ref: 6C1E7CDE
DeleteObject.GDI32(00000000), ref: 6C1E7CFC
DeleteObject.GDI32(00000000), ref: 6C1E7D1A
DeleteObject.GDI32(00000000), ref: 6C1E7D38
DeleteObject.GDI32(00000000), ref: 6C1E7D56
DeleteObject.GDI32(00000000), ref: 6C1E7D74
DeleteObject.GDI32(00000000), ref: 6C1E7D92
DeleteObject.GDI32(00000000), ref: 6C1E7DB0
DeleteObject.GDI32(00000000), ref: 6C1E7DCE
DeleteObject.GDI32(00000000), ref: 6C1E7DEC
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C1E7E24
lstrcpyW.KERNEL32(?,?), ref: 6C1E7E79
EnumFontFamiliesW.GDI32(?,00000000,6C1E8905,Segoe UI), ref: 6C1E7EA0
lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C1E7EB3
EnumFontFamiliesW.GDI32(?,00000000,6C1E8905,Tahoma), ref: 6C1E7ED1
lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C1E7EEB
CreateFontIndirectW.GDI32(?), ref: 6C1E7EF5
CreateFontIndirectW.GDI32(?), ref: 6C1E7F3D
CreateFontIndirectW.GDI32(?), ref: 6C1E7F7C
CreateFontIndirectW.GDI32(?), ref: 6C1E7FA8
CreateFontIndirectW.GDI32(?), ref: 6C1E7FC9
GetSystemMetrics.USER32(00000048), ref: 6C1E7FE8
lstrcpyW.KERNEL32(?,Marlett), ref: 6C1E7FFB
CreateFontIndirectW.GDI32(?), ref: 6C1E8005
GetStockObject.GDI32(00000011), ref: 6C1E8031
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C1E804C
lstrcpyW.KERNEL32(?,Arial), ref: 6C1E808D
CreateFontIndirectW.GDI32(?), ref: 6C1E8097
CreateFontIndirectW.GDI32(?), ref: 6C1E80B0
GetObjectW.GDI32(?,0000005C,?), ref: 6C1E80CE
CreateFontIndirectW.GDI32(?), ref: 6C1E80DC
CreateFontIndirectW.GDI32(?), ref: 6C1E80FD

Part of subcall function 6C1E874A: __EH_prolog3_GS.LIBCMT ref: 6C1E8751
Part of subcall function 6C1E874A: GetTextMetricsW.GDI32(?,?), ref: 6C1E8786
Part of subcall function 6C1E874A: GetTextMetricsW.GDI32(?,?), ref: 6C1E87C6

Strings

MS Sans Serif, xrefs: 6C1E7EE5
Marlett, xrefs: 6C1E7FF5
Arial, xrefs: 6C1E807D
Segoe UI, xrefs: 6C1E7E8E, 6C1E7EAA
D}4l, xrefs: 6C1E8151
Tahoma, xrefs: 6C1E7EBF, 6C1E7EDE

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
String ID: Arial$D}4l$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 2837096512-749692918
Opcode ID: ba4f139090c80045c7a232696f6aee4e735591f61214ac938b85635cef9d99ae
Instruction ID: 2c727bdcb2a181e281703be4d9723688c00eb700635c0927ad8ca1f62cb65d0a
Opcode Fuzzy Hash: ba4f139090c80045c7a232696f6aee4e735591f61214ac938b85635cef9d99ae
Instruction Fuzzy Hash: CDE17E70A017489FEF11DBB4C858BEEB7BDAF1A308F00855AE41AE7681EB389545CF51

Function 6C1E783A Relevance: 64.8, APIs: 43, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C1E7841
GetSysColor.USER32(00000016), ref: 6C1E784A
GetSysColor.USER32(0000000F), ref: 6C1E785D
GetSysColor.USER32(00000015), ref: 6C1E7874
GetSysColor.USER32(0000000F), ref: 6C1E7880
GetDeviceCaps.GDI32(?,0000000C), ref: 6C1E78A8
GetSysColor.USER32(0000000F), ref: 6C1E78B6
GetSysColor.USER32(00000010), ref: 6C1E78C4
GetSysColor.USER32(00000015), ref: 6C1E78D2
GetSysColor.USER32(00000016), ref: 6C1E78E0
GetSysColor.USER32(00000014), ref: 6C1E78EE
GetSysColor.USER32(00000012), ref: 6C1E78FC
GetSysColor.USER32(00000011), ref: 6C1E790A
GetSysColor.USER32(00000006), ref: 6C1E7915
GetSysColor.USER32(0000000D), ref: 6C1E7920
GetSysColor.USER32(0000000E), ref: 6C1E792B
GetSysColor.USER32(00000005), ref: 6C1E7936
GetSysColor.USER32(00000008), ref: 6C1E7944
GetSysColor.USER32(00000009), ref: 6C1E794F
GetSysColor.USER32(00000007), ref: 6C1E795A
GetSysColor.USER32(00000002), ref: 6C1E7965
GetSysColor.USER32(00000003), ref: 6C1E7970
GetSysColor.USER32(0000001B), ref: 6C1E797E
GetSysColor.USER32(0000001C), ref: 6C1E798C
GetSysColor.USER32(0000000A), ref: 6C1E799A
GetSysColor.USER32(0000000B), ref: 6C1E79A8
GetSysColor.USER32(00000013), ref: 6C1E79B6
GetSysColor.USER32(0000001A), ref: 6C1E79DF
GetSysColorBrush.USER32(00000010), ref: 6C1E79F0
GetSysColorBrush.USER32(00000014), ref: 6C1E7A03
GetSysColorBrush.USER32(00000005), ref: 6C1E7A16
CreateSolidBrush.GDI32(?), ref: 6C1E7A37
CreateSolidBrush.GDI32(?), ref: 6C1E7A55
CreateSolidBrush.GDI32(?), ref: 6C1E7A73
CreateSolidBrush.GDI32(?), ref: 6C1E7A94
CreateSolidBrush.GDI32(?), ref: 6C1E7AB2
CreateSolidBrush.GDI32(?), ref: 6C1E7AD0
CreateSolidBrush.GDI32(?), ref: 6C1E7AEE
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C1E7B14
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C1E7B38
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C1E7B5C
CreateSolidBrush.GDI32(?), ref: 6C1E7BDA
CreatePatternBrush.GDI32(00000000), ref: 6C1E7C18

Part of subcall function 6C1CC4FE: DeleteObject.GDI32(00000000), ref: 6C1CC50D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 619716b0a0587b94b8dfeb679a392df105a1f15db75028f785b286f5508f3cd0
Instruction ID: 864832533e13ea67557faa03ec970468957586f538703fbdc8f2cdcf4ddcf34b
Opcode Fuzzy Hash: 619716b0a0587b94b8dfeb679a392df105a1f15db75028f785b286f5508f3cd0
Instruction Fuzzy Hash: C5C1D670B02B06AFEB05AFB488187DCBBB5BF1A701F044119E616D7A80CBB89565DBD1

Function 100054C0 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 263
registrymemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
_memset.LIBCMT ref: 10005548
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
RegCloseKey.ADVAPI32(?), ref: 100055B1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 10005605
_memset.LIBCMT ref: 10005669
_memset.LIBCMT ref: 1000568D
_memset.LIBCMT ref: 1000569F
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
RegCloseKey.KERNEL32(?), ref: 100057CE
Sleep.KERNEL32(00000BB8), ref: 100057FE

Strings

l, xrefs: 10005644
e, xrefs: 100054DC
_, xrefs: 1000564E
i, xrefs: 10005658
0d3b34577c0a66584d5bdc849e214016, xrefs: 100055BA
9e9e85e05ee16fc372a0c7df6549fbd4, xrefs: 10005528, 1000555D, 100057A6, 100057BE
!jWW, xrefs: 10005630
{vU_, xrefs: 10005626
Console\0, xrefs: 100054F3, 1000578F
., xrefs: 1000563A

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
API String ID: 354323817-737951744
Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

Function 04329E50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 314
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04329E7B
GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04329EFC
GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04329F24
GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 04329F7F
_malloc.LIBCMT ref: 04329FC0

Part of subcall function 0432F673: __FF_MSGBANNER.LIBCMT ref: 0432F68C
Part of subcall function 0432F673: __NMSG_WRITE.LIBCMT ref: 0432F693
Part of subcall function 0432F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04334500,00000000,00000001,00000000,?,04338DE6,00000018,04346448,0000000C,04338E76), ref: 0432F6B8

_free.LIBCMT ref: 0432A000
GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0432A028
SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0432A0B7
GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0432A112
_free.LIBCMT ref: 0432A134
_memcpy_s.LIBCMT ref: 0432A183
GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0432A1D0
GdipCreateBitmapFromScan0.GDIPLUS(?,?,04345A78,00022009,?,00000000,?,00000000), ref: 0432A22C
GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0432A24C
GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0432A267
GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0432A274
GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0432A27B
_free.LIBCMT ref: 0432A296

Strings

&, xrefs: 04329EE1

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
String ID: &
API String ID: 640422297-3042966939
Opcode ID: c757035e53cac9aaa555b6d883d04d0d60ae4a6f772152d49927cd7342abd222
Instruction ID: d1a70daec0f2b983dd62b3c0bd85a27cfeeed9b7ace574f884be0ecfc9e8a578
Opcode Fuzzy Hash: c757035e53cac9aaa555b6d883d04d0d60ae4a6f772152d49927cd7342abd222
Instruction Fuzzy Hash: F3D143F1A006299FDB20DF55DD80BAAB7B8FF48304F0095A9E609A7201D774BE85CF65

Function 04322DA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 04322DBB
InterlockedExchange.KERNEL32(?,00000000), ref: 04322DC7
timeGetTime.WINMM ref: 04322DCD
socket.WS2_32(00000002,00000001,00000006), ref: 04322DFA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 04322E26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04322E32
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 04322E51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 04322E5D
gethostbyname.WS2_32(00000000), ref: 04322E6B
htons.WS2_32(?), ref: 04322E8D
connect.WS2_32(?,?,00000010), ref: 04322EAB

Strings

0u, xrefs: 04322F1C

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 74386bf5f15011f5eca9909d63fd8a4ad3a9b7b24977d1b9467015a76543de2b
Instruction ID: 4a3f47180aae980e5112a6bc868c1b6012db1af43f42872c295464e9a3cdd48b
Opcode Fuzzy Hash: 74386bf5f15011f5eca9909d63fd8a4ad3a9b7b24977d1b9467015a76543de2b
Instruction Fuzzy Hash: EF618BB1A40304AFE720DFA4DD45FABB7B8FF4CB10F105559F656A7280DAB4B8048B64

Function 10002D80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 10002D9B
InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
timeGetTime.WINMM ref: 10002DAD
socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
gethostbyname.WS2_32(00000000), ref: 10002E4B
htons.WS2_32(?), ref: 10002E6D
connect.WS2_32(?,?,00000010), ref: 10002E8B

Strings

0u, xrefs: 10002EFC

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

Function 04326A70 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(75BF73E0), ref: 04326A94
wsprintfW.USER32 ref: 04326AA7

Part of subcall function 04326910: GetCurrentProcessId.KERNEL32(45F3111E,00000000,00000000,75BF73E0,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 04326938
Part of subcall function 04326910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 04326947
Part of subcall function 04326910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 04326960
Part of subcall function 04326910: CloseHandle.KERNEL32(00000000,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 0432696B

_memset.LIBCMT ref: 04326AC2
GetVersionExW.KERNEL32(?), ref: 04326ADB
GetCurrentProcess.KERNEL32(00000008,?), ref: 04326B12
OpenProcessToken.ADVAPI32(00000000), ref: 04326B19
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04326B3F
GetLastError.KERNEL32 ref: 04326B49
LocalAlloc.KERNEL32(00000040,?), ref: 04326B5D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 04326B85
GetSidSubAuthorityCount.ADVAPI32 ref: 04326B98
GetSidSubAuthority.ADVAPI32(00000000), ref: 04326BA6
LocalFree.KERNEL32(?), ref: 04326BB5
CloseHandle.KERNEL32(?), ref: 04326BC2
wsprintfW.USER32 ref: 04326C1B

Strings

NO/, xrefs: 04326BDF
-N/, xrefs: 04326BEF
None/%s, xrefs: 04326BE7

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 3036438616-3095023699
Opcode ID: f631f3d0287da1a3b38cf05b061b70900cb7fb3b40b2be5b9790ad65b1c31a4e
Instruction ID: 6f299bddab06dbc3643fb02e878c6644aec43f6a32834e81b4ff6188c633ba06
Opcode Fuzzy Hash: f631f3d0287da1a3b38cf05b061b70900cb7fb3b40b2be5b9790ad65b1c31a4e
Instruction Fuzzy Hash: A0419274A00234ABDB249B619E8AFEB76BCEF4D744F006095F605A6241DA34FD90CBA1

Function 0432AD10 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 346
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0432AD53
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0432AD73

Strings

Console, xrefs: 0432AD39
Console\0, xrefs: 0432B0DC
%s_bin, xrefs: 0432AE33
IpDatespecial, xrefs: 0432AD6D

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: OpenQueryValue
String ID: %s_bin$Console$Console\0$IpDatespecial
API String ID: 4153817207-1338088003
Opcode ID: f053874c9f0d3eba8f4e19c99f508bec0cd564cab5621ed69151be23fe01246e
Instruction ID: 8f2c643241efb8c71d5c7bcb715ee6529c800364cf42d8a5bd80c21178c2028d
Opcode Fuzzy Hash: f053874c9f0d3eba8f4e19c99f508bec0cd564cab5621ed69151be23fe01246e
Instruction Fuzzy Hash: E6C1B2B1A00310ABE710EF24DD46F6B73A9FF94718F045528F949AB281E775F905CBA2

Function 04326150 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 222
stringcomregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0432618B
lstrcatW.KERNEL32(04351F10,0434510C,?,45F3111E,00000AD4,00000000,75BF73E0), ref: 043261CD
lstrcatW.KERNEL32(04351F10,0434535C,?,45F3111E,00000AD4,00000000,75BF73E0), ref: 043261D9
CoCreateInstance.OLE32(04342480,00000000,00000017,0434578C,?,?,45F3111E,00000AD4,00000000,75BF73E0), ref: 04326220
_memset.LIBCMT ref: 043262CE
wsprintfW.USER32 ref: 04326336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0432635F
_memset.LIBCMT ref: 04326376

Part of subcall function 04326050: _memset.LIBCMT ref: 0432607C
Part of subcall function 04326050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 04326088

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 04326330
Windows Defender IOfficeAntiVirus implementation , xrefs: 04326186, 043261C8, 043261D4, 043263C9, 043263D5, 04326422, 04326436, 0432645A

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1221949200-1583895642
Opcode ID: e59a809a143b9c44fba6b794beaa0eeeed56c0904267ad0b997b5b40de552ccb
Instruction ID: 6c4204a91bd4a85dfbd90713fada61de56c91252adef6fc5f522c0ef297a4595
Opcode Fuzzy Hash: e59a809a143b9c44fba6b794beaa0eeeed56c0904267ad0b997b5b40de552ccb
Instruction Fuzzy Hash: FC815FB1A40268ABDB20DB54CC91FEEB7B8EF88704F545189F709A7151D674BE80CF64

Function 04325F40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88
sleepstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,2024.11.10), ref: 04325F66
GetLastError.KERNEL32 ref: 04325F6E
Sleep.KERNEL32(000003E8), ref: 04325F85
CreateMutexW.KERNEL32(00000000,00000000,2024.11.10), ref: 04325F90
GetLastError.KERNEL32 ref: 04325F92
_memset.LIBCMT ref: 04325FB9
lstrlenW.KERNEL32(?), ref: 04325FC6
lstrcmpW.KERNEL32(?,04345328), ref: 04325FED
Sleep.KERNEL32(000003E8), ref: 04325FF8
GetModuleHandleW.KERNEL32(00000000), ref: 04326005
GetConsoleWindow.KERNEL32 ref: 0432600F

Strings

open, xrefs: 04325FCD
2024.11.10, xrefs: 04325F5D, 04325F87
key, xrefs: 04325FD2

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
String ID: 2024.11.10$key$open
API String ID: 2922109467-3483727992
Opcode ID: bc1660df1b466f8dec1e53a6c599e033609e357f915369f87b9691be19ae6ffa
Instruction ID: 288f2e60a973181eee94569a0dbe1ac36eeaa8f83baabbbd0ab72f9d8d8d3339
Opcode Fuzzy Hash: bc1660df1b466f8dec1e53a6c599e033609e357f915369f87b9691be19ae6ffa
Instruction Fuzzy Hash: E821E476904315ABE610DBA0ED46BAA7398EFC8744F506819F604A71C0DA74FA05CBA3

Function 6C1C6BCA Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 523threadsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 6C1C6BEB
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C1C6C0D
_strlen.LIBCMT ref: 6C1C6C26

Part of subcall function 6C1B22C0: _strlen.LIBCMT ref: 6C1B230B

Part of subcall function 6C1C6707: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C1C6745
Part of subcall function 6C1C6707: _strlen.LIBCMT ref: 6C1C6759

CreateThread.KERNEL32(00000000,00000000,Function_00015A00,6C39DF78,00000000,00000000), ref: 6C1C70CB
CreateThread.KERNEL32(00000000,00000000,6C1C50F3,00000000,00000000,00000000), ref: 6C1C70DD
WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C1C70F3
CloseHandle.KERNEL32(00000000), ref: 6C1C7105
CreateThread.KERNEL32(00000000,00000000,6C1BF754,00000000,00000000,00000000), ref: 6C1C7250

Part of subcall function 6C1C3DE8: WSAStartup.WS2_32(00000202,?), ref: 6C1C3E03

Strings

te.d, xrefs: 6C1C71A8
Upda, xrefs: 6C1C71AF
Update.d, xrefs: 6C1C7286
Update.d, xrefs: 6C1C71E3, 6C1C7238, 6C1C71EC, 6C1C723B
dll, xrefs: 6C1C71A1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateModuleThread_strlen$FileHandleName$CloseObjectSingleStartupWait
String ID: Upda$Update.d$Update.d$dll$te.d
API String ID: 1548707355-244782202
Opcode ID: 2180d6dd3e6e07e87ebb1c3cf4ff807d06d08f30395af3a1d1ea05d80d37b0e1
Instruction ID: 0a620b5f5f068088896f820a787d976b6e3ca37ee40f09719a9966338befaa07
Opcode Fuzzy Hash: 2180d6dd3e6e07e87ebb1c3cf4ff807d06d08f30395af3a1d1ea05d80d37b0e1
Instruction Fuzzy Hash: BC0204B1E002089FDB10CF64CC947EEB7B9EF65318F154629F455E7780EB78A9488B92

Function 043262B6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 125stringregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 043262CE
wsprintfW.USER32 ref: 04326336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0432635F
_memset.LIBCMT ref: 04326376
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 043263B2
lstrcatW.KERNEL32(04351F10,?), ref: 043263CE
lstrcatW.KERNEL32(04351F10,0434535C), ref: 043263DA
RegCloseKey.ADVAPI32(00000000), ref: 043263E3
lstrlenW.KERNEL32(04351F10,?,45F3111E,00000AD4,00000000,75BF73E0), ref: 04326427
lstrcatW.KERNEL32(04351F10,043453D4,?,45F3111E,00000AD4,00000000,75BF73E0), ref: 0432643B

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 04326330
Windows Defender IOfficeAntiVirus implementation , xrefs: 043263C9, 043263D5, 04326422, 04326436, 0432645A

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1671694837-1583895642
Opcode ID: 87438569e9aa753099b23beb07089b37f1d121506c8f9959f487606565d88427
Instruction ID: 5d1324deb9f83f5c56152a8580229c26977e041febbe84fcea4b2c96a68bd0a6
Opcode Fuzzy Hash: 87438569e9aa753099b23beb07089b37f1d121506c8f9959f487606565d88427
Instruction Fuzzy Hash: D441A4F1A002686BDB24DB90CC51FEEB7B8AF88705F0051C9F749A7191DA74AA80CF64

Function 04327490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,04325611,0000035E,000002FA), ref: 0432749C
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 043274B2
swprintf.LIBCMT ref: 043274EF

Part of subcall function 04327410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04327523), ref: 0432743D
Part of subcall function 04327410: GetProcAddress.KERNEL32(00000000), ref: 04327444
Part of subcall function 04327410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04327523), ref: 04327452

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 04327547
RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 04327563
RegCloseKey.KERNEL32(000002FA), ref: 04327586
FreeLibrary.KERNEL32(00000000,?,?,?,04325611,0000035E,000002FA), ref: 04327598

Strings

ntdll.dll, xrefs: 04327497
ProductName, xrefs: 0432755D
%d.%d.%d, xrefs: 043274E7
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0432753D
RtlGetNtVersionNumbers, xrefs: 043274AC

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2158625971-3190923360
Opcode ID: 91a5b7c6bbfc095591f319bba2bdc9ad3d24d29f0791232f5a1902a0bdd4ef51
Instruction ID: 529f91f42032a0aec29c21e4119fd2a84ea298b61e27eb3629cda2935ff4bb4e
Opcode Fuzzy Hash: 91a5b7c6bbfc095591f319bba2bdc9ad3d24d29f0791232f5a1902a0bdd4ef51
Instruction Fuzzy Hash: CD31B675A40219BBE714DBA4DD45FFFBBBCEF88740F141559BA06A6140EA74FA00CBA0

Function 0432C060 Relevance: 19.7, APIs: 13, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,45F3111E,?,00000000,?), ref: 0432C09E
GlobalLock.KERNEL32(00000000), ref: 0432C0AA
GlobalUnlock.KERNEL32(00000000), ref: 0432C0BF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0432C0D5
EnterCriticalSection.KERNEL32(0434FB64), ref: 0432C113
LeaveCriticalSection.KERNEL32(0434FB64), ref: 0432C124

Part of subcall function 04329DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04329E04
Part of subcall function 04329DE0: GdipDisposeImage.GDIPLUS(?), ref: 04329E18

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0432C14C

Part of subcall function 0432A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0432A48D
Part of subcall function 0432A460: _free.LIBCMT ref: 0432A503

GetHGlobalFromStream.OLE32(?,?), ref: 0432C16D
GlobalLock.KERNEL32(?), ref: 0432C177
GlobalFree.KERNEL32(00000000), ref: 0432C18F

Part of subcall function 04329BA0: DeleteObject.GDI32(?), ref: 04329BD2
Part of subcall function 04329BA0: EnterCriticalSection.KERNEL32(0434FB64,?,?,?,04329B7B), ref: 04329BE3
Part of subcall function 04329BA0: EnterCriticalSection.KERNEL32(0434FB64,?,?,?,04329B7B), ref: 04329BF8
Part of subcall function 04329BA0: GdiplusShutdown.GDIPLUS(00673A16,?,?,?,04329B7B), ref: 04329C04
Part of subcall function 04329BA0: LeaveCriticalSection.KERNEL32(0434FB64,?,?,?,04329B7B), ref: 04329C15
Part of subcall function 04329BA0: LeaveCriticalSection.KERNEL32(0434FB64,?,?,?,04329B7B), ref: 04329C1C

GlobalSize.KERNEL32(00000000), ref: 0432C1A5
GlobalUnlock.KERNEL32(?), ref: 0432C221
GlobalFree.KERNEL32(00000000), ref: 0432C249

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
String ID:
API String ID: 1483550337-0
Opcode ID: fcbda059fddb32fbed8c6bafb485b1c47f60fabc8b1e58b669df1b938e931998
Instruction ID: ba095a7bc736e58103ab110272fd651fe05f651b0002387bd7bcd98b171260ce
Opcode Fuzzy Hash: fcbda059fddb32fbed8c6bafb485b1c47f60fabc8b1e58b669df1b938e931998
Instruction Fuzzy Hash: 2E6118B5D00218AFDB10EFE9D9849EEBBB8FF89714F20952AF515A7240DB34A901CF50

Function 04326490 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 043264C2
RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 043264E2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 04326524
_memset.LIBCMT ref: 04326560
_memset.LIBCMT ref: 0432658E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 043265BA
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 043265C3
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 043265D5
RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 04326625
lstrlenW.KERNEL32(?), ref: 04326635

Strings

Software\Tencent\Plugin\VAS, xrefs: 043264D8

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: 2d3b2b8d688a2d3319a4b7bcec19dfd274cbfbf0c4dd20f73f60014cf36ee84e
Instruction ID: 6d9817b54e1b4109e54c10f3348c0097030be11a351d9f4cd1b8797275d9bfa6
Opcode Fuzzy Hash: 2d3b2b8d688a2d3319a4b7bcec19dfd274cbfbf0c4dd20f73f60014cf36ee84e
Instruction Fuzzy Hash: AC4175F5A40228ABE724DB50CD85FEA737CDF48704F0055D9F709B6041EA74BA858F64

Function 0432A460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0432A48D
_malloc.LIBCMT ref: 0432A4D1
_free.LIBCMT ref: 0432A503
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0432A522
GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0432A594
GdipDisposeImage.GDIPLUS(00000000), ref: 0432A59F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0432A5C5
GdipDisposeImage.GDIPLUS(00000000), ref: 0432A5DD

Strings

&, xrefs: 0432A579

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
String ID: &
API String ID: 2794124522-3042966939
Opcode ID: 7c1f014b0619718cc5d57747781ebe44e95519f227b38c4988a823194ef01cb1
Instruction ID: 941215f4243bbfe0698f43fcf0bea7e6cf3cd8b896a17fb28915fd4ac51a57b8
Opcode Fuzzy Hash: 7c1f014b0619718cc5d57747781ebe44e95519f227b38c4988a823194ef01cb1
Instruction Fuzzy Hash: A15163B2A006259FDB04EFA4D944AEFB7B8EF48354F10A159E905A7250D734F905CFE1

Function 100052B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

SOFTWARE, xrefs: 10005378
IpDates_info, xrefs: 1000538C, 100053AA

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2

Function 100052D9 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

SOFTWARE, xrefs: 10005378
IpDates_info, xrefs: 1000538C, 100053AA

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761

Function 6C1EE7AD Relevance: 15.1, APIs: 10, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C1DDB74,?,6C1D26E9,?,6C1DD034), ref: 6C1EE7BE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,?,?,6C1DDB74,?,6C1D26E9,?,6C1DD034), ref: 6C1EE830
GlobalHandle.KERNEL32(?), ref: 6C1EE83A
GlobalUnlock.KERNEL32(00000000), ref: 6C1EE84C
GlobalReAlloc.KERNEL32(?,00000000), ref: 6C1EE867
GlobalLock.KERNEL32(00000000), ref: 6C1EE872
LeaveCriticalSection.KERNEL32(?), ref: 6C1EE8BF
GlobalHandle.KERNEL32(?), ref: 6C1EE8D3
GlobalLock.KERNEL32(00000000), ref: 6C1EE8DE
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C1DDB74,?,6C1D26E9,?,6C1DD034,8BAE044A), ref: 6C1EE8ED

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 64985d9b777984e2f47d7e23cb5d84406d47053d3e7e55997edce358ac79aafc
Instruction ID: df7937d83f0d4352e8690ccb626798e19176a52805c7effb97d7afd613a90934
Opcode Fuzzy Hash: 64985d9b777984e2f47d7e23cb5d84406d47053d3e7e55997edce358ac79aafc
Instruction Fuzzy Hash: 50419471601A15EFEB048F64C884F99B7F8FF0A305F104169E416D7950DB70EA64DBD1

Function 6C331B6E Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C331F73: CreateFileW.KERNEL32(6C1C6E59,00000000,?,6C331C17,?,?,00000000,?,6C331C17,6C1C6E59,0000000C), ref: 6C331F90

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C331C82
__dosmaperr.LIBCMT ref: 6C331C89
GetFileType.KERNEL32(00000000), ref: 6C331C95
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C331C9F
__dosmaperr.LIBCMT ref: 6C331CA8
CloseHandle.KERNEL32(00000000), ref: 6C331CC8
CloseHandle.KERNEL32(6C328E1C), ref: 6C331E15
GetLastError.KERNEL32 ref: 6C331E47
__dosmaperr.LIBCMT ref: 6C331E4E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 4d1c7b21cbadd04190b355e0d2a603dbc60405fc1d16421bf723c9b0600db68a
Instruction ID: 6cfe082ddd9314db8476354243b1b671f4db7df5acab0216d598129595d6ef5a
Opcode Fuzzy Hash: 4d1c7b21cbadd04190b355e0d2a603dbc60405fc1d16421bf723c9b0600db68a
Instruction Fuzzy Hash: D5A17632B141A49FCF099F68DC55BAD7BB4AB47328F14024DE858AB790D736C816CF92

Function 0432CA70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,043412F8,45F3111E,00000001,00000000,00000000), ref: 0432CAB1
RegQueryInfoKeyW.ADVAPI32(043412F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0432CAE0
_memset.LIBCMT ref: 0432CB44
_memset.LIBCMT ref: 0432CB53
RegEnumValueW.KERNEL32(043412F8,?,00000000,?,00000000,?,00000000,?), ref: 0432CB72

Part of subcall function 0432F707: _malloc.LIBCMT ref: 0432F721

Part of subcall function 0432F707: std::exception::exception.LIBCMT ref: 0432F756
Part of subcall function 0432F707: std::exception::exception.LIBCMT ref: 0432F770
Part of subcall function 0432F707: __CxxThrowException@8.LIBCMT ref: 0432F781

RegCloseKey.KERNEL32(043412F8,?,?,?,?,?,?,?,?,?,?,?,00000000,043412F8,000000FF), ref: 0432CC83

Strings

Console\0, xrefs: 0432CAA4

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
String ID: Console\0
API String ID: 1348767993-1253790388
Opcode ID: a2eb533a1b8e32d6e442778091dde41da693e57fd24538fe1f9da8ed69915459
Instruction ID: fe8a40ae672aa85402158506ab0e0cea92c731c881c6cb9ecdfb224e51269188
Opcode Fuzzy Hash: a2eb533a1b8e32d6e442778091dde41da693e57fd24538fe1f9da8ed69915459
Instruction Fuzzy Hash: 3061FCB5A00219AFDB04DFA8D981EEEB7B8FF48314F14556AE915A7241DB34A901CBA0

Function 0432BB00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0432F707: _malloc.LIBCMT ref: 0432F721

_memset.LIBCMT ref: 0432BB21
GetLastInputInfo.USER32(?), ref: 0432BB37
GetTickCount.KERNEL32 ref: 0432BB3D
wsprintfW.USER32 ref: 0432BB66
GetForegroundWindow.USER32 ref: 0432BB6F
GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0432BB83

Strings

%d min, xrefs: 0432BB60

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
String ID: %d min
API String ID: 3754759880-1947832151
Opcode ID: 9e93eec8f079c9231c0b93e980bd39a4d2757307a480e2b3667b035f0dfec2c1
Instruction ID: e55baaa336e1f25d78e460593316bbc1bfeb4322958d2f8f976ccbafb499d2f0
Opcode Fuzzy Hash: 9e93eec8f079c9231c0b93e980bd39a4d2757307a480e2b3667b035f0dfec2c1
Instruction Fuzzy Hash: 5441C4B5900128AFDB10DFA4D985EAFBBB8EF48710F049054F909AB355DA74BA00CBE1

Function 04326910 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(45F3111E,00000000,00000000,75BF73E0,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 04326938
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 04326947
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 04326960
CloseHandle.KERNEL32(00000000,?,00000000,043410DB,000000FF,?,04326AB3,00000000), ref: 0432696B
SysStringLen.OLEAUT32(00000000), ref: 043269BE
SysStringLen.OLEAUT32(00000000), ref: 043269CC
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,043410DB,000000FF), ref: 04326A2E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,043410DB,000000FF), ref: 04326A34

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CloseHandleProcess$OpenString$CurrentToken
String ID:
API String ID: 429299433-0
Opcode ID: 99ae4be7ceaaf794879a4a4531bc5e5449768a7ff387ceb4e49b7276fe8116e9
Instruction ID: 910edda04f88d310efaaa38a92f11f1725696499912f3f27c5f87b3d58afac73
Opcode Fuzzy Hash: 99ae4be7ceaaf794879a4a4531bc5e5449768a7ff387ceb4e49b7276fe8116e9
Instruction Fuzzy Hash: 2641B6B2D005389BDB10DFA8CD41AAEB7F8FF44714F145666E915F7240DB7579008BA0

Function 04326D70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04326DD9
RegOpenKeyExW.KERNEL32(80000001,04345164,00000000,00020019,75BF73E0), ref: 04326DFC
RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 04326E4A
lstrcmpW.KERNEL32(?,04345148), ref: 04326E60
lstrcpyW.KERNEL32(043256EA,?), ref: 04326E72

Strings

GROUP, xrefs: 04326E42

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: OpenQueryValue_memsetlstrcmplstrcpy
String ID: GROUP
API String ID: 2102619503-2593425013
Opcode ID: 7422584eb8c6fbaf985000b1a41ca6e5feae56b158ac2816112fdfc2e18a5a30
Instruction ID: 3b151bfd6c999368947f5d5faff44a9fde25c8fccad8eb8ec9cb64116a1d942d
Opcode Fuzzy Hash: 7422584eb8c6fbaf985000b1a41ca6e5feae56b158ac2816112fdfc2e18a5a30
Instruction Fuzzy Hash: 9F318771900329ABDB60DF90EE89BDEB7B8FF48714F105299E515A7190DB78BA40CF90

Function 0432FA29 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0432FA4E
__calloc_crt.LIBCMT ref: 0432FA5A
__getptd.LIBCMT ref: 0432FA67
CreateThread.KERNEL32(00000000,00000000,0432F9C4,00000000,00000000,0432E003), ref: 0432FA9E
GetLastError.KERNEL32(?,00000000,?,?,0432E003,00000000,00000000,04325F40,00000000,00000000,00000000), ref: 0432FAA8
_free.LIBCMT ref: 0432FAB1
__dosmaperr.LIBCMT ref: 0432FABC

Part of subcall function 0432F91B: __getptd_noexit.LIBCMT ref: 0432F91B

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: a70d8cf0b3cc8645bce5363ad94ec5ad91f07b6ebb0297c83f60415fedad536a
Instruction ID: 687ed70318eaf296d893ebea97fc2c76342fe501e077d82f1c50cf26587af47b
Opcode Fuzzy Hash: a70d8cf0b3cc8645bce5363ad94ec5ad91f07b6ebb0297c83f60415fedad536a
Instruction Fuzzy Hash: C911A532204B26BFF711AFA9ED4099B37A8DF45778B106026F91597190DB71F8019F60

Function 1000721B Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10007240
__calloc_crt.LIBCMT ref: 1000724C
__getptd.LIBCMT ref: 10007259
CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
_free.LIBCMT ref: 100072A3
__dosmaperr.LIBCMT ref: 100072AE

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
Opcode Fuzzy Hash: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0

Function 04327410 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04327523), ref: 0432743D
GetProcAddress.KERNEL32(00000000), ref: 04327444
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04327523), ref: 04327452
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,04327523), ref: 0432745A

Strings

kernel32.dll, xrefs: 0432741D
GetNativeSystemInfo, xrefs: 04327418

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 21f58063fa034a27ff56525eb387a52504313d62ee52e1d17d2c64ffba8e0422
Instruction ID: 96c71f509c9ffba7af60307b3e2e6f5de79f50d4811d1eff9e55eceeb90da06f
Opcode Fuzzy Hash: 21f58063fa034a27ff56525eb387a52504313d62ee52e1d17d2c64ffba8e0422
Instruction Fuzzy Hash: 0E01D6B4D002099FCB50DFF599446EEBBF9EB48300F5055AAE919E2240EB79AA508F61

Function 6C24A432 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C24A439

Part of subcall function 6C1EC870: EnterCriticalSection.KERNEL32(6C3A0410,?,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8A1
Part of subcall function 6C1EC870: InitializeCriticalSection.KERNEL32(00000000,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8B7
Part of subcall function 6C1EC870: LeaveCriticalSection.KERNEL32(6C3A0410,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8C5
Part of subcall function 6C1EC870: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8D2

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C24A48C
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C24A4A2

Strings

DragMinDist, xrefs: 6C24A481
windows, xrefs: 6C24A486, 6C24A48B, 6C24A49C
DragDelay, xrefs: 6C24A497

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 79073c275184f348c58e27ccbb2125a9a6784724f6459cdf8d54aed389891215
Instruction ID: 40a23cc354e860c1cf153a3d35324111a4bd7250e5eafe522513ffec18880ffc
Opcode Fuzzy Hash: 79073c275184f348c58e27ccbb2125a9a6784724f6459cdf8d54aed389891215
Instruction Fuzzy Hash: A7015AB4A01B80DFDBA0DFB58905B49BAF4BB4A704F40492EE54ADBF90E7B4A014CF04

Function 0432F9C4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0432F9CA

Part of subcall function 04333CA0: TlsGetValue.KERNEL32(00000000,04333DF9,?,04334500,00000000,00000001,00000000,?,04338DE6,00000018,04346448,0000000C,04338E76,00000000,00000000), ref: 04333CA9
Part of subcall function 04333CA0: DecodePointer.KERNEL32(?,04334500,00000000,00000001,00000000,?,04338DE6,00000018,04346448,0000000C,04338E76,00000000,00000000,?,04333F06,0000000D), ref: 04333CBB
Part of subcall function 04333CA0: TlsSetValue.KERNEL32(00000000,?,04334500,00000000,00000001,00000000,?,04338DE6,00000018,04346448,0000000C,04338E76,00000000,00000000,?,04333F06), ref: 04333CCA

___fls_getvalue@4.LIBCMT ref: 0432F9D5

Part of subcall function 04333C80: TlsGetValue.KERNEL32(?,?,0432F9DA,00000000), ref: 04333C8E

___fls_setvalue@8.LIBCMT ref: 0432F9E8

Part of subcall function 04333CD4: DecodePointer.KERNEL32(?,?,?,0432F9ED,00000000,?,00000000), ref: 04333CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 0432F9F1
ExitThread.KERNEL32 ref: 0432F9F8
GetCurrentThreadId.KERNEL32 ref: 0432F9FE
__freefls@4.LIBCMT ref: 0432FA1E

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: b975a750568b2c31a01042f403b35c2540b9a163b5069e7b9e3153535350b269
Instruction ID: 7e3f7a2d5051fbbf6d26d48362043cc1e126ac2c389d1513d6269016f3da25a9
Opcode Fuzzy Hash: b975a750568b2c31a01042f403b35c2540b9a163b5069e7b9e3153535350b269
Instruction Fuzzy Hash: 76F06278500710BBD708BF70C60885E7BACEF8824A711E558F90997201DA38F841DB91

Function 100071B6 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790

Function 6C32B8D2 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977c78c5da6c3e7803641d44e15b4456599066931e3b90d8b284905396db56d7
Instruction ID: d9aa1c353fb3240bb6aa6f22149a18889d1fb17a4d97ccd0be597c4bda10a8f0
Opcode Fuzzy Hash: 977c78c5da6c3e7803641d44e15b4456599066931e3b90d8b284905396db56d7
Instruction Fuzzy Hash: 8EB12571B04249AFDF01CF99C885BADBBB8BF4A31CF144248E4529BB81C7799941CFA1

Function 6C1C40A8 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 435COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C1C4131
_strlen.LIBCMT ref: 6C1C42ED
_strlen.LIBCMT ref: 6C1C4320

Strings

IP=, xrefs: 6C1C40E8
Port, xrefs: 6C1C40F5

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: _strlen
String ID: IP=$Port
API String ID: 4218353326-1046961985
Opcode ID: 0ede795bbe29cefcfbf973872d759c9032f4d7c321d052f4991e6b2cfff48713
Instruction ID: 3b948db3bc1f1bc2d8f671fd5d11e6e1af50964c8afb1583bcf719c628be3afd
Opcode Fuzzy Hash: 0ede795bbe29cefcfbf973872d759c9032f4d7c321d052f4991e6b2cfff48713
Instruction Fuzzy Hash: 55F1D7B2A047008BD720CF34C894BA7B7F6BF95318F154A2DE59A87B50E735F5498B42

Function 100032E0 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
Sleep.KERNEL32(00000258), ref: 100032FE
InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
Sleep.KERNEL32(0000012C), ref: 1000332B

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0

Function 04326690 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0432669B
CoCreateInstance.OLE32(043446FC,00000000,00000001,0434471C,?,?,?,?,?,?,?,?,?,?,0432588A), ref: 043266B2
SysFreeString.OLEAUT32(?), ref: 0432674C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0432588A), ref: 0432677D

Strings

FriendlyName, xrefs: 0432673B

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName
API String ID: 841178590-3623505368
Opcode ID: 32fe3563375919256fcfa46ed15928587fd8c34170924fd2460b61f078b12ae2
Instruction ID: 484bfab122591a234312c625c700b396d17fde385f5ed79c16c88fdcbc2036bb
Opcode Fuzzy Hash: 32fe3563375919256fcfa46ed15928587fd8c34170924fd2460b61f078b12ae2
Instruction Fuzzy Hash: 2C311979700209AFDB00DA99DC81EAEB7B9EFC8704F149599F504EB250DA71FD02CB60

Function 0432F707 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0432F721

Part of subcall function 0432F673: __FF_MSGBANNER.LIBCMT ref: 0432F68C
Part of subcall function 0432F673: __NMSG_WRITE.LIBCMT ref: 0432F693
Part of subcall function 0432F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04334500,00000000,00000001,00000000,?,04338DE6,00000018,04346448,0000000C,04338E76), ref: 0432F6B8

std::exception::exception.LIBCMT ref: 0432F756
std::exception::exception.LIBCMT ref: 0432F770
__CxxThrowException@8.LIBCMT ref: 0432F781

Strings

bad allocation, xrefs: 0432F74F

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: c61199134cc7f539fc213d1dc55980065a2a33df9684c40b45a03a6574800a74
Instruction ID: e4ff924f5bf1b1501fbed4a46d5a5e18a54546a9269d6a5f285e947548d9ad77
Opcode Fuzzy Hash: c61199134cc7f539fc213d1dc55980065a2a33df9684c40b45a03a6574800a74
Instruction Fuzzy Hash: FDF0F4749002296BFB00EB58DE25AEF7AB8EF85798F143159E404E6190DFB0FA009B80

Function 00221C50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000001), ref: 00221C61
CommandLineToArgvW.SHELL32(00000000), ref: 00221C68
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00220000), ref: 00221CD3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00221CF3
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00220000,00000000,00000000,00000000,00222778,00000014), ref: 00221D25

Memory Dump Source

Source File: 00000003.00000002.3548588453.0000000000221000.00000020.00000001.01000000.00000005.sdmp, Offset: 00220000, based on PE: true

Associated: 00000003.00000002.3548541401.0000000000220000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548624115.0000000000222000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548649924.0000000000223000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548676740.0000000000224000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548676740.0000000000266000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_220000_Update.jbxd

Similarity

API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
String ID:
API String ID: 4060259846-0
Opcode ID: 75d9453584fc0b3b64f5e5354220c8efcebe9b8775368668d65a88d3c8218a58
Instruction ID: 8259c16b1a8d907bc58b9bd26433447f869acba04d182d644392de1d435330d1
Opcode Fuzzy Hash: 75d9453584fc0b3b64f5e5354220c8efcebe9b8775368668d65a88d3c8218a58
Instruction Fuzzy Hash: 2331B070604315FBE720EFA8AC45F1B77E4EFA4711F10092DF955972D0D631AE298B62

Function 6C30B498 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C30B4D5
dllmain_crt_dispatch.LIBCMT ref: 6C30B4EC
dllmain_raw.LIBCMT ref: 6C30B534
dllmain_crt_dispatch.LIBCMT ref: 6C30B547
dllmain_raw.LIBCMT ref: 6C30B55A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 94fbf4296e8f1b7b42ff85a5754d9f30a7e2bdce3e97d20c19ac1e42743777b2
Instruction ID: 619d5cc7811372493d70ff8b0388e624dbb137f4af6c33d6795cafb6ed3495e4
Opcode Fuzzy Hash: 94fbf4296e8f1b7b42ff85a5754d9f30a7e2bdce3e97d20c19ac1e42743777b2
Instruction Fuzzy Hash: D7218173F01619ABCB218E55CC40AAF3A79EB85B9CF114165FC156FB20C7328E058FA0

Function 6C1C503F Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 6C1C5049
FindResourceW.KERNEL32(00000000,?,?), ref: 6C1C5090
LoadResource.KERNEL32(00000000,00000000,?,?), ref: 6C1C509E
SizeofResource.KERNEL32(00000000,00000000,?,?), ref: 6C1C50A8
LockResource.KERNEL32(00000000,?,?), ref: 6C1C50B1

Part of subcall function 6C1C40A8: _strlen.LIBCMT ref: 6C1C4131

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof_strlen
String ID:
API String ID: 415223560-0
Opcode ID: 6e26f122de6682cdd5e82956f363162eb849734217ae36e91c9a569e1cfee014
Instruction ID: e6e2274113b126ed3a5db81b3be06ed799149c0b7b6ece576aad02ddbd94197a
Opcode Fuzzy Hash: 6e26f122de6682cdd5e82956f363162eb849734217ae36e91c9a569e1cfee014
Instruction Fuzzy Hash: DB1182F1A013409FE7015B348C08AAB37BCEF66218B149164F94A8A212FB79D959C7A6

Function 10002D10 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
CancelIo.KERNEL32(?), ref: 10002D46
InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
closesocket.WS2_32(?), ref: 10002D59
SetEvent.KERNEL32(00000001), ref: 10002D63

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0

Function 6C1C6CC8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

Strings

te.d, xrefs: 6C1C71A8
Upda, xrefs: 6C1C71AF
dll, xrefs: 6C1C71A1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FileModuleName_strlen
String ID: Upda$dll$te.d
API String ID: 2404361900-2264352279
Opcode ID: a21a6e1d4985a8cacc89f0cf39226a887d3c8509f1c050606ecb84a9d7e8fc88
Instruction ID: 0b5afef6c93efe0abaa69efad398a2174a7aad6072f9e3d3bd8d7a129b491b2a
Opcode Fuzzy Hash: a21a6e1d4985a8cacc89f0cf39226a887d3c8509f1c050606ecb84a9d7e8fc88
Instruction Fuzzy Hash: E131D3B1E013489FEB10CFA4C985BFEBBB9FF11304F104519E851AB641D778AA48CB92

Function 6C1E3A37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Shell32,?,?,6C1C7CE7,YSS.AppID.NoVersion,00000000,?,00000000,?,00000000,6C1C8345,?), ref: 6C1E3A42
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C1E3A53

Strings

SetCurrentProcessExplicitAppUserModelID, xrefs: 6C1E3A4D
Shell32, xrefs: 6C1E3A3B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
API String ID: 1646373207-2658420654
Opcode ID: e646e4c98e87590e0d08f715a304836e410982fa928d1a210d750b44b69e3fbf
Instruction ID: 1db1225479ae963eea2d00e69b60307ea90cf185263038fb380f995a8ccb7b86
Opcode Fuzzy Hash: e646e4c98e87590e0d08f715a304836e410982fa928d1a210d750b44b69e3fbf
Instruction Fuzzy Hash: EBE08635702B25678E255B65D858C9F7F6CDB966B1300043EF906D7B00CE34D801CBE4

Function 6C1C6D4F Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036123bd63a2718ae53cbdc5a83dbc76eaeb2b2a790b9afc75c2513ef707261d
Instruction ID: 0b5cb29c9fa64d503c1993b9e378e59b4e3126d4af8bf83cf3bb10eaa29261a1
Opcode Fuzzy Hash: 036123bd63a2718ae53cbdc5a83dbc76eaeb2b2a790b9afc75c2513ef707261d
Instruction Fuzzy Hash: 468134B1E001148FDB14CF68CC947EDB7B6EF66318F154229F811A7780EB78AD858B92

Function 6C1C5A00 Relevance: 6.2, APIs: 4, Instructions: 208sleepCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C1C5A3E
Sleep.KERNEL32(00000BB8), ref: 6C1C5B2C
_strlen.LIBCMT ref: 6C1C5B44
_strlen.LIBCMT ref: 6C1C5B77

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: _strlen$Sleep
String ID:
API String ID: 2737124692-0
Opcode ID: ee87e6551f7402e9cf764df978d1baa8065ac2e2e5b9b4e44dadd02bbfdbf465
Instruction ID: 8b2d8ed9e11af7ed4f2ff4bb5b471ba0791fb1294f9b55bf533144d9ae26c454
Opcode Fuzzy Hash: ee87e6551f7402e9cf764df978d1baa8065ac2e2e5b9b4e44dadd02bbfdbf465
Instruction Fuzzy Hash: A071F7B2E012189BCB10CFB4DC807DE7BB6BF65314F150225F858A7B80F7399A448B92

Function 6C1D2829 Relevance: 6.1, APIs: 4, Instructions: 121threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1D2833

Part of subcall function 6C1E1666: __EH_prolog3.LIBCMT ref: 6C1E166D

GetCurrentThread.KERNEL32 ref: 6C1D2892
GetCurrentThreadId.KERNEL32 ref: 6C1D289B
GetVersionExW.KERNEL32 ref: 6C1D2937

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CurrentThread$H_prolog3H_prolog3_Version
String ID:
API String ID: 786120064-0
Opcode ID: 0176463f1efdd890d9640323524718fc8bd7167f12827d9be406da0d1c599aaa
Instruction ID: b71f66de41fb46042fd65d5ef18eab8f3f78ccacbe7b3cfed85271dd41b21a66
Opcode Fuzzy Hash: 0176463f1efdd890d9640323524718fc8bd7167f12827d9be406da0d1c599aaa
Instruction Fuzzy Hash: EE51EFB0A05B108FDB25CF2A848869AFBF5BF49704F51896ED5AEC7B00DB70A945CF41

Function 6C1E777D Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C1E77DA
VerSetConditionMask.KERNEL32(00000000), ref: 6C1E77E2
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C1E77F3
GetSystemMetrics.USER32(00001000), ref: 6C1E7804

Part of subcall function 6C1E783A: __EH_prolog3.LIBCMT ref: 6C1E7841
Part of subcall function 6C1E783A: GetSysColor.USER32(00000016), ref: 6C1E784A
Part of subcall function 6C1E783A: GetSysColor.USER32(0000000F), ref: 6C1E785D
Part of subcall function 6C1E783A: GetSysColor.USER32(00000015), ref: 6C1E7874
Part of subcall function 6C1E783A: GetSysColor.USER32(0000000F), ref: 6C1E7880
Part of subcall function 6C1E783A: GetDeviceCaps.GDI32(?,0000000C), ref: 6C1E78A8
Part of subcall function 6C1E783A: GetSysColor.USER32(0000000F), ref: 6C1E78B6
Part of subcall function 6C1E783A: GetSysColor.USER32(00000010), ref: 6C1E78C4
Part of subcall function 6C1E783A: GetSysColor.USER32(00000015), ref: 6C1E78D2
Part of subcall function 6C1E783A: GetSysColor.USER32(00000016), ref: 6C1E78E0
Part of subcall function 6C1E783A: GetSysColor.USER32(00000014), ref: 6C1E78EE
Part of subcall function 6C1E783A: GetSysColor.USER32(00000012), ref: 6C1E78FC
Part of subcall function 6C1E783A: GetSysColor.USER32(00000011), ref: 6C1E790A
Part of subcall function 6C1E783A: GetSysColor.USER32(00000006), ref: 6C1E7915
Part of subcall function 6C1E783A: GetSysColor.USER32(0000000D), ref: 6C1E7920
Part of subcall function 6C1E783A: GetSysColor.USER32(0000000E), ref: 6C1E792B
Part of subcall function 6C1E783A: GetSysColor.USER32(00000005), ref: 6C1E7936
Part of subcall function 6C1E783A: GetSysColor.USER32(00000008), ref: 6C1E7944
Part of subcall function 6C1E783A: GetSysColor.USER32(00000009), ref: 6C1E794F
Part of subcall function 6C1E783A: GetSysColor.USER32(00000007), ref: 6C1E795A
Part of subcall function 6C1E783A: GetSysColor.USER32(00000002), ref: 6C1E7965
Part of subcall function 6C1E783A: GetSysColor.USER32(00000003), ref: 6C1E7970
Part of subcall function 6C1E783A: GetSysColor.USER32(0000001B), ref: 6C1E797E
Part of subcall function 6C1E783A: GetSysColor.USER32(0000001C), ref: 6C1E798C
Part of subcall function 6C1E783A: GetSysColor.USER32(0000000A), ref: 6C1E799A

Part of subcall function 6C1E7C58: __EH_prolog3_GS.LIBCMT ref: 6C1E7C62
Part of subcall function 6C1E7C58: GetDeviceCaps.GDI32(?,00000058), ref: 6C1E7C82
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7CDE
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7CFC
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7D1A
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7D38
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7D56
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7D74
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7D92
Part of subcall function 6C1E7C58: DeleteObject.GDI32(00000000), ref: 6C1E7DB0

Part of subcall function 6C1E8177: GetSystemMetrics.USER32(00000031), ref: 6C1E8185
Part of subcall function 6C1E8177: GetSystemMetrics.USER32(00000032), ref: 6C1E8193
Part of subcall function 6C1E8177: SetRectEmpty.USER32(?), ref: 6C1E81A6
Part of subcall function 6C1E8177: EnumDisplayMonitors.USER32(00000000,00000000,6C1E894F,?,?,?), ref: 6C1E81B6
Part of subcall function 6C1E8177: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C1E81C5
Part of subcall function 6C1E8177: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C1E81F2
Part of subcall function 6C1E8177: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C1E8206
Part of subcall function 6C1E8177: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C1E822C

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 2442922003-0
Opcode ID: 2e7197f4321beb6f8b11b63f1c897a8a9cb4f2ac940ef19f4891c77c998154b7
Instruction ID: 16c50fda1daf8012eb2abee89c7d5f4b7e46a7d093edf2de944c34a7c469beb4
Opcode Fuzzy Hash: 2e7197f4321beb6f8b11b63f1c897a8a9cb4f2ac940ef19f4891c77c998154b7
Instruction Fuzzy Hash: 9D11A3B0A00708ABEB159F759C59FEB76BCEB8A708F40045EE246D6281CBB14A05CFD0

Function 10006F17 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10006F31

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

std::exception::exception.LIBCMT ref: 10006F66
std::exception::exception.LIBCMT ref: 10006F80
__CxxThrowException@8.LIBCMT ref: 10006F91

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740

Function 6C1B9628 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6C1B96D3

Strings

GL\X, xrefs: 6C1B9C6B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: __fread_nolock
String ID: GL\X
API String ID: 2638373210-767099042
Opcode ID: f50627584f8ae813fa0e8e73bbecc42529a2e3f3997c3b6ee8ce4f89ae63f6b3
Instruction ID: 8b21ddb02a9d03af3c7e93a2556c8ad2567f808c6d015fbe12067113eda7a303
Opcode Fuzzy Hash: f50627584f8ae813fa0e8e73bbecc42529a2e3f3997c3b6ee8ce4f89ae63f6b3
Instruction Fuzzy Hash: C851F472B042148FCB48CE3DD890A5A73F5EB99718F164269EC48DB785D635EC0A8F91

Function 6C1E7421 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1E7428

Part of subcall function 6C1E777D: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C1E77DA
Part of subcall function 6C1E777D: VerSetConditionMask.KERNEL32(00000000), ref: 6C1E77E2
Part of subcall function 6C1E777D: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C1E77F3
Part of subcall function 6C1E777D: GetSystemMetrics.USER32(00001000), ref: 6C1E7804

Strings

D}4l, xrefs: 6C1E74CB
(^4l, xrefs: 6C1E7434

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
String ID: (^4l$D}4l
API String ID: 2710481357-1067907240
Opcode ID: b27ce7848ae93fdb27c8b7f58ffa033d267512a26e9caac862dd6ec01d0b0708
Instruction ID: 040696dd2844a6951b364b72bcb3b584e5510392de4231d853675c4a4a7ab2c4
Opcode Fuzzy Hash: b27ce7848ae93fdb27c8b7f58ffa033d267512a26e9caac862dd6ec01d0b0708
Instruction Fuzzy Hash: 3351CDB0906F458FD3A9CF3A85417C6FAE0BF89300F10CA2E91AED6660EB7161848F55

Function 04323160 Relevance: 4.6, APIs: 3, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0432316B
InterlockedExchange.KERNEL32(?,00000001), ref: 04323183
GetCurrentThreadId.KERNEL32 ref: 0432322F

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CurrentThread$ExchangeInterlocked
String ID:
API String ID: 4033114805-0
Opcode ID: 75923cf6a22db9910e41db0d8adb32a3fe17ad06a2ee1c98dfff600a0d96d4a8
Instruction ID: 58e2976741eba6aed5e07cc4c06216778df4bdc82a116edfd3b466d8e732dd33
Opcode Fuzzy Hash: 75923cf6a22db9910e41db0d8adb32a3fe17ad06a2ee1c98dfff600a0d96d4a8
Instruction Fuzzy Hash: E6317F702006129FDB18DF69CA84A67B3E9FF84704B10D52DED6ADB615D739F842CB90

Function 043211B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 043211E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04321226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04321255

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 3331b6cd3d8e075da7121820f86a23c2e88f23401934fd97668f86186ca3d822
Instruction ID: 5609f1f920a17cd35dabbc737473f925309d928afee356dc4780d9591c4fd01d
Opcode Fuzzy Hash: 3331b6cd3d8e075da7121820f86a23c2e88f23401934fd97668f86186ca3d822
Instruction Fuzzy Hash: 99219271A00709AFDB109FA9DA45B6FBBF8EF44705F009569E959E2640EA30B8108750

Function 100011B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 100011E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790

Function 04321100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0432112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0432115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04321192

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: beb3e7148fa9e4bbb1a3c3ff3d409df779f5aba1972415ad1d0075c62c932a1b
Instruction ID: bb2ef35ff3c2cf295bb31fc1b357fe2cc8e42f7c9c84ba71ad1c69cab634a5b5
Opcode Fuzzy Hash: beb3e7148fa9e4bbb1a3c3ff3d409df779f5aba1972415ad1d0075c62c932a1b
Instruction Fuzzy Hash: D9119371E00708AFEF109FA9DA85B6FFBF8EF44745F008569E959E2640E774B9108750

Function 10001100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 1000112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750

Function 04329DE0 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 04329E04
GdipDisposeImage.GDIPLUS(?), ref: 04329E18
GdipDisposeImage.GDIPLUS(?), ref: 04329E3B

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Gdip$DisposeImage$BitmapCreateFromStream
String ID:
API String ID: 800915452-0
Opcode ID: 26b8529bd05d4b2e9024fb55a469e35df48efb3b7335a227950b5188914731fd
Instruction ID: 2523e82445f089e04e810be0e965230877ecc1ab8de75505a122ec2980084001
Opcode Fuzzy Hash: 26b8529bd05d4b2e9024fb55a469e35df48efb3b7335a227950b5188914731fd
Instruction Fuzzy Hash: CCF031B6A00229A78B11EF94D9448EFB7B9EF48755F00519AF805B7340DA34AE15CBD1

Function 04329AC0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0434FB64), ref: 04329ADC
GdiplusStartup.GDIPLUS(0434FB60,?,?), ref: 04329B15
LeaveCriticalSection.KERNEL32(0434FB64), ref: 04329B26

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: c60b3451f1dd8246423faf8b8c499c03d4f4c1d8a0ff3129c4677fc51ff24264
Instruction ID: 61ac61f725e30868ab544fa64009852ebe3568e2bf5ec90243a33ae0219a730f
Opcode Fuzzy Hash: c60b3451f1dd8246423faf8b8c499c03d4f4c1d8a0ff3129c4677fc51ff24264
Instruction Fuzzy Hash: 2BF06275A412099BDF009FD1E86A7FB77B8FB89345F442199E50452140DB763544CBE2

Function 6C32C139 Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(6C31F26E,?,6C31F26E,?,?,?,?), ref: 6C32C141
GetLastError.KERNEL32(?,6C31F26E,?,?,?,?), ref: 6C32C14B
__dosmaperr.LIBCMT ref: 6C32C152

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 92691a4e482d66b5d0ce3de1d7ff6eda8b6b1d13bcc6321f8b2219f8ca265e93
Instruction ID: e83fc94acd02cb4d1cdc8a4ef538a8866c587b2f8247cb7d1c195c61c64a74c4
Opcode Fuzzy Hash: 92691a4e482d66b5d0ce3de1d7ff6eda8b6b1d13bcc6321f8b2219f8ca265e93
Instruction Fuzzy Hash: 97D012323152486B9F012AF6AC098463B7CEB873B93145719F42CC5A90DF36D8509A91

Function 10003200 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10003200

Strings

154.82.85.79, xrefs: 1002026C
18091, xrefs: 10020254

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep
String ID: 154.82.85.79$18091
API String ID: 3472027048-3534000569
Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550

Function 10007156 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 1000715B

Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904

__freeptd.LIBCMT ref: 10007165

Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
Part of subcall function 10009A58: TlsSetValue.KERNEL32(00000021,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE

ExitThread.KERNEL32 ref: 1000716E

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291

Function 6C1C3DE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C1C3E03

Strings

, xrefs: 6C1C3D0B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-184147866
Opcode ID: df09960881f1881f3f893479b81fb5a2ef2b89d9b9eb7ed3ba159c1500acabf8
Instruction ID: 077e3ec5f4ad5c87ea89bea26e7658ea6b9f7fd4e0d2b4d8f413b0a2fdca75c5
Opcode Fuzzy Hash: df09960881f1881f3f893479b81fb5a2ef2b89d9b9eb7ed3ba159c1500acabf8
Instruction Fuzzy Hash: E5E065714083419AE300DF11C80DB9BB6F8EFD630CF415B0DF4C415041D3B956888B57

Function 041A01CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 041A022B

Memory Dump Source

Source File: 00000003.00000002.3550490289.00000000041A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_41a0000_Update.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: bd9f402af36a810cda87c9cffc6fe3581d01087201dad56f9a0eefaaf35da7fa
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: F4A14E79A00606EFDB14CFA9C9C0AAEBBB5FF48304F1481A9E415DB751E770E961CB90

Function 6C32A83A Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C32ABE4: GetConsoleOutputCP.KERNEL32(8BAE044A,00000000,00000000,?), ref: 6C32AC47

WriteFile.KERNEL32(?,6C328E1C,00000000,6C333367,00000000,6C328E1C,00000000,00000000,?,6C333367,00000000,00000000,6C3332A4,6C328E1C,00000000,?), ref: 6C32A9BF
GetLastError.KERNEL32(?,6C333367,00000000,00000000,6C3332A4,6C328E1C,00000000,?,6C332208,00000000,6C328E1C), ref: 6C32A9C9

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 8b504ef41a3b33cac141d17c05c9e15db11ebdade211c1cb0e1e7da27be1d313
Instruction ID: ed3894e9832ac349ac1fb67b72af2a7015f64daa5d2806a3c253f77b1b76ac03
Opcode Fuzzy Hash: 8b504ef41a3b33cac141d17c05c9e15db11ebdade211c1cb0e1e7da27be1d313
Instruction Fuzzy Hash: 3B619EB1D04119AFDF01CFA9C984AEEBFB9EF0A308F150149E914A7641D33AD916DFA1

Function 04323360 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 04323413
_memmove.LIBCMT ref: 043234A5

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: a0e5ec005169978959b565d06ed5292441fb0b3ebdbcca9f727c14cda17ff1a0
Instruction ID: 9479b8ad1c5c8d713f6fedbb443b98d372e4d308c079ce7a6b937ddc69c4fe42
Opcode Fuzzy Hash: a0e5ec005169978959b565d06ed5292441fb0b3ebdbcca9f727c14cda17ff1a0
Instruction Fuzzy Hash: B251B072700A259FD711CFB9CAC0A6AB7A9FF8821471496ACED199B700DB35F941CB90

Function 10003350 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 10003403
_memmove.LIBCMT ref: 10003495

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90

Function 6C30B265 Relevance: 3.1, APIs: 2, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C30B2B2

Part of subcall function 6C30B65E: InitializeSListHead.KERNEL32(6C3A2058,6C30B2BC,6C397588,00000010,6C30B455,?,00000000,?,00000007,6C3975A8,00000010,6C30B468,?,?,6C30B4F1,?), ref: 6C30B663

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C30B31C

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 2e741aada6656d01bd433bba50084bb0f26e8ee1e45ba6fa7614e6a2ec2294ec
Instruction ID: ba9a3aa44144f3dfefc18995f14cf5d6f339b50ec1db2137cc229d105d43a83a
Opcode Fuzzy Hash: 2e741aada6656d01bd433bba50084bb0f26e8ee1e45ba6fa7614e6a2ec2294ec
Instruction Fuzzy Hash: 5021F1337493099EDB049FB8A8107CD33A8AB1632DF20486DD5919BFC1EB675018CE66

Function 10002FB0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
recv.WS2_32(?,?,00040000,00000000), ref: 10003044

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1

Function 6C32B013 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6C32A9A5,?,6C332208,6C328E1C,00000000,6C328E1C,00000000), ref: 6C32B0AF
GetLastError.KERNEL32(?,6C32A9A5,?,6C332208,6C328E1C,00000000,6C328E1C,00000000,00000000,?,6C333367,00000000,00000000,6C3332A4,6C328E1C,00000000), ref: 6C32B0D5

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 56a8f16257bc8441cdd6df90cc8a1be4d393af92d686f96f2de4420a1d5e81bf
Instruction ID: f6a9bc33445af84c6fe3d0472966414cd85ee1a46595bebcde32272cbb08d44d
Opcode Fuzzy Hash: 56a8f16257bc8441cdd6df90cc8a1be4d393af92d686f96f2de4420a1d5e81bf
Instruction Fuzzy Hash: 5121B130A002199BCF1ACF29CC809DDF7B9EB49309F1481AAE906DB641D7319E46CF65

Function 6C30B36C Relevance: 3.1, APIs: 2, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C30B3B3
___scrt_uninitialize_crt.LIBCMT ref: 6C30B3CD

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 122fe017e9da82eb8bf56475845e5d17cfffb61212397f1ccd004abb56611483
Instruction ID: 3ebbcf10d3f81d74697d8344c5f49b37cd9e22fc0d75e844ae4207b602792d60
Opcode Fuzzy Hash: 122fe017e9da82eb8bf56475845e5d17cfffb61212397f1ccd004abb56611483
Instruction Fuzzy Hash: 99210233B48309DBDB04DFB998007DC37A8EB0671DF10452AE5149AF90CB7682198E62

Function 6C1BF5E2 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 6C1BF602
_strlen.LIBCMT ref: 6C1BF615

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FolderPath_strlen
String ID:
API String ID: 1140449666-0
Opcode ID: fd36852034cb4471a56a9502d375f0bc23474c1d42516cc2fbc8b4b875fa233c
Instruction ID: c18bbff5aead577596488faf7a1a60d98aa4306499095027c371c6f26155b702
Opcode Fuzzy Hash: fd36852034cb4471a56a9502d375f0bc23474c1d42516cc2fbc8b4b875fa233c
Instruction Fuzzy Hash: EB11E6F69013456BD7305F359C44A9BBAFCEFD6308F11092AF885D2A01F77595488BA2

Function 6C1D07F9 Relevance: 3.1, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6C1D084C
SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C1D0872

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AllocString_memcpy_s
String ID:
API String ID: 696070862-0
Opcode ID: ae6f4ba1efba958d3f42dff93831f1c1e0d1a39a7c3de38606ea996c65814f7a
Instruction ID: df4fc39d0655aff6f0d85c1189661557fd5f909ad381a824fa6cf3c4467a3cf8
Opcode Fuzzy Hash: ae6f4ba1efba958d3f42dff93831f1c1e0d1a39a7c3de38606ea996c65814f7a
Instruction Fuzzy Hash: A811C636700244AFEB009B598C44FAE7768EF61758F51402AF91597A50DB79E824CAA3

Function 04323260 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 04323291
send.WS2_32(?,?,?,00000000), ref: 043232CE

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6821b56b3b2cfa9756cbdf5c635453f0948edf33ecae58db0fc71fc729a572cc
Instruction ID: b5ab9c0c6247ccda315c6ce0e776c2c9f4de3c41601d64b22e56b5b4674721de
Opcode Fuzzy Hash: 6821b56b3b2cfa9756cbdf5c635453f0948edf33ecae58db0fc71fc729a572cc
Instruction Fuzzy Hash: E911E572B01324B7D7608A7ADE88B5E77ACFF85364F106165FD08D7280D278BD418654

Function 6C328D4F Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,6C1BA407,00008000,6C328E1C,?,?,?,6C328BD7,6C328E1C,?,00000000,6C1BA407,?), ref: 6C328D8B
GetLastError.KERNEL32(00000000,?,?,?,6C328BD7,6C328E1C,?,00000000,6C1BA407,?,00000000,00008000,6C328E1C,?,?,6C331B8B), ref: 6C328D98

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4d1c7ac6b1728365e1526453604a60d57140f1ea38a1510171ae5500be27c7f1
Instruction ID: 867efce7ea691eb5b796198e637a09fad478c1fc2038d8be138be2527bde12c4
Opcode Fuzzy Hash: 4d1c7ac6b1728365e1526453604a60d57140f1ea38a1510171ae5500be27c7f1
Instruction Fuzzy Hash: 0A012233714655AFCF058F59CC09D9E3B7AEF96328B240209F8109B690EB72E945CFA1

Function 043230E0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0432310A
timeGetTime.WINMM ref: 04323124

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 686423fa6eaeb525ef4398d10b63d93254f47a4ec1fc577624aae37f6ff5da66
Instruction ID: a3a44278c3843446c6247aa388dfa7d7d256c3a6f675345b24aff7386b17df5c
Opcode Fuzzy Hash: 686423fa6eaeb525ef4398d10b63d93254f47a4ec1fc577624aae37f6ff5da66
Instruction Fuzzy Hash: 6B01D435200215AFD315DF29C8C8BB9B7B9FF99301F144264EA1467180C739B9C6C7D1

Function 100030C0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 100030EA
timeGetTime.WINMM ref: 10003104

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1

Function 0432CD00 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,0432E04E,00000000,04329800,?,?,?,00000000,0434125B,000000FF,?,0432E04E), ref: 0432CD1B
_free.LIBCMT ref: 0432CD56

Part of subcall function 04321280: __CxxThrowException@8.LIBCMT ref: 04321290
Part of subcall function 04321280: DeleteCriticalSection.KERNEL32(00000000,0432D3E6,04346624,?,?,0432D3E6,?,?,?,?,04345A40,00000000), ref: 043212A1

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: 9519f1e2840c67144cb03f3edab26d62cbfb2c05577478d8d7e7635f1b681885
Instruction ID: 92b3e223c8541a9dbe2ac31b6787a267a1123a219d57e8101d0359216f46bfb1
Opcode Fuzzy Hash: 9519f1e2840c67144cb03f3edab26d62cbfb2c05577478d8d7e7635f1b681885
Instruction Fuzzy Hash: A0017AB0A00B508FD7309F6A9944A57FAF8FF98700B105A1EE6DAC7A50D374A505CFA5

Function 10006410 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
_free.LIBCMT ref: 10006466

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55

Function 6C1CD1DC Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1CD1E3
GetWindowDC.USER32(00000000,00000004,6C1E78A0,00000000), ref: 6C1CD20F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: H_prolog3Window
String ID:
API String ID: 616115145-0
Opcode ID: a435f171f658260e34b7effb47f6f7ae1972f58f226b76d8ae9ed7db3ed8df3f
Instruction ID: 04a7dd4b0d90eeb2e419c8bbff806e34907418983350d2c84f41b0a6df56c952
Opcode Fuzzy Hash: a435f171f658260e34b7effb47f6f7ae1972f58f226b76d8ae9ed7db3ed8df3f
Instruction Fuzzy Hash: C5F08CB0B01B158FDB54DFB8C50076E7AE0BF59304B10882EE65ACBB00DB78D5068F46

Function 0432E480 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0432DF10,00000000,00000000,00000000), ref: 0432E49B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,04331168,?,?,?,?,?,?,04346298,0000000C,04331210,?), ref: 0432E4A9

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 53004c9bd081e870803ad77dacde4ada974f34d86323a07b21ae6d7d8febd3e3
Instruction ID: c0bf989ead569c3e38469eaf2a236dab84caf915d22f36052467fc2ae1ee2259
Opcode Fuzzy Hash: 53004c9bd081e870803ad77dacde4ada974f34d86323a07b21ae6d7d8febd3e3
Instruction Fuzzy Hash: 32E012B5444719BFDF509A54AD86E77339CD708770F206615B910D2640D939FC408A60

Function 0432F983 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0432F98F

Part of subcall function 04333E5B: __getptd_noexit.LIBCMT ref: 04333E5E
Part of subcall function 04333E5B: __amsg_exit.LIBCMT ref: 04333E6B

Part of subcall function 0432F964: __getptd_noexit.LIBCMT ref: 0432F969
Part of subcall function 0432F964: __freeptd.LIBCMT ref: 0432F973
Part of subcall function 0432F964: ExitThread.KERNEL32 ref: 0432F97C

__XcptFilter.LIBCMT ref: 0432F9B0

Part of subcall function 0433418F: __getptd_noexit.LIBCMT ref: 04334195

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 1fec46b3ee73eda22651a5640fe6d4661efe8146aa600078e195ad445de7c065
Instruction ID: e9af47bd9ae6df7664d46fa09161a43e4785e2133cc098e59c3f550b521a3c30
Opcode Fuzzy Hash: 1fec46b3ee73eda22651a5640fe6d4661efe8146aa600078e195ad445de7c065
Instruction Fuzzy Hash: 86E0ECB1900600EFFB18EBA0D905E7D7775AF5561AF205149E1026B2A0CB79B940DA20

Function 10007175 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10007181

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E

__XcptFilter.LIBCMT ref: 100071A2

Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24

Function 04336403 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0433641B

Part of subcall function 04338E5B: __mtinitlocknum.LIBCMT ref: 04338E71
Part of subcall function 04338E5B: __amsg_exit.LIBCMT ref: 04338E7D
Part of subcall function 04338E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,04333F06,0000000D,04346340,00000008,04333FFF,00000000,?,043310F0,00000000,04346278,00000008,04331155,?), ref: 04338E85

__tzset_nolock.LIBCMT ref: 0433642C

Part of subcall function 04335D22: __lock.LIBCMT ref: 04335D44
Part of subcall function 04335D22: ____lc_codepage_func.LIBCMT ref: 04335D8B
Part of subcall function 04335D22: __getenv_helper_nolock.LIBCMT ref: 04335DAD
Part of subcall function 04335D22: _free.LIBCMT ref: 04335DE4
Part of subcall function 04335D22: _strlen.LIBCMT ref: 04335DEB
Part of subcall function 04335D22: __malloc_crt.LIBCMT ref: 04335DF2
Part of subcall function 04335D22: _strlen.LIBCMT ref: 04335E08
Part of subcall function 04335D22: _strcpy_s.LIBCMT ref: 04335E16
Part of subcall function 04335D22: __invoke_watson.LIBCMT ref: 04335E2B
Part of subcall function 04335D22: _free.LIBCMT ref: 04335E3A

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: c68b5419e44204073cac38bcd848f42797afd42253f133d8e0659734d9c7d0a6
Instruction ID: aea27038ec7079fd7d6a8d20d1b276604c07827349bcbd1ad56b632069c0adf0
Opcode Fuzzy Hash: c68b5419e44204073cac38bcd848f42797afd42253f133d8e0659734d9c7d0a6
Instruction Fuzzy Hash: A4E0EC31C41714EBE7767FE0A60765C7278EF98B37F60711AE48122190CA757591CA92

Function 1000474C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(|p1:154.82.85.79|o1:18091|t1:1|p2:154.82.85.79|o2:18092|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 10004755

Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655

Strings

|p1:154.82.85.79|o1:18091|t1:1|p2:154.82.85.79|o2:18092|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 10004750

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __wcsrevlstrlen
String ID: |p1:154.82.85.79|o1:18091|t1:1|p2:154.82.85.79|o2:18092|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
API String ID: 4062721203-723003806
Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1

Function 04326EBC Relevance: 3.0, APIs: 2, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80000001,04326E9A), ref: 04326EC9
RegCloseKey.ADVAPI32(75BF73E0), ref: 04326ED2

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 99cf4360bc845faf3a784dc755dd610b2cb89962689ee0ed5581654130a40a06
Instruction ID: d7755af4b171cdeadcca30423d5f2c538b03cab668136a988b34117dd41a11f8
Opcode Fuzzy Hash: 99cf4360bc845faf3a784dc755dd610b2cb89962689ee0ed5581654130a40a06
Instruction Fuzzy Hash: 9FC04C72D0102857CB10E6A4ED4494A77B89B8C210F1140C2A104A3114C634BD418F90

Function 6C32A510 Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,6C32A4FF,6C331D61,?,00000000,00000000), ref: 6C32A566
GetLastError.KERNEL32(?,00000000,?,6C32A4FF,6C331D61,?,00000000,00000000), ref: 6C32A570

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 066432979934ca82defa9937a90e6399dad03e59b659a4d70e6f1d9c01db8377
Instruction ID: 235754c84e72b89ff0e918e02c960f99b40c53d4b8a98725356b711f339c742d
Opcode Fuzzy Hash: 066432979934ca82defa9937a90e6399dad03e59b659a4d70e6f1d9c01db8377
Instruction Fuzzy Hash: AA11E93370D2101FDF050675A8457AF77AA9B8373CF390209E99496EC1DB3A85454A51

Function 6C31EA3D Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1396d3f199e109da6f9a8ffb9e14904a7fd7fa9470db4d0ddb3cd2cfd86ce755
Instruction ID: 457f9b2286b32e3e35bbd243e5012847b3fe547088e5aa42dc2265b8f5cb452d
Opcode Fuzzy Hash: 1396d3f199e109da6f9a8ffb9e14904a7fd7fa9470db4d0ddb3cd2cfd86ce755
Instruction Fuzzy Hash: D8519370A08208AFDB08CF58CC89E99BBB5EB49368F14C158E8595BF91D3739A41CFD1

Function 6C1C3B0C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C1C3B25

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4849664dbf894499bcba18708a2522571c174fff784790f06afbe16e39a68da3
Instruction ID: bfa80eedf8aaca62444ab4d2066eb1777d35e2e84678723a1e2c5b6853a2fe98
Opcode Fuzzy Hash: 4849664dbf894499bcba18708a2522571c174fff784790f06afbe16e39a68da3
Instruction Fuzzy Hash: 75312EF2B042405BD720DF38D8557DB7BE9ABA6308F650529F046C7B41F73A844987A2

Function 6C1BF17C Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000001,?,?,00000000,?), ref: 6C1BF217

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 86915d87a08eb928ee7c13868c0567b411cc86b76c50b3d1eba525eed77598c5
Instruction ID: 91d846f9d863566b6cc6bd036bd51e88d87bb6e50097d42259f375b1957a1549
Opcode Fuzzy Hash: 86915d87a08eb928ee7c13868c0567b411cc86b76c50b3d1eba525eed77598c5
Instruction Fuzzy Hash: B5219078601740DFD720CF29C848F86BBAAFB85B20F008559E52A9B791C774E944CF91

Function 6C328DD2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6C328E17

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 048982b8d3edfa07f0855fddfe5627751774d5cd3a97aca1ab6c881341d7773e
Instruction ID: c9ce87d0d8da8dfdbd3662e6dccc1e887b13869fcf89dc35e76b89f08a056e28
Opcode Fuzzy Hash: 048982b8d3edfa07f0855fddfe5627751774d5cd3a97aca1ab6c881341d7773e
Instruction Fuzzy Hash: 78116672A0420AAFCF05CF99E94099B7BF8EF49308F00406AF818AB301D671E911CBA5

Function 0433A6F2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0433454A,00000000,00000001,00000000,00000000,00000000,?,04333E0D,00000001,00000214,?,04334500), ref: 0433A735

Part of subcall function 0432F91B: __getptd_noexit.LIBCMT ref: 0432F91B

Memory Dump Source

Source File: 00000003.00000002.3550596047.0000000004320000.00000040.00001000.00020000.00000000.sdmp, Offset: 04320000, based on PE: true

Associated: 00000003.00000002.3550596047.0000000004354000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4320000_Update.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 518ed15064d5359f1b51ca6c471a19497cda763128c521158eeb036fbe5fdb4f
Instruction ID: 9184b05fb77ab0682d1b0a05775990ecd845e5e9506d48cb7691eb6a1a96161f
Opcode Fuzzy Hash: 518ed15064d5359f1b51ca6c471a19497cda763128c521158eeb036fbe5fdb4f
Instruction Fuzzy Hash: 0C01D8393012159FEB24AEA5DC84B7737B8EF817A6F156529F895CB1A0DB34F8018B50

Function 1000E555 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80

Function 6C329632 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C3223F1: RtlAllocateHeap.NTDLL(00000000,6C1E5BE4,6C1B22CA,?,6C30BCF8,6C1B22CC,6C1B22CA,?,?,?,6C1E5B84,6C1E5BE4,6C1B22CE,6C1B22CA,6C1B22CA,6C1B22CA), ref: 6C322423

RtlReAllocateHeap.NTDLL(00000000,00000000,?,6C319328,00000000,?,6C31BB20,00000000,6C319328,?,?,?,?,6C319402,?,?), ref: 6C32968F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a7e0aa39d03fc3b99524f8241a85bf8a7141e9c6cd155edee181c8cdbf10165c
Instruction ID: de391b92c4e6c64c4ef673242a1a6b52b607da89df295a0d09b11409b38cf57c
Opcode Fuzzy Hash: a7e0aa39d03fc3b99524f8241a85bf8a7141e9c6cd155edee181c8cdbf10165c
Instruction Fuzzy Hash: 24F0FC323053056ADF151E67AC04FCB37AC9FC3778B210116E95496E90DF3ED4018DA6

Function 6C325708 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,6C1E5BE4,?,6C3227E1,00000001,00000364,6C1E5BE4,00000006,000000FF,?,6C30BCF8,6C1B22CC,6C1B22CA,?,?), ref: 6C325749

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 284b7b83bdf6383d9896e86dccaa0bb7b9a8abeaa132539adf47b781276cbb87
Instruction ID: 99d2e062f5cb7ed13797850a85a75603d1cc5f07372f76820d965d334bff6f22
Opcode Fuzzy Hash: 284b7b83bdf6383d9896e86dccaa0bb7b9a8abeaa132539adf47b781276cbb87
Instruction Fuzzy Hash: 5EF0E031786124DBEF158E6E5C44B9B375CAF427A4F204111ECD4EAD44DB39DA018FE1

Function 6C3223F1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,6C1E5BE4,6C1B22CA,?,6C30BCF8,6C1B22CC,6C1B22CA,?,?,?,6C1E5B84,6C1E5BE4,6C1B22CE,6C1B22CA,6C1B22CA,6C1B22CA), ref: 6C322423

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d1b192a2debbe70397e25d37386fe1c7c97ba752353dca722f26e132e28af54
Instruction ID: c9d45668d1b66ff9c970f83d0a227afb505d7878634d89da6d1dfb13ba3b93b0
Opcode Fuzzy Hash: 0d1b192a2debbe70397e25d37386fe1c7c97ba752353dca722f26e132e28af54
Instruction Fuzzy Hash: CEE0EC7121512057EF1119A79E0CB87765C9F427B8F510321DD5495D84DF1BC4018DF1

Function 1000608A Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 100060A0

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91

Function 6C331F73 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(6C1C6E59,00000000,?,6C331C17,?,?,00000000,?,6C331C17,6C1C6E59,0000000C), ref: 6C331F90

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: efa5f4737aa19c039903b93dd5b582f97c4f1e5e2d0330f128a26c940f0654d2
Instruction ID: cdcc9f277677a1c76b2d8410586949568c2633873cac770a84ee63ac5c572dfc
Opcode Fuzzy Hash: efa5f4737aa19c039903b93dd5b582f97c4f1e5e2d0330f128a26c940f0654d2
Instruction Fuzzy Hash: 71D06C3210010DBFDF028E84DC06EDA3BAAFB48714F014000BA1856420C732E821AB90

Function 10005E07 Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 1001F0F9

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA

Function 100060DF Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1001FAB1

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652

Function 10004274 Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553

Function 00221000 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

TCGamerUpdateMain.UPDATE(?,?), ref: 0022100B

Memory Dump Source

Source File: 00000003.00000002.3548588453.0000000000221000.00000020.00000001.01000000.00000005.sdmp, Offset: 00220000, based on PE: true

Associated: 00000003.00000002.3548541401.0000000000220000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548624115.0000000000222000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548649924.0000000000223000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548676740.0000000000224000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3548676740.0000000000266000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_220000_Update.jbxd

Similarity

API ID: GamerMainUpdate
String ID:
API String ID: 3533789159-0
Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction ID: aa768e360cfd845bcc812d86029c720f5d7cb1a33b10d9dd108669b37e7c815e
Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction Fuzzy Hash: A4B092B656020C7B8B44EAD8EC42D9A339C5A58650B408014BE0C8B241E936FAA08BA1

Function 6C1CC4FE Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6C1CC50D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: edabca67583d93088af5186660f361258d6c176341b0b7258dfb75839eb6e7eb
Instruction ID: 8a01e00d1338c1d7ee701adb581d47c8c405e9d945077687b7a6508dea232c72
Opcode Fuzzy Hash: edabca67583d93088af5186660f361258d6c176341b0b7258dfb75839eb6e7eb
Instruction Fuzzy Hash: 61B092B0B02104EEDE007671C61C31A39686B6230EF04D894B006C5941DB3D84058602

Function 1001F63D Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 1001F63D

Memory Dump Source

Source File: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514

Function 10005EB2 Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10005EB2

Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31

Memory Dump Source

Source File: 00000003.00000002.3551303488.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3551255249.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551324667.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551342209.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551359349.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3551377013.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep_malloc
String ID:
API String ID: 617756273-0
Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382

Function 6C1C50F3 Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00011D28), ref: 6C1C50F8

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8a98d648b0dbbbca9a833132a4c133eae0ba18741bbd82bdbfd709c827387e5a
Instruction ID: 31e40b002f12aea9828d400b5d369980443752a57f3c7b0233bbb28abad1cd48
Opcode Fuzzy Hash: 8a98d648b0dbbbca9a833132a4c133eae0ba18741bbd82bdbfd709c827387e5a
Instruction Fuzzy Hash: CBA002B1752108565B045774580E88675E95FAA713B4194217312C9044EA7441909765

Non-executed Functions

Function 6C200D93 Relevance: 51.7, APIs: 34, Instructions: 699keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C200D9A
GetParent.USER32(?), ref: 6C200DFF
GetParent.USER32(?), ref: 6C200E1F
UpdateWindow.USER32(?), ref: 6C200E70
SetCursor.USER32(?,?,?), ref: 6C200EAE
GetAsyncKeyState.USER32(00000012), ref: 6C200F26
InvalidateRect.USER32(?,?,00000001,?), ref: 6C20101D
InflateRect.USER32(?,00000000,?), ref: 6C201063
RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C201076
InflateRect.USER32(?,00000000,?), ref: 6C20118B
InvalidateRect.USER32(?,?,00000001,?), ref: 6C201139

Part of subcall function 6C1FC10A: InvalidateRect.USER32(?,?,00000001,?), ref: 6C1FC181
Part of subcall function 6C1FC10A: InflateRect.USER32(?,00000000,?), ref: 6C1FC1C7
Part of subcall function 6C1FC10A: RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C1FC1DB

RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,00000000,?,00000000), ref: 6C201731

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Window$InflateInvalidateRedraw$Parent$AsyncCursorH_prolog3_StateUpdate
String ID:
API String ID: 3159160173-0
Opcode ID: d07d657b7bf4f6f10e53178dd3eac598aaf027335ead233e94f954f7aed77882
Instruction ID: c7ce25ba0de2aa554f657f8f3494f7497cecbebbe026ec6055e0db9a38dc0e89
Opcode Fuzzy Hash: d07d657b7bf4f6f10e53178dd3eac598aaf027335ead233e94f954f7aed77882
Instruction Fuzzy Hash: 97527231B0161ADFDF09DF64C858BADBBB5BF4A319F14021AF816A7690DB30A855CF90

Function 6C27CACE Relevance: 19.9, APIs: 13, Instructions: 380windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C27CAD5
CreateCompatibleDC.GDI32(00000000), ref: 6C27CB5B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C27CB92
SelectObject.GDI32(?,00000000), ref: 6C27CBF1
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,?,?,00CC0020), ref: 6C27CC19
MulDiv.KERNEL32(?,?,00000064), ref: 6C27CE0B
MulDiv.KERNEL32(?,?,00000064), ref: 6C27CE26
MulDiv.KERNEL32(?,?,00000064), ref: 6C27CE42
MulDiv.KERNEL32(?,?,00000064), ref: 6C27CE5D
MulDiv.KERNEL32(?,?,00000064), ref: 6C27CE76
MulDiv.KERNEL32(?,?,00000064), ref: 6C27CE90
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C27CEEF
DeleteObject.GDI32(?), ref: 6C27CF06

Part of subcall function 6C24DFF7: FillRect.USER32(00000001,?,-000000A8), ref: 6C24E013

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
String ID:
API String ID: 3910664508-0
Opcode ID: ae823813d857626bd1516121643001a1e4b46e8dc9a3fa1ff42edbb3334c9913
Instruction ID: 9b19e830d4589d07dc312423ac39c80baf021db336c0464489689a3a00e492c1
Opcode Fuzzy Hash: ae823813d857626bd1516121643001a1e4b46e8dc9a3fa1ff42edbb3334c9913
Instruction Fuzzy Hash: 5BD19D71A0022A9FDF14DFB9C994AAE7BB4EF49715F10412AF946E7780CB34D905CBA0

Function 6C32EFEA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6C32E9BB,00000002,00000000,?,?,?,6C32E9BB,?,00000000), ref: 6C32F083
GetLocaleInfoW.KERNEL32(?,20001004,6C32E9BB,00000002,00000000,?,?,?,6C32E9BB,?,00000000), ref: 6C32F0AC
GetACP.KERNEL32(?,?,6C32E9BB,?,00000000), ref: 6C32F0C1

Strings

ACP, xrefs: 6C32F008
OCP, xrefs: 6C32F03E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 28ed86b64be57f1d24ca50d92afd24a8854fd555ebca7618dcf6cc7cb064ae3b
Instruction ID: 96c9815e3d70381f748ee185d059eabaab627d164b925b36954dfe90578ae2e7
Opcode Fuzzy Hash: 28ed86b64be57f1d24ca50d92afd24a8854fd555ebca7618dcf6cc7cb064ae3b
Instruction Fuzzy Hash: 4821C172605121AAEF248F65C900ACBF3BAAB48F6CB16C524E905C7A00F737DA41CF60

Function 6C32E885 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C322643: GetLastError.KERNEL32(00000000,?,6C3269BA), ref: 6C322647
Part of subcall function 6C322643: SetLastError.KERNEL32(00000000,?,?,00000028,6C31D5FE), ref: 6C3226E9

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 6C32E98D
IsValidCodePage.KERNEL32(00000000), ref: 6C32E9CB
IsValidLocale.KERNEL32(?,00000001), ref: 6C32E9DE
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C32EA26
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C32EA41

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: facd7938f497944d835f6dd9d410ecef5d38bc73a6168a1c4adb6e3c73804c3b
Instruction ID: 1c930a0f56283f0324544f136445209bbfa8c5d24ce09daefa399b6273c9cca7
Opcode Fuzzy Hash: facd7938f497944d835f6dd9d410ecef5d38bc73a6168a1c4adb6e3c73804c3b
Instruction Fuzzy Hash: B7517171A01705AEEF10DFB5CC41AEE77B8BF0670AF10442AE560E7690D7799604CFA1

Function 6C1EC42D Relevance: 6.1, APIs: 4, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C1EC43C
IsIconic.USER32(?), ref: 6C1EC465
GetParent.USER32(?), ref: 6C1EC472
__EH_prolog3.LIBCMT ref: 6C1EC49D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Parent$H_prolog3Iconic
String ID:
API String ID: 881905488-0
Opcode ID: 25aadc22251349bc90725bc7a6799ca4f5439dad302c8200fc32a661f069e1a0
Instruction ID: f6f6b90212128b80866065bf2e6ca07526d0c16f8ca9cadb47a36bc8cf7bac8c
Opcode Fuzzy Hash: 25aadc22251349bc90725bc7a6799ca4f5439dad302c8200fc32a661f069e1a0
Instruction Fuzzy Hash: CF219A32600A09ABDF12AFA4CC14BAE7BB6BF49318F054125FD06D6A10DB74D824DB91

Function 6C1E6AD6 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6C1E6AE2
IsDebuggerPresent.KERNEL32 ref: 6C1E6BAE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C1E6BC7
UnhandledExceptionFilter.KERNEL32(?), ref: 6C1E6BD1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2c7be22311869dd1dfb0c2cda577c3eba387eababee013333de7bef5e3e28d12
Instruction ID: 19f9f5868a08a90afae8258df85ca97786eb6e22c44ce2bc7affdcab288decda
Opcode Fuzzy Hash: 2c7be22311869dd1dfb0c2cda577c3eba387eababee013333de7bef5e3e28d12
Instruction Fuzzy Hash: 2F31D7B5E0562C9BDF21DFA4C9497CDBBB8BF08304F5041AAE50DAB240EB719A84CF45

Function 6C1D64A2 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1E4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1E4E55

GetKeyState.USER32(00000010), ref: 6C1D64BF
GetKeyState.USER32(00000011), ref: 6C1D64CC
GetKeyState.USER32(00000012), ref: 6C1D64D9
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C1D64F3

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: f89d663c906b26c8b9732e8faa6759764b48b7cd9f56b4bd6c894583229f828f
Instruction ID: db902c9dcf1c9d41ce6c8c5dca8b051c08002e8aa5fceb758ecbc52d0d9dff6e
Opcode Fuzzy Hash: f89d663c906b26c8b9732e8faa6759764b48b7cd9f56b4bd6c894583229f828f
Instruction Fuzzy Hash: 1FF0E93634220E37FE1026308C48BEA36395F02B4BF164934A903EA9C0CF50D4515360

Function 6C1D6EE3 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1D6EED

Strings

pt4l, xrefs: 6C1D732B, 6C1D7336

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: H_prolog3
String ID: pt4l
API String ID: 431132790-3870122376
Opcode ID: 3e32caccfab3985724ad8c969ff6dd242a962899d796bd8b7801d962982cdf6c
Instruction ID: 527f0260098016a6928b8a57021769d5040ae258fd85499dd90c75f644d3c9d5
Opcode Fuzzy Hash: 3e32caccfab3985724ad8c969ff6dd242a962899d796bd8b7801d962982cdf6c
Instruction Fuzzy Hash: F9E18C31A002099BDF04CF64C854BAEBBB6BF49308F16455AE816EBB94DB34E941CB91

Function 6C31AEDD Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,6C1E5BE4), ref: 6C31AFD5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6C1E5BE4), ref: 6C31AFDF
UnhandledExceptionFilter.KERNEL32(6C1B1FA2,?,?,?,?,?,6C1E5BE4), ref: 6C31AFEC

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 32e2c9219a4baac279eec030e58935e28d56a1fc1e5a0e4b1368024c0ba5b83e
Instruction ID: 1d0209674b828876f6ab4e4a282db4d88855899f50ffa58a5fe42ba71fd26476
Opcode Fuzzy Hash: 32e2c9219a4baac279eec030e58935e28d56a1fc1e5a0e4b1368024c0ba5b83e
Instruction Fuzzy Hash: 4A31C5B590122CABCB21DF28D9887CDBBB8BF48314F5042DAE41CA7250E7709B858F45

Function 6C25CE24 Relevance: 4.5, APIs: 3, Instructions: 28keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6C25CE46
GetKeyState.USER32(00000011), ref: 6C25CE53
GetKeyState.USER32(00000012), ref: 6C25CE60

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 7772e9a356a5b02cbd75942f111375013274ce695db1bc2487f9c4e7767dec77
Instruction ID: 73b83f8e2d97b1bf2d06d151e25274db1a481740a72feb6ecdda398ef000b1f5
Opcode Fuzzy Hash: 7772e9a356a5b02cbd75942f111375013274ce695db1bc2487f9c4e7767dec77
Instruction Fuzzy Hash: A4F0653435528D8FFB01BBA08808F9B77F99B0BF45FA48174EF4596461EBB095A0D714

Function 6C1DC528 Relevance: 3.0, APIs: 2, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C1DC53A
IsIconic.USER32(?), ref: 6C1DC54C

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 75a3920bce9d2b911281ee01e8399df7c38727ab989961f6ead547950c05870d
Instruction ID: 948c4fb4deae88b03fe752ca056bd540f0a370e1927fb5567db4fa28adf29a89
Opcode Fuzzy Hash: 75a3920bce9d2b911281ee01e8399df7c38727ab989961f6ead547950c05870d
Instruction Fuzzy Hash: 71F0E9333250206BD905253D9C106BEBB6D9F9B7347160326FA62D2AE09BD0681116D0

Function 6C1D0523 Relevance: 3.0, APIs: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6C1D0529
IsWindowVisible.USER32(?), ref: 6C1D0536

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: fdac2e9c4d777adc0ca7fa4eff1d5945492cfe52f17daa558d0f2002f3d4a3b4
Instruction ID: adc2c5e0c867d49da4d77ce8152315258a53bccaaf3e082478e16132c5c27c25
Opcode Fuzzy Hash: fdac2e9c4d777adc0ca7fa4eff1d5945492cfe52f17daa558d0f2002f3d4a3b4
Instruction Fuzzy Hash: 2FE08C31311611DFDA051F29D808AADBB79BF8A641305012AE90AC3620EBA0E8118B80

Function 6C1E8DFF Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 428windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1E8E09

Part of subcall function 6C1C9B7C: __EH_prolog3.LIBCMT ref: 6C1C9B83

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 6C1E8E81
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 6C1E8EB4
CopyRect.USER32(?,?), ref: 6C1E8EDB
GetObjectW.GDI32(?,00000018,?), ref: 6C1E8F08
GetSystemMetrics.USER32(00000032), ref: 6C1E8F25
GetSystemMetrics.USER32(00000031), ref: 6C1E8F30
GetSysColor.USER32(00000004), ref: 6C1E8F70
CreateCompatibleDC.GDI32(00000000), ref: 6C1E8F8A
CopyRect.USER32(?,?), ref: 6C1E8FDE
GetSysColor.USER32(0000000D), ref: 6C1E8FEF
GetSysColor.USER32(00000010), ref: 6C1E900F
GetSysColor.USER32(00000014), ref: 6C1E9019
GetSysColor.USER32(0000000D), ref: 6C1E904F
GetSysColor.USER32(00000007), ref: 6C1E91C4
ExtTextOutW.GDI32(00000001,?,?,00000002,00000000,?,?,00000000), ref: 6C1E9209
CreateCompatibleDC.GDI32(00000000), ref: 6C1E926E
InflateRect.USER32(00000000,000000FF,000000FF), ref: 6C1E9297
BitBlt.GDI32(00000003,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 6C1E92B6

Strings

@, xrefs: 6C1E8E6E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Color$Rect$CompatibleCopyCreateInfoItemMenuMetricsSystem$H_prolog3H_prolog3_InflateObjectText
String ID: @
API String ID: 364174344-2766056989
Opcode ID: 32f1097b99d0d01b580bbb3c163c835fd69a235aa0a3e8f768ac5161667bf99c
Instruction ID: 4b6f0b8f398321b2598de8b8312440ef8cf27b21fadb0b10adf2d83e35e65a07
Opcode Fuzzy Hash: 32f1097b99d0d01b580bbb3c163c835fd69a235aa0a3e8f768ac5161667bf99c
Instruction Fuzzy Hash: B7F15671A016189FDF04DFA8CC98BEDBBB9BF4A314F144159E906AB290CB74AD45CF50

Function 6C24CAB7 Relevance: 34.7, APIs: 23, Instructions: 236windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C24CAC1
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6C24CAF7

Part of subcall function 6C24E0A4: __EH_prolog3_GS.LIBCMT ref: 6C24E0AE
Part of subcall function 6C24E0A4: GetObjectW.GDI32(?,00000018,?), ref: 6C24E0D3
Part of subcall function 6C24E0A4: GetObjectW.GDI32(?,00000054,?), ref: 6C24E118

GetObjectW.GDI32(?,00000018,?), ref: 6C24CB31
DeleteObject.GDI32(?), ref: 6C24CBB6
CreateCompatibleDC.GDI32(00000000), ref: 6C24CBE4
GetObjectW.GDI32(?,00000018,?), ref: 6C24CC00
GetObjectW.GDI32(?,00000018,?), ref: 6C24CC4A
SelectObject.GDI32(?,?), ref: 6C24CC6D
SelectObject.GDI32(?,?), ref: 6C24CCA4
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C24CCCA
SelectObject.GDI32(?,00000000), ref: 6C24CCE5
CreateCompatibleDC.GDI32(?), ref: 6C24CD15
SelectObject.GDI32(?,?), ref: 6C24CD33
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C24CD72
SelectObject.GDI32(?,?), ref: 6C24CD87
BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C24CDBD
SelectObject.GDI32(?,?), ref: 6C24CDCF
SelectObject.GDI32(?,00000000), ref: 6C24CDE0
DeleteObject.GDI32(?), ref: 6C24CDF1
DeleteObject.GDI32(?), ref: 6C24CE39
SelectObject.GDI32(?,?), ref: 6C24CE51
SelectObject.GDI32(?,00000000), ref: 6C24CE62
DeleteObject.GDI32(?), ref: 6C24CE6E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$H_prolog3_$BitmapCopyImage
String ID:
API String ID: 1780083495-0
Opcode ID: c8e1b9ee39a6dc5a6c2f2624f53a766c49307657937d2427dc4eee706e5c25b9
Instruction ID: d62e75f49e94bb7196d81eb6ffed86bbbcce987e329c3fd6ce2fa5ce76e71e4f
Opcode Fuzzy Hash: c8e1b9ee39a6dc5a6c2f2624f53a766c49307657937d2427dc4eee706e5c25b9
Instruction Fuzzy Hash: 23A14F70A02629EFEF259F65CC44BEDBBB8BF0A715F104194F91AA2650DB309E94CF50

Function 6C210ECD Relevance: 31.8, APIs: 21, Instructions: 283fileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C210EF7
GetCurrentProcess.KERNEL32 ref: 6C210F02
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000002), ref: 6C210F15
GetLastError.KERNEL32 ref: 6C210F5F
SetFilePointer.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C210F8C
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C210F9A
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C210FB9
SetEndOfFile.KERNEL32(?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C210FEA
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C211004
GetFileSize.KERNEL32(?,?,00000000,?,?,?,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C211021
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C21102F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ErrorLast$File$CurrentProcess$DuplicateHandlePointerSize
String ID:
API String ID: 1051015183-0
Opcode ID: a6a11b4bcfb8eeb64a8a0eb32c629387f981390f1c18ff46a53085b03f6091da
Instruction ID: edd5145570d7e89094014e50d736e8b82ffb582ed41d957c3cc07c91fb16e237
Opcode Fuzzy Hash: a6a11b4bcfb8eeb64a8a0eb32c629387f981390f1c18ff46a53085b03f6091da
Instruction Fuzzy Hash: E7918E71605219BFDF149FA5CC08EDABBBCEF06265F108629FD1697A40DB70D910DBA0

Function 6C1D4FD7 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1E4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1E4E55

GetParent.USER32(6C1DA23E), ref: 6C1D5018
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C1D503A
GetWindowRect.USER32(6C1DA23E,?), ref: 6C1D505E
GetWindowLongW.USER32(00000000,000000F0), ref: 6C1D507E
MonitorFromWindow.USER32(00000000,00000001), ref: 6C1D50B7
GetMonitorInfoW.USER32(00000000), ref: 6C1D50BE
CopyRect.USER32(?,?), ref: 6C1D50CC
GetWindowRect.USER32(00000000,?), ref: 6C1D50D9
MonitorFromWindow.USER32(00000000,00000002), ref: 6C1D50E6
GetMonitorInfoW.USER32(00000000), ref: 6C1D50ED
CopyRect.USER32(?,?), ref: 6C1D50FB
GetParent.USER32(6C1DA23E), ref: 6C1D5105
GetClientRect.USER32(00000000,?), ref: 6C1D5112
GetClientRect.USER32(00000000,?), ref: 6C1D511D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6C1D512B

Strings

(, xrefs: 6C1D5099

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
String ID: (
API String ID: 3610148278-3887548279
Opcode ID: ff089c34b6c99390d8396bb70a3aa0a2e15d953ebbe96dca7e7c88cc935c97c0
Instruction ID: 8ed9b909a0937d78745249027ee780dbb34a9671b32a1cc8cdb40fdc7c051975
Opcode Fuzzy Hash: ff089c34b6c99390d8396bb70a3aa0a2e15d953ebbe96dca7e7c88cc935c97c0
Instruction Fuzzy Hash: DC614E72A016199FDF01CFA8C988BEEB7B9FF4A305F254215E516BB240DB70E945CB60

Function 6C202843 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 317windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C20284A
MessageBeep.USER32(000000FF), ref: 6C202868
ScreenToClient.USER32(?,?), ref: 6C2028E5
UpdateWindow.USER32(?), ref: 6C202960
UpdateWindow.USER32(?), ref: 6C2029AE
GetFocus.USER32 ref: 6C202B38
GetParent.USER32(?), ref: 6C202B53
GetParent.USER32(?), ref: 6C202B81
UpdateWindow.USER32(?), ref: 6C202C15
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C202C52

Strings

T}4l, xrefs: 6C202A20

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: UpdateWindow$MessageParent$BeepClientFocusH_prolog3_ScreenSend
String ID: T}4l
API String ID: 841119998-3324797550
Opcode ID: d0a44ceb4251134f9dfc2d03bba8476f5896966f5b2fdf96ef7d6e917c828f24
Instruction ID: e02da4d6ba4545edfa7b699331166c289e4742d16a01d8d7ef938544af3fda23
Opcode Fuzzy Hash: d0a44ceb4251134f9dfc2d03bba8476f5896966f5b2fdf96ef7d6e917c828f24
Instruction Fuzzy Hash: F1C1A071B0161ADBCF159F64C888BAD7BB9BF4A319F15026AFC26A7790DB309811CF50

Function 6C2B8926 Relevance: 24.4, APIs: 16, Instructions: 395COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C2B892D
GetCursorPos.USER32(?), ref: 6C2B89E6
IsRectEmpty.USER32(?), ref: 6C2B8A1A
IsRectEmpty.USER32(?), ref: 6C2B8A41
IsRectEmpty.USER32(?), ref: 6C2B8A63
GetWindowRect.USER32(?,?), ref: 6C2B8A91
GetWindowRect.USER32(?,?), ref: 6C2B8AC1
PtInRect.USER32(?,?,?), ref: 6C2B8B0E
OffsetRect.USER32(?,?,00000000), ref: 6C2B8B26

Part of subcall function 6C2B9F12: __EH_prolog3.LIBCMT ref: 6C2B9F19
Part of subcall function 6C2B9F12: SetRectEmpty.USER32 ref: 6C2BA019
Part of subcall function 6C2B9F12: SetRectEmpty.USER32(?), ref: 6C2BA020

SetRectEmpty.USER32(?), ref: 6C2B8B49
OffsetRect.USER32(?,?,?), ref: 6C2B8CDA
IsRectEmpty.USER32(?), ref: 6C2B8CFA
IsRectEmpty.USER32(?), ref: 6C2B8D2D
PtInRect.USER32(?,00000000,00000000), ref: 6C2B8D41
OffsetRect.USER32(?,?,?), ref: 6C2B8D6D
IsRectEmpty.USER32(?), ref: 6C2B8D8C

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
String ID:
API String ID: 359163869-0
Opcode ID: 5849c51170942331908c6230e4ccef2717fc91969512d23c5f87a3d46ff419cb
Instruction ID: f99b4ee27d05560231be07aede1868bd85ccaebf372d1a125a74d3ad7b63e41f
Opcode Fuzzy Hash: 5849c51170942331908c6230e4ccef2717fc91969512d23c5f87a3d46ff419cb
Instruction Fuzzy Hash: EEE1BE76A0160ADFDF05CFA4C884AAEBBB9FF49349F14415AED09AB645DB30E841CB40

Function 6C1DCBB8 Relevance: 22.7, APIs: 15, Instructions: 236windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6C1DCC4B
GetDlgItem.USER32(?,?), ref: 6C1DCD08
ShowWindow.USER32(00000000,00000000,?,?,?), ref: 6C1DCD16
GetMenu.USER32(?), ref: 6C1DCD28
InvalidateRect.USER32(?,00000000,00000001), ref: 6C1DCD44
GetDlgItem.USER32(?,0000E900), ref: 6C1DCD90
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6C1DCDA4
GetDlgItem.USER32(?,0000EA21), ref: 6C1DCDC0
GetDlgItem.USER32(?,0000E900), ref: 6C1DCDD6
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6C1DCDE8
SetWindowLongW.USER32(?,000000F4,0000E900), ref: 6C1DCDF4
InvalidateRect.USER32(?,00000000,00000001), ref: 6C1DCE07
SetMenu.USER32(?,00000000), ref: 6C1DCE1E
GetDlgItem.USER32(?,?), ref: 6C1DCE7B
ShowWindow.USER32(?,00000005), ref: 6C1DCE89

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$Ctrl
String ID:
API String ID: 599340499-0
Opcode ID: 74b10f1650a960d3e39d4f5c33323841adea9982b2ab7110fe704520e37f92a1
Instruction ID: 84d07ce01429049a9c6bbdd1e913d8b0bc8daa85e3c1e51832b3e94354050f94
Opcode Fuzzy Hash: 74b10f1650a960d3e39d4f5c33323841adea9982b2ab7110fe704520e37f92a1
Instruction Fuzzy Hash: 54918D34B01616EFDF04DF68C898BADBBB5FF0A315F110565E916AB690DB70A910CF90

Function 6C1E2ADA Relevance: 21.4, APIs: 14, Instructions: 439COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 6C1E2B13
GetClientRect.USER32(?,?), ref: 6C1E2B5E
BeginDeferWindowPos.USER32(?), ref: 6C1E2B89
GetWindowRect.USER32(?,?), ref: 6C1E2C6F
OffsetRect.USER32(?,?,00000000), ref: 6C1E2CA6
OffsetRect.USER32(?,?,00000000), ref: 6C1E2CDC
OffsetRect.USER32(?,00000002,00000000), ref: 6C1E2D06
EqualRect.USER32(?,?), ref: 6C1E2D14
OffsetRect.USER32(?,00000000,?), ref: 6C1E2DE1
OffsetRect.USER32(?,00000000,00000002), ref: 6C1E2E19
OffsetRect.USER32(?,00000000,00000002), ref: 6C1E2E3F
EqualRect.USER32(?,?), ref: 6C1E2E76
EndDeferWindowPos.USER32(00000000), ref: 6C1E2F8C
SetRectEmpty.USER32(?), ref: 6C1E2F9D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: fba9aaf5f0b3383aa76904d9f2895f51f199ad163a3690c45cea36633273f03c
Instruction ID: db641b9b3179c8fc7a2f4d27f0a1a3d22ffb9c4b53a2ce14a56575ef4b3effc1
Opcode Fuzzy Hash: fba9aaf5f0b3383aa76904d9f2895f51f199ad163a3690c45cea36633273f03c
Instruction Fuzzy Hash: 2F021971A0161ACFDF04CFA8C998BADBBB9BF49308F244169E806EB251D770A945CF50

Function 6C23A555 Relevance: 21.3, APIs: 14, Instructions: 292keyboardwindowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6C23A639
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C23A65D
IsWindow.USER32(?), ref: 6C23A6D0
IsWindow.USER32(?), ref: 6C23A75E
ClientToScreen.USER32(?,?), ref: 6C23A776
ClientToScreen.USER32(?,?), ref: 6C23A7A4
GetKeyState.USER32(00000011), ref: 6C23A7E8
GetKeyState.USER32(00000010), ref: 6C23A7F4
ImmGetContext.IMM32(?), ref: 6C23A801
ImmGetOpenStatus.IMM32(00000000,?), ref: 6C23A810
ImmReleaseContext.IMM32(?,00000000,?), ref: 6C23A835
GetFocus.USER32 ref: 6C23A867
IsWindow.USER32(?), ref: 6C23A8AB
IsWindow.USER32(?), ref: 6C23A909

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 60e5ad75ef3e9996e314682c6944ea92ba113603d2fdaa8d22cde0124c542e68
Instruction ID: 5d3695588c76baa484ae2d1d9dc020c1d6d43ad8a234b5984eda2a99fff296c7
Opcode Fuzzy Hash: 60e5ad75ef3e9996e314682c6944ea92ba113603d2fdaa8d22cde0124c542e68
Instruction Fuzzy Hash: EFB1BDB1A0161BDBDF018FA5C948AAE7BB5BF45309F109139FC6A92D60EB35D902CB50

Function 6C280823 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 263COMMON

Download Yara Rule

APIs

FillRect.USER32(56010845,?,?), ref: 6C28085D
FillRect.USER32(?,?,?), ref: 6C2808C4
FillRect.USER32(?,?,?), ref: 6C280967

Part of subcall function 6C1CC5AB: __EH_prolog3.LIBCMT ref: 6C1CC5B2
Part of subcall function 6C1CC5AB: CreateSolidBrush.GDI32(6C1D8A6F), ref: 6C1CC5CD

Strings

(^4l, xrefs: 6C2809B7
(^4l, xrefs: 6C280912
(^4l, xrefs: 6C280866
(^4l, xrefs: 6C280974
(^4l, xrefs: 6C280AD8
(^4l, xrefs: 6C2808D1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FillRect$BrushCreateH_prolog3Solid
String ID: (^4l$(^4l$(^4l$(^4l$(^4l$(^4l
API String ID: 1242064992-2836929755
Opcode ID: 538dedd4ec5f02a43f506904489b566450c5664b39a3c75724686f7c2412e32c
Instruction ID: 0ec3ed0885cb342a7d0b878fcb45662e916059ac8b413c55878fd3d3b93113e2
Opcode Fuzzy Hash: 538dedd4ec5f02a43f506904489b566450c5664b39a3c75724686f7c2412e32c
Instruction Fuzzy Hash: 02A16F71E0121ADFCF08CF98C9959EDBBB6FF59304F04811AF905AB690D774AA09CB90

Function 6C244E36 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 216COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C244E3D

Part of subcall function 6C1C9B7C: __EH_prolog3.LIBCMT ref: 6C1C9B83

Part of subcall function 6C2D4A63: __EH_prolog3.LIBCMT ref: 6C2D4A6A

Strings

MFCColorButton, xrefs: 6C244E99
MFCShellList, xrefs: 6C24502F
MFCVSListBox, xrefs: 6C245095
MFCEditBrowse, xrefs: 6C244ED3
MFCShellTree, xrefs: 6C245062
MFCMaskedEdit, xrefs: 6C244F81
MFCFontComboBox, xrefs: 6C244F0D
MFCButton, xrefs: 6C244E5C
MFCLink, xrefs: 6C244F47
MFCPropertyGrid, xrefs: 6C244FF5
MFCMenuButton, xrefs: 6C244FBB

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: H_prolog3
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 431132790-2110171958
Opcode ID: 9e95b953eed212e2b1354c86230244664dd2cdc666c78a8bfe81287dbc993cdd
Instruction ID: 1c8e59a8363dc43d1e13d6dd17beac36b260f1ec98805521cf753017803705b9
Opcode Fuzzy Hash: 9e95b953eed212e2b1354c86230244664dd2cdc666c78a8bfe81287dbc993cdd
Instruction Fuzzy Hash: 7261C635A0530A9AEF0DDAB4D510BEE73E45F1A21DF20542AF851E7EC0DF39860C8656

Function 6C1D0881 Relevance: 19.6, APIs: 13, Instructions: 146windowCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,?,?,00000000), ref: 6C1D0890
LockResource.KERNEL32(00000000), ref: 6C1D089F

Part of subcall function 6C1D07DA: _memcpy_s.LIBCMT ref: 6C1D07E9

GetSysColor.USER32 ref: 6C1D0923
GetSysColor.USER32 ref: 6C1D0936
GetSysColor.USER32 ref: 6C1D0951
GetDC.USER32(00000000), ref: 6C1D0987
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 6C1D0997
CreateCompatibleDC.GDI32(00000000), ref: 6C1D09A5
SelectObject.GDI32(00000000,?), ref: 6C1D09B1
StretchDIBits.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C1D09E4
SelectObject.GDI32(00000000,00000000), ref: 6C1D09EC
DeleteDC.GDI32(00000000), ref: 6C1D09F3
ReleaseDC.USER32(00000000,00000000), ref: 6C1D09FF

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch_memcpy_s
String ID:
API String ID: 367613035-0
Opcode ID: a2e92a1c9623fa815123e0612b7a62a07194a1c21104537568389cde2e26951f
Instruction ID: 5d2dc36c9bca4652914670a518748aa1e9d3f0abe4151f960c956911701540a1
Opcode Fuzzy Hash: a2e92a1c9623fa815123e0612b7a62a07194a1c21104537568389cde2e26951f
Instruction Fuzzy Hash: 5041B572A02218AFEB009F58CC44ABFBBBDFF87355B158059F506E7240DB70A901CBA1

Function 6C1E4588 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 171windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,00000403), ref: 6C1E45B8
GetFocus.USER32 ref: 6C1E45D2
GetParent.USER32(?), ref: 6C1E45DD
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6C1E45F2
CheckMenuItem.USER32(?,?,00000400), ref: 6C1E4645
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C1E4660
SendMessageW.USER32(?,000000F1,?,00000000), ref: 6C1E467D
SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 6C1E46EA
SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 6C1E473A

Strings

0, xrefs: 6C1E4729
@, xrefs: 6C1E4730

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ItemMenu$MessageSend$BitmapsCheckEnableFocusInfoParent
String ID: 0$@
API String ID: 2977031974-1545510068
Opcode ID: 0c1f2996df228a85c5acd599f4d77957afc0c11da104341d189b13a3de4b2783
Instruction ID: a872ca6018eb2f532e1389c4602c7664791b589d2cb66b3caae520d7e67b7467
Opcode Fuzzy Hash: 0c1f2996df228a85c5acd599f4d77957afc0c11da104341d189b13a3de4b2783
Instruction Fuzzy Hash: 7C51A071601A04EFEB248F95C844B9ABBB9FF49709F108629E559DBA50CB70E885CFD0

Function 6C284FE4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C28500E
MonitorFromPoint.USER32(0^5l,?,00000002), ref: 6C28503D
GetMonitorInfoW.USER32(00000000), ref: 6C285044
CopyRect.USER32(?,?), ref: 6C285056
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C285066
OffsetRect.USER32(?,?,00000000), ref: 6C285089
OffsetRect.USER32(?,?,00000000), ref: 6C2850AC
OffsetRect.USER32(?,00000000,?), ref: 6C2850D1
OffsetRect.USER32(?,00000000,?), ref: 6C2850F5

Strings

(, xrefs: 6C28502A
0^5l, xrefs: 6C285038

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
String ID: ($0^5l
API String ID: 4030222242-507558882
Opcode ID: 752b86e586afb63b4490b771d85ca6475a80002066b49e1b565bf0b3cb32f461
Instruction ID: 8bbc037515c0c83b13badd6bbded98b335cd76f83e16d4487487e7a6a2f02bee
Opcode Fuzzy Hash: 752b86e586afb63b4490b771d85ca6475a80002066b49e1b565bf0b3cb32f461
Instruction Fuzzy Hash: 48411071A1250AEFEB08CF64C984D7EF779FB49705720822DE817A7644DB70AD09CB91

Function 6C200487 Relevance: 18.4, APIs: 12, Instructions: 406timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C20048E
SetCursor.USER32(?,00000048,6C1FF935,00000000,00000200,00000000), ref: 6C20052D

Part of subcall function 6C1CD0FD: __EH_prolog3.LIBCMT ref: 6C1CD104
Part of subcall function 6C1CD0FD: GetDC.USER32(00000000), ref: 6C1CD130

Part of subcall function 6C1E9E45: __EH_prolog3_GS.LIBCMT ref: 6C1E9E4C
Part of subcall function 6C1E9E45: CreateRectRgnIndirect.GDI32(?), ref: 6C1E9E84
Part of subcall function 6C1E9E45: CopyRect.USER32(?,?), ref: 6C1E9E98
Part of subcall function 6C1E9E45: InflateRect.USER32(?,?,?), ref: 6C1E9EAE
Part of subcall function 6C1E9E45: IntersectRect.USER32(?,?,?), ref: 6C1E9EBA
Part of subcall function 6C1E9E45: CreateRectRgnIndirect.GDI32(?), ref: 6C1E9EC4
Part of subcall function 6C1E9E45: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1E9ED9
Part of subcall function 6C1E9E45: CombineRgn.GDI32(?,?,?,00000003), ref: 6C1E9EF3
Part of subcall function 6C1E9E45: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1E9F3A
Part of subcall function 6C1E9E45: SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C1E9F57
Part of subcall function 6C1E9E45: CopyRect.USER32(?,?), ref: 6C1E9F62

Part of subcall function 6C1CD152: ReleaseDC.USER32(?,00000000), ref: 6C1CD186

GetFocus.USER32 ref: 6C2005C4
SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6C2006B5
TrackMouseEvent.USER32(?,?,?,?,?,?,00000000), ref: 6C2006EC
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C200772
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 6C2008AD
InflateRect.USER32(?,00000000,?), ref: 6C2008F3
RedrawWindow.USER32(?,?,00000000,00000401,?,?,?,?,?,00000000), ref: 6C200906
KillTimer.USER32(?,0000EC07,?,?,?,?,?,00000000), ref: 6C200995
SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6C2009B3
UpdateWindow.USER32(?), ref: 6C2009DC

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Create$Timer$CopyH_prolog3_IndirectInflateWindow$CombineCursorEventFocusH_prolog3IntersectInvalidateKillMessageMouseRedrawReleaseSendTrackUpdate
String ID:
API String ID: 3035320136-0
Opcode ID: f1fa0bc6582f2ea4c3cb26b0edcdabdd59b3dc1964eef665e92867c93f9d523b
Instruction ID: 6e21df7ca7daf2e751cdefdab3d19edafcb87afa5939a7e056a3b0ab6e38d180
Opcode Fuzzy Hash: f1fa0bc6582f2ea4c3cb26b0edcdabdd59b3dc1964eef665e92867c93f9d523b
Instruction Fuzzy Hash: E0F18230701A5AAFEB09CF64C854BEDBBB5BF45319F10431AF829A7690DB74A851CF81

Function 6C2CCF52 Relevance: 18.2, APIs: 12, Instructions: 172windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2CD165: LoadCursorW.USER32(00000000,00007F8B), ref: 6C2CD17D
Part of subcall function 6C2CD165: LoadCursorW.USER32(?,00007901), ref: 6C2CD19A

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6C2CCF88
PostMessageW.USER32(?,00000111,0000E145,?), ref: 6C2CD004
SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 6C2CD029
GetCursorPos.USER32(?), ref: 6C2CD043
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C2CD06F
ReleaseCapture.USER32 ref: 6C2CD0C6
SetCapture.USER32(?), ref: 6C2CD0CF
ReleaseCapture.USER32 ref: 6C2CD0DB
SendMessageW.USER32(?,00000362,?,00000000), ref: 6C2CD0ED
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 6C2CD12D
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C2CD15A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: b6f9106e682b671b3bfab6d90bf19f9755b8f4589f3d0f2f203dd2ad44df3d8d
Instruction ID: 8987110920d4d73c5ac3c6782ff94bc762a42d92fd2119ea98b79c203ed4381b
Opcode Fuzzy Hash: b6f9106e682b671b3bfab6d90bf19f9755b8f4589f3d0f2f203dd2ad44df3d8d
Instruction Fuzzy Hash: 93516075B41209EFEF019FA5C848E9E7BB9FF8A705F100169FD06AB291CB709901CB61

Function 6C224E4C Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C224E53
FillRect.USER32(?,?,?), ref: 6C224F60
InflateRect.USER32(?,00000000,000000FF), ref: 6C224F9B
FillRect.USER32(?,?,?), ref: 6C224FB9
GetParent.USER32(?), ref: 6C22504B
GetParent.USER32(?), ref: 6C224FF5

Part of subcall function 6C2852C3: IsWindow.USER32(00000000), ref: 6C2852E2

GetParent.USER32(?), ref: 6C225124
GetParent.USER32(?), ref: 6C225183

Strings

0^5l, xrefs: 6C225005, 6C225134

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Parent$Rect$Fill$H_prolog3_InflateWindow
String ID: 0^5l
API String ID: 353189481-1366870978
Opcode ID: 540c6708ed999146b014e5e2e4d911cd91d2411ac1932b4f7b166e3114cea0f2
Instruction ID: 81a778654b442c97d81c9bf775e1324ce761359c9b301751ee166ae76cf20902
Opcode Fuzzy Hash: 540c6708ed999146b014e5e2e4d911cd91d2411ac1932b4f7b166e3114cea0f2
Instruction Fuzzy Hash: A1E14E31A01619DFDF05DFA4C884AEEBBBABF4A314F150129FD06BB640DB75A905CB90

Function 6C216F5B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C216F62
InflateRect.USER32(?), ref: 6C216F8A
DrawFocusRect.USER32(?,?), ref: 6C216FF4
InflateRect.USER32(?), ref: 6C217008
InflateRect.USER32(?), ref: 6C217050
InflateRect.USER32(?), ref: 6C2170A0
CreateHatchBrush.GDI32(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C2170C4
FillRect.USER32(?,?,00000000), ref: 6C2170DF

Strings

(^4l, xrefs: 6C2170AA

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Inflate$BrushCreateDrawFillFocusH_prolog3Hatch
String ID: (^4l
API String ID: 4128771895-3721299443
Opcode ID: 7c76b9b6778883f9070974a4508df4e8ed5502cc9a7ee3c0a7378487b5357f8d
Instruction ID: 89432c849c34a6451f20bb832006e90de461655dd079cd8382b252e46b005ed8
Opcode Fuzzy Hash: 7c76b9b6778883f9070974a4508df4e8ed5502cc9a7ee3c0a7378487b5357f8d
Instruction Fuzzy Hash: C851297190011DAFDB10DFA5C884EDF7BBCEF4A715F008166F915A7A50DB749A08CBA1

Function 6C20249F Relevance: 15.2, APIs: 10, Instructions: 233COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C252823

Part of subcall function 6C1CD1DC: __EH_prolog3.LIBCMT ref: 6C1CD1E3
Part of subcall function 6C1CD1DC: GetWindowDC.USER32(00000000,00000004,6C1E78A0,00000000), ref: 6C1CD20F

GetClientRect.USER32(?,?), ref: 6C25284D
GetWindowRect.USER32(?,?), ref: 6C252864

Part of subcall function 6C1CD2F4: ScreenToClient.USER32(?,00000000), ref: 6C1CD303
Part of subcall function 6C1CD2F4: ScreenToClient.USER32(?,00000008), ref: 6C1CD310

OffsetRect.USER32(?,?,?), ref: 6C252886

Part of subcall function 6C1CCCC1: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C1CCCF8
Part of subcall function 6C1CCCC1: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C1CCD15

Part of subcall function 6C1E4E72: GetWindowLongW.USER32(?,000000EC), ref: 6C1E4E7F

GetWindowRect.USER32(?,?), ref: 6C2528DA
GetRgnBox.GDI32(?,?), ref: 6C2528F5
OffsetRect.USER32(?,?,?), ref: 6C25290F
CreateRectRgnIndirect.GDI32(?), ref: 6C252929

Part of subcall function 6C1CCD83: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 6C1CCDA6
Part of subcall function 6C1CCD83: ExtSelectClipRgn.GDI32(?,00000000,?), ref: 6C1CCDBF

OffsetRgn.GDI32(?,?,?), ref: 6C252964
OffsetRect.USER32(?,?,?), ref: 6C252985

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$ClipOffsetWindow$Client$ExcludeScreenSelect$CreateH_prolog3H_prolog3_IndirectLong
String ID:
API String ID: 3148124242-0
Opcode ID: 191d47878956a87fee8eeee7d830d5383a66a84a65cc55702cce953aa105d403
Instruction ID: efb46be10e2519306884d5f439f9e63ad75687e6f28b6da23cb2bb3968ebbb06
Opcode Fuzzy Hash: 191d47878956a87fee8eeee7d830d5383a66a84a65cc55702cce953aa105d403
Instruction Fuzzy Hash: 28914071E1061D9FCF01DFA4C898AEEBBB9FF5A304F144119F806AB650DB74A945CB50

Function 6C29E599 Relevance: 15.2, APIs: 10, Instructions: 165windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1CC827: SelectObject.GDI32(?,00000000), ref: 6C1CC847
Part of subcall function 6C1CC827: SelectObject.GDI32(?,00000000), ref: 6C1CC85D

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 6C29E5F4
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 6C29E60E
PatBlt.GDI32(?,00F00021,?,00F00021,?,00F00021), ref: 6C29E62C
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 6C29E64A
InflateRect.USER32(?,000000FE,000000FE), ref: 6C29E659
InflateRect.USER32(?,000000FE,000000FE), ref: 6C29E665
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 6C29E69D
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 6C29E6C0
PatBlt.GDI32(?,00F00021,?,00F00021,?,00F00021), ref: 6C29E6E7
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 6C29E70E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: InflateObjectRectSelect
String ID:
API String ID: 4092023516-0
Opcode ID: b28280b2977bee43de802e3b81b7de4e7bc1d7264c140888cd540af81400420f
Instruction ID: 6762da27b9a5060d13990ff0490afce56afe691b1d636c0684a183f3ca674c7d
Opcode Fuzzy Hash: b28280b2977bee43de802e3b81b7de4e7bc1d7264c140888cd540af81400420f
Instruction Fuzzy Hash: 8E51E37260024AAFDF01DFA8CD89DEF3FBAFB89314B044118FD1596254CA75E860DB61

Function 6C1E0E01 Relevance: 15.1, APIs: 10, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1E0E0B
GetMenuItemCount.USER32(?), ref: 6C1E0E37
GetSubMenu.USER32(?,00000000), ref: 6C1E0E6D
GetMenuState.USER32(?,?,00000400), ref: 6C1E0E8A
GetSubMenu.USER32(?,00000000), ref: 6C1E0EE7
GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 6C1E0F10
AppendMenuW.USER32(?,00000010,?,?), ref: 6C1E0F98
GetMenuItemCount.USER32(00000000), ref: 6C1E1008
InsertMenuW.USER32(?,00000000,?,00000000), ref: 6C1E1035
GetMenuItemID.USER32(?,?), ref: 6C1E1066

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
String ID:
API String ID: 2171526683-0
Opcode ID: e747a17e75a2658de54ae861425c3dbb41a2a356db331e0b9dacecc10f1654e8
Instruction ID: 8f623b684211c06c7bb7ce42c0f3ad8cbab76d3323ba22988c7be537a37e85b1
Opcode Fuzzy Hash: e747a17e75a2658de54ae861425c3dbb41a2a356db331e0b9dacecc10f1654e8
Instruction Fuzzy Hash: 98612271942229AFDF24DF64DD88BD9B7B5BB19304F1000E9E509E62A0DB749ED0DF50

Function 6C1DAC50 Relevance: 15.1, APIs: 10, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C1DAC57
FindResourceW.KERNEL32(?,00000000,00000005,00000024,6C1C7C26), ref: 6C1DAC98
LoadResource.KERNEL32(?,00000000), ref: 6C1DACA4
LockResource.KERNEL32(?,00000024,6C1C7C26), ref: 6C1DACB4
GetDesktopWindow.USER32 ref: 6C1DACEB
IsWindowEnabled.USER32(00000000), ref: 6C1DACF6
EnableWindow.USER32(00000000,00000000), ref: 6C1DAD02
EnableWindow.USER32(00000000,00000001), ref: 6C1DADE6
GetActiveWindow.USER32 ref: 6C1DADF0
SetActiveWindow.USER32(00000000,?,00000024,6C1C7C26), ref: 6C1DADFC

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindH_prolog3_catchLoadLock
String ID:
API String ID: 723642982-0
Opcode ID: 716096c253566a113fbdb0a317f7076219eba63727c47ba81d6dba590306974d
Instruction ID: e75de50eae25e715563197e3a64d65d71eedd253202a2f2050b8e8c36510ff89
Opcode Fuzzy Hash: 716096c253566a113fbdb0a317f7076219eba63727c47ba81d6dba590306974d
Instruction Fuzzy Hash: 4B517170A01B16DBDF00DFA0C884BEEBBB9BF49719F150115D916B7791DB34A804CBA1

Function 6C1D29E4 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 301windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1D2A05
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1D2A4F

Strings

RestartByRestartManager, xrefs: 6C1D2BB8, 6C1D2BBD, 6C1D2BC5
%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 6C1D2B7F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MessagePost
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
API String ID: 410705778-5890034
Opcode ID: 2a15723c028da69418c00e09b003bafd160d014206067d20f589993d8cdfc4cc
Instruction ID: 29d925f22728c254e3e56931cdad0da4273986561471475c6ad1b40143cced18
Opcode Fuzzy Hash: 2a15723c028da69418c00e09b003bafd160d014206067d20f589993d8cdfc4cc
Instruction Fuzzy Hash: B2B1CF32A00219AFCF05DBA4D858AFEBBBAFF49314F150069F912A7750DB34AD15DB60

Function 6C218B50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 236windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C218B57
GetParent.USER32(?), ref: 6C218B6B

Part of subcall function 6C1E4E72: GetWindowLongW.USER32(?,000000EC), ref: 6C1E4E7F

Part of subcall function 6C28515C: __EH_prolog3.LIBCMT ref: 6C285163
Part of subcall function 6C28515C: SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6C285186
Part of subcall function 6C28515C: SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6C28519A
Part of subcall function 6C28515C: GetClassLongW.USER32(00000000,000000DE), ref: 6C2851F7
Part of subcall function 6C28515C: GetClassLongW.USER32(00000000,000000F2), ref: 6C285208

GetSystemMetrics.USER32(00000032), ref: 6C218BB4
GetSystemMetrics.USER32(00000031), ref: 6C218BBF
GetSystemMetrics.USER32(00000004), ref: 6C218BD0
GetSystemMetrics.USER32(00000004), ref: 6C218BDC
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 6C218C39

Strings

0^5l, xrefs: 6C218B9D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MetricsSystem$Long$ClassH_prolog3MessageSend$DrawIconParentWindow
String ID: 0^5l
API String ID: 1977492230-1366870978
Opcode ID: b0050d940c538af9ae4aa72abb58662ebf8ce6463a69fba4fac8481b6ece4f87
Instruction ID: df5d6dd08d45061409ad5b286242aa7aaeba2231188141250663bcaba79a1bcf
Opcode Fuzzy Hash: b0050d940c538af9ae4aa72abb58662ebf8ce6463a69fba4fac8481b6ece4f87
Instruction Fuzzy Hash: 93917B75A016199FCF05DFA8C884AEEBBF6BF49314F15012AF906E7780DB74A901CB90

Function 6C2B254F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 183windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C2B2556
GetSystemMenu.USER32(?,00000000), ref: 6C2B2607
IsMenu.USER32(?), ref: 6C2B261D
IsMenu.USER32(?), ref: 6C2B2631
GetWindowLongW.USER32(?,000000F0), ref: 6C2B2656
GetMenuItemInfoW.USER32(00000000,0000F060,00000000,00000030), ref: 6C2B2758
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6C2B27BB

Strings

0, xrefs: 6C2B273E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem
String ID: 0
API String ID: 2328916801-4108050209
Opcode ID: 8a545d261c2005e3d0904b5e4f8595dcf701da196fb2c808052c492c50e7b958
Instruction ID: 818b7cface1efe8c18625f1d9e50a1da08aa8ae80b5994e524aa6f34913066ea
Opcode Fuzzy Hash: 8a545d261c2005e3d0904b5e4f8595dcf701da196fb2c808052c492c50e7b958
Instruction Fuzzy Hash: 037172B074170BAFEB04CBB4C998BEDB7B4BF05359F200129E925A66D1DB70AA04CB55

Function 6C2DCD0D Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C2DCD14

Part of subcall function 6C2423BE: __EH_prolog3.LIBCMT ref: 6C2423C5

Part of subcall function 6C303520: SetRectEmpty.USER32(?), ref: 6C303555

SetRectEmpty.USER32(?), ref: 6C2DCE44
SetRectEmpty.USER32 ref: 6C2DCE55
SetRectEmpty.USER32(?), ref: 6C2DCE5C

Strings

(^4l, xrefs: 6C2DCDF6
False, xrefs: 6C2DCEC3, 6C2DCEC8, 6C2DCED0
D}4l, xrefs: 6C2DCD88
True, xrefs: 6C2DCE64, 6C2DCE6F, 6C2DCEB7

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: (^4l$D}4l$False$True
API String ID: 3752103406-1279186606
Opcode ID: 29389383539929c16832836da6ba6ae769e34bed868a40b252ef2b6a6795de4e
Instruction ID: 79e84ff5edc5a69e4bd581949f9ed0d6ba20a19fb1e080a2d40f30c77df6923b
Opcode Fuzzy Hash: 29389383539929c16832836da6ba6ae769e34bed868a40b252ef2b6a6795de4e
Instruction Fuzzy Hash: B251FDB09052018FDB4ACF28C484BE9BBE8BF19304F5881BEA81D9F396CB741204CF65

Function 6C1CA479 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 6C1CA60F

Part of subcall function 6C1CA43B: GetProcAddress.KERNEL32(00000000,?), ref: 6C1CA469

GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C1D3B60,00000000,6C38A3F8,00000014,6C1D3C28,InitCommonControlsEx,6C38A418,00000010,6C1D91DD,00000008,?), ref: 6C1CA529
SetLastError.KERNEL32(0000006F,?,6C1D3B60,00000000,6C38A3F8,00000014,6C1D3C28,InitCommonControlsEx,6C38A418,00000010,6C1D91DD,00000008,?), ref: 6C1CA53D
GetLastError.KERNEL32(00000020), ref: 6C1CA594

Strings

@, xrefs: 6C1CA5EA
GetModuleHandleExW, xrefs: 6C1CA4DC
Comctl32.dll, xrefs: 6C1CA5FB, 6C1CA600, 6C1CA60E
, xrefs: 6C1CA548

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: $@$Comctl32.dll$GetModuleHandleExW
API String ID: 3640817601-4183358198
Opcode ID: 50e8c9a0b632df1bdc67845bc0ce7c5aa95388420d506f81999baa8177c37679
Instruction ID: ab89b9311e6cc8fecb11453bbf9b9e610cc17849a1b254720f9bde81498d57e6
Opcode Fuzzy Hash: 50e8c9a0b632df1bdc67845bc0ce7c5aa95388420d506f81999baa8177c37679
Instruction Fuzzy Hash: 47412BB0B012249AEF228F64DC8CBDD76BCEB65718F204256F514D6990EB7CCA85CF52

Function 6C1DC84B Relevance: 13.6, APIs: 9, Instructions: 137windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1DC852
GetDesktopWindow.USER32 ref: 6C1DC898
GetWindow.USER32(00000000), ref: 6C1DC89F
IsWindowEnabled.USER32(00000000), ref: 6C1DC8AF
SendMessageW.USER32(00000000,0000036C,00000000,00000000), ref: 6C1DC8DA
EnableWindow.USER32(00000000,00000000), ref: 6C1DC8E6
GetWindow.USER32(00000000,00000002), ref: 6C1DC8FB
IsWindow.USER32(00000000), ref: 6C1DC998
EnableWindow.USER32(?,00000001), ref: 6C1DC9AD

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Enable$DesktopEnabledH_prolog3MessageSend
String ID:
API String ID: 1053735628-0
Opcode ID: ba187224a1717eeadc92fe3e65d8fb3170a0206e872c26b275f59cf343171378
Instruction ID: 21134cb03a068d45650db449e32a6143584c2fb3edea5001b11a29a20f7feb28
Opcode Fuzzy Hash: ba187224a1717eeadc92fe3e65d8fb3170a0206e872c26b275f59cf343171378
Instruction Fuzzy Hash: AC41E732A426129BEB15AF65C854BDF77B8BF12718F120929E91AF6680DF70E805CB50

Function 6C24AD88 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 261windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C24AC24: GdipGetImagePixelFormat.GDIPLUS(?,6C3A1B70,00000000,00000000,?,6C24ADCC,8BAE044A,?,00000000,6C3A1B70), ref: 6C24AC32

Part of subcall function 6C24AC68: GdipGetImagePalette.GDIPLUS(?,00000000,?,?,?,6C24AEEB,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,8BAE044A), ref: 6C24AC77

GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,8BAE044A,?,00000000,6C3A1B70), ref: 6C24AFE0
GdipBitmapUnlockBits.GDIPLUS(?,?,?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,8BAE044A,?,00000000), ref: 6C24B090
GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6C24B0E2
GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6C24B0ED
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000), ref: 6C24B0F8

Strings

&, xrefs: 6C24AE10
&, xrefs: 6C24AF9A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
String ID: &$ &
API String ID: 1665940520-360661826
Opcode ID: 8073cca5531be4405c0693a21951e48b1b6b3616640e7bbe28dfacc3da052783
Instruction ID: 11c4a83355bb8daebf3f16d50f568bf84db5c903505aab6079c5452f711d97ff
Opcode Fuzzy Hash: 8073cca5531be4405c0693a21951e48b1b6b3616640e7bbe28dfacc3da052783
Instruction Fuzzy Hash: 03A173F1A0122D9BCB298F14CC80AEDB7B9EF44318F5181A9EA19A7741D7319D85CF98

Function 6C1D6AEF Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 209libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C1D6B11
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 6C1D6B46
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 6C1D6B6E
ScreenToClient.USER32(?,?), ref: 6C1D6BFA

Strings

user32.dll, xrefs: 6C1D6B07
CloseGestureInfoHandle, xrefs: 6C1D6B60
GetGestureInfo, xrefs: 6C1D6B38

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 471820996-2905070798
Opcode ID: f1b91e2f0c3e291d6668ec89a227963fc2e6269d4c063585862938a8c614f6ef
Instruction ID: 0a8d298de4adeb8aa11fc59057c61771ce884e48261e16615ded7b25cdcf8ba5
Opcode Fuzzy Hash: f1b91e2f0c3e291d6668ec89a227963fc2e6269d4c063585862938a8c614f6ef
Instruction Fuzzy Hash: C381A474700A0AEFCB05CF69D994AA9BBB9FF4A344B110569E805D7B60DB35F950CF80

Function 6C20EE7E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 165timeCOMMON

Download Yara Rule

APIs

SystemTimeToVariantTime.OLEAUT32(?,?), ref: 6C20EEA1
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 6C20EECD
__EH_prolog3.LIBCMT ref: 6C20EF39
VarBstrFromDate.OLEAUT32(?,?,?,?,?), ref: 6C20EFD5
SysFreeString.OLEAUT32(?), ref: 6C20F028
SysFreeString.OLEAUT32(?), ref: 6C20F065

Strings

Invalid DateTime, xrefs: 6C20EFA3, 6C20F010

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Time$FreeStringSystemVariant$BstrDateFromH_prolog3
String ID: Invalid DateTime
API String ID: 4133050923-2190634649
Opcode ID: 84bd411396fea1bb2e713307566d2e6ce962d86ffaef944630d948e129c7ee08
Instruction ID: 1b1f6db345eb6d241cf8ebac2a36ca1b0d5e2a9c3ca257590fbc98badcb0f2f0
Opcode Fuzzy Hash: 84bd411396fea1bb2e713307566d2e6ce962d86ffaef944630d948e129c7ee08
Instruction Fuzzy Hash: 4051D63570010EABDB00EFA8C844AEEB774EF1571CF54420AF955ABB80EB309D91C7A5

Function 6C1D6979 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 130libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C1D69A4
GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 6C1D69D9
GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 6C1D6A01
ScreenToClient.USER32(?,?), ref: 6C1D6AC9

Strings

user32.dll, xrefs: 6C1D699A
GetTouchInputInfo, xrefs: 6C1D69CB
CloseTouchInputHandle, xrefs: 6C1D69F3

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 471820996-1853737257
Opcode ID: 1a28fdee1de0730ac8dd115a10291dab754e52835c0e413938a86da5c949adb6
Instruction ID: 6895fd60ca9d0cc6a139b3bdd436ad0185e6e6d37880f16004e534c2cc68be56
Opcode Fuzzy Hash: 1a28fdee1de0730ac8dd115a10291dab754e52835c0e413938a86da5c949adb6
Instruction Fuzzy Hash: 8E41D535701214EFCF04CF69C8489AD7BBDEB8A328B21486AF906D3794EB75E901CB50

Function 6C300F74 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C300F7B
IsAppThemed.UXTHEME(00000000,00000000,0000003C,6C300710,?,6C3010C7,00000000,?,00000000), ref: 6C300FBD
OpenThemeData.UXTHEME(?,Button,?,6C3010C7,00000000,?,00000000), ref: 6C300FE8
GetThemePartSize.UXTHEME(?,?,00000003,00000005,00000000,00000001,00000000,00000000,?,?,6C3010C7,00000000,?,00000000), ref: 6C30102F
CloseThemeData.UXTHEME(?,?,?,6C3010C7,00000000,?,00000000), ref: 6C301050
GetObjectW.GDI32(?,00000018,?), ref: 6C301079

Strings

Button, xrefs: 6C300FE2

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Theme$Data$CloseH_prolog3ObjectOpenPartSizeThemed
String ID: Button
API String ID: 1633685699-1034594571
Opcode ID: b122b4c869bc36f036e49b247f7aa1934f932eea5d1322236c4336fc7d43a7ce
Instruction ID: c24102389c6292cf6ae829e98768195e439f188cab1b0612fa446ff49327143d
Opcode Fuzzy Hash: b122b4c869bc36f036e49b247f7aa1934f932eea5d1322236c4336fc7d43a7ce
Instruction Fuzzy Hash: 32318F72B0020AAFEB059F64C855FEEB7B9BF44704F100029F652EA680EB75DA05DF61

Function 6C1F4FB0 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(00000000), ref: 6C1F5029
EnableWindow.USER32(00000000,00000000), ref: 6C1F5035
GetCapture.USER32 ref: 6C1F5042
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C1F5051
EnableWindow.USER32(00000000,00000001), ref: 6C1F512E
GetActiveWindow.USER32 ref: 6C1F5138
SetActiveWindow.USER32(00000000), ref: 6C1F5143
EnableWindow.USER32(00000000,00000001), ref: 6C1F5182

Part of subcall function 6C1D8DAA: UnhookWindowsHookEx.USER32(?), ref: 6C1D8DD4

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Enable$Active$CaptureEnabledHookMessageSendUnhookWindows
String ID:
API String ID: 1281840512-0
Opcode ID: 1ca408319148c5ba9c2078296911ee66d892d1b0aaf075c21f48ce0368e4a7d3
Instruction ID: f318fe48bb06ca244e9f619fa2de85e1f1e51053150e8af6ca1e840a8f0fc004
Opcode Fuzzy Hash: 1ca408319148c5ba9c2078296911ee66d892d1b0aaf075c21f48ce0368e4a7d3
Instruction Fuzzy Hash: 36518370B01706ABEB049F74C848BADBBF8BF16319F144618E526E7A80DF74E416DB90

Function 6C1D4D4B Relevance: 12.1, APIs: 8, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C1D4D95
BeginDeferWindowPos.USER32(00000008), ref: 6C1D4DAB
GetTopWindow.USER32(?), ref: 6C1D4DBC
GetDlgCtrlID.USER32(00000000), ref: 6C1D4DC5
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6C1D4DFD
GetWindow.USER32(00000000,00000002), ref: 6C1D4E06
CopyRect.USER32(?,?), ref: 6C1D4E21
EndDeferWindowPos.USER32(00000000), ref: 6C1D4EB1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 5ef69e79b0de4b8bd03471a50b975c6da377af0359e45a504fed311854425ec5
Instruction ID: f35f25d574efbabc943cde997931ebedf5e51fa73c8fdfd00a9a7bbf19d4d8c1
Opcode Fuzzy Hash: 5ef69e79b0de4b8bd03471a50b975c6da377af0359e45a504fed311854425ec5
Instruction Fuzzy Hash: 02512931A01219EFDF00CFA8C884BDEB7B9BF5A315F168059E815BB640C779A940CBA1

Function 6C200A00 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

Part of subcall function 6C257E2D: ReleaseCapture.USER32 ref: 6C257E64
Part of subcall function 6C257E2D: IsWindow.USER32(?), ref: 6C257E93
Part of subcall function 6C257E2D: DestroyWindow.USER32(?), ref: 6C257EA3

SetRectEmpty.USER32(?), ref: 6C200A2B
ReleaseCapture.USER32 ref: 6C200A31
SetCapture.USER32(?,?,?,?,6C1F89A2,?), ref: 6C200A44
GetCapture.USER32 ref: 6C200A83
ReleaseCapture.USER32 ref: 6C200A93
SetCapture.USER32(?,?,?,?,6C1F89A2,?), ref: 6C200AA6
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C200B44
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C200B91

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: cff623c7bb41825001f2af5022009bcbb2b28d31e202b3d043dbfe785aceb75e
Instruction ID: 76e18478a9ffa8de1c2409e5f52f01c84d461b5c0cdbec26b35f3c77cd2c377e
Opcode Fuzzy Hash: cff623c7bb41825001f2af5022009bcbb2b28d31e202b3d043dbfe785aceb75e
Instruction Fuzzy Hash: 5F41B131701656AFEB04DF74C884B9EBBBDFF45319F10026AE92AC3690DB30A915CB91

Function 6C23E9A8 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C23E9AF
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C23E9C8
DestroyAcceleratorTable.USER32(?), ref: 6C23EA09
GetTopWindow.USER32(?), ref: 6C23EA2B
GetWindow.USER32(?,00000002), ref: 6C23EA43
IsWindow.USER32(?), ref: 6C23EA60
GetParent.USER32(?), ref: 6C23EA6B
DestroyWindow.USER32(?), ref: 6C23EA77

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Destroy$AcceleratorH_prolog3MessageParentSendTable
String ID:
API String ID: 271420684-0
Opcode ID: 85d5802835c3baae7e6e669f7f37e2774b87ca0be6c426c7016d0af1a9ddaf49
Instruction ID: 4e64dfdedb83d0e5a393dc78a29c367f651a29d623b446650f80f5a69eea1c4f
Opcode Fuzzy Hash: 85d5802835c3baae7e6e669f7f37e2774b87ca0be6c426c7016d0af1a9ddaf49
Instruction Fuzzy Hash: 3421A971601609DBEB119FB0C848BDE7BB9BF8A315F541018F85AA7A50DF30A819CBA1

Function 6C1D2E1C Relevance: 12.1, APIs: 8, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 6C1D2E30
lstrcmpW.KERNEL32(00000000,?), ref: 6C1D2E49
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6C1D2E5E
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C1D2E7E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C1D2E86
GlobalLock.KERNEL32(00000000), ref: 6C1D2E94
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6C1D2EA5
ClosePrinter.WINSPOOL.DRV(?), ref: 6C1D2EBD

Part of subcall function 6C1E9896: GlobalFlags.KERNEL32(?), ref: 6C1E98A3
Part of subcall function 6C1E9896: GlobalUnlock.KERNEL32(?), ref: 6C1E98B1
Part of subcall function 6C1E9896: GlobalFree.KERNEL32(?), ref: 6C1E98BD

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 4d452c9679f2dfde9a0440024259651cb9881d79822b16b2b09651c1f7602db5
Instruction ID: c59e63c895cfccc6dcab53a312934a671a57c1458bb5c96eee22eeebbc6530f4
Opcode Fuzzy Hash: 4d452c9679f2dfde9a0440024259651cb9881d79822b16b2b09651c1f7602db5
Instruction Fuzzy Hash: 12119DB1501609BEEF125FA1CD88EAB7BFDEF00748B110429B62295931D731EE50EB70

Function 6C1ECACF Relevance: 12.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6C1ECAD5
GetSystemMetrics.USER32(0000000C), ref: 6C1ECAE0
GetSystemMetrics.USER32(00000002), ref: 6C1ECAEB
GetSystemMetrics.USER32(00000003), ref: 6C1ECAF9
GetDC.USER32(00000000), ref: 6C1ECB07
GetDeviceCaps.GDI32(00000000,00000058), ref: 6C1ECB12
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C1ECB1E
ReleaseDC.USER32(00000000,00000000), ref: 6C1ECB2A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 06724b1d01a2b42ba914fef3c3503270f819906a78f75efc88268bf95093a9b3
Instruction ID: a3e2a19c4249680e3d0abfe7f519bca739ab67d0dbf03128c3fba84f8c484136
Opcode Fuzzy Hash: 06724b1d01a2b42ba914fef3c3503270f819906a78f75efc88268bf95093a9b3
Instruction Fuzzy Hash: 34F09D75B82714ABEB106FB1980DB5A7A78FB57B12F00492AF603DA580DBB585118F90

Function 6C1E087A Relevance: 10.6, APIs: 7, Instructions: 122windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1E07A6: GetParent.USER32(00000024), ref: 6C1E0803
Part of subcall function 6C1E07A6: GetLastActivePopup.USER32(00000024), ref: 6C1E0816
Part of subcall function 6C1E07A6: IsWindowEnabled.USER32(00000024), ref: 6C1E082A
Part of subcall function 6C1E07A6: EnableWindow.USER32(00000024,00000000), ref: 6C1E083D

EnableWindow.USER32(?,00000001), ref: 6C1E08C5
GetWindowThreadProcessId.USER32(?,?), ref: 6C1E08DB
GetCurrentProcessId.KERNEL32 ref: 6C1E08E5
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C1E08FB
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6C1E0986
MessageBoxW.USER32(?,?,?,6C1C7FF4), ref: 6C1E09A8
EnableWindow.USER32(00000000,00000001), ref: 6C1E09CD

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID:
API String ID: 1924968399-0
Opcode ID: f5ba9e4eeeff9759c6ec256502a564f6adb447bea25b7cd078cc36aa57e26d67
Instruction ID: 0d067257ff437bc4ef3d99637c01fc36db635036989094ef6b9089d49662c719
Opcode Fuzzy Hash: f5ba9e4eeeff9759c6ec256502a564f6adb447bea25b7cd078cc36aa57e26d67
Instruction Fuzzy Hash: 4F41A171A4265D9BEB10CF28CC88BEAB7B8EB19704F1001A9E51DE7640DB70DE80DF50

Function 6C1E4C62 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1E4C6C
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 6C1E4D71
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C1E4D8E
RegCloseKey.ADVAPI32(?), ref: 6C1E4DAF
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6C1E4DCA

Strings

Software\, xrefs: 6C1E4CD9

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: ce30ce1d80eb6b13e2fca59bec642cc06a5d24aaff04c4c8cf0fa00faa92aa89
Instruction ID: d7ba081e338f976181764f82cf4f603d7215abefef212e7c28c279b1718e4252
Opcode Fuzzy Hash: ce30ce1d80eb6b13e2fca59bec642cc06a5d24aaff04c4c8cf0fa00faa92aa89
Instruction Fuzzy Hash: 6F412E72902569ABDF209BE4DC98BEE76BCAF19318F1401A9E505E3640DB349E84CF54

Function 6C1E4AC1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C1E4ACB
RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228), ref: 6C1E4B71

Part of subcall function 6C1E49FF: __EH_prolog3.LIBCMT ref: 6C1E4A06

RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C1E4B95
RegCloseKey.ADVAPI32(?), ref: 6C1E4C4A

Strings

Software\Classes\, xrefs: 6C1E4B17

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CloseEnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 854624316-1121929649
Opcode ID: 0b8885aca04c8ec0af8e68503fcb99dab2f9d7017d8183ef6ac71898eb781091
Instruction ID: 3ea0c370a31f44bc1ad102944eba7d1c328630c1a5023304da5b44dbd2fc7d67
Opcode Fuzzy Hash: 0b8885aca04c8ec0af8e68503fcb99dab2f9d7017d8183ef6ac71898eb781091
Instruction Fuzzy Hash: 4F419F36A01618ABDF11DBA4D888BDDB7B9AF58318F2441D5E909A7741CB349A48CB11

Function 6C1DE994 Relevance: 10.6, APIs: 7, Instructions: 85windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 6C1DE9B3
GetParent.USER32(?), ref: 6C1DE9C1
GetWindowThreadProcessId.USER32(?,00000000), ref: 6C1DE9DC
GetCurrentProcessId.KERNEL32 ref: 6C1DE9E2
GetActiveWindow.USER32 ref: 6C1DEA41
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 6C1DEA52
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6C1DEA6C

Part of subcall function 6C1E525D: EnableWindow.USER32(?,00000024), ref: 6C1E526E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: fa855814623c5f02794c2cf70825903aa0d13bd80c9606a4c1d604faad28fab0
Instruction ID: 6f479dcba5ebe408def2ebbcf03604242904c5f74ed19531647eb98e97d491c2
Opcode Fuzzy Hash: fa855814623c5f02794c2cf70825903aa0d13bd80c9606a4c1d604faad28fab0
Instruction Fuzzy Hash: 9231D031341209EBEF159B20CC88B9CBBB9BF13746F214194F5429BAD0CBB4BA448B91

Function 6C238A22 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000004,00000004), ref: 6C238A63
ValidateRect.USER32(?,00000000,0000E800), ref: 6C238A9F
UpdateWindow.USER32(?), ref: 6C238AA8
LockWindowUpdate.USER32(00000000), ref: 6C238AB9
ValidateRect.USER32(?,00000000,0000E800), ref: 6C238AE7
UpdateWindow.USER32(?), ref: 6C238AF0
LockWindowUpdate.USER32(00000000), ref: 6C238B01

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 1680a68cf9fc053f60e6496facabd0dc117a75614b38b460e2fdab1a9999ad57
Instruction ID: 2cf684a0758c6b426c55494af3b71bbe39879c64163809ac573f5770875abda0
Opcode Fuzzy Hash: 1680a68cf9fc053f60e6496facabd0dc117a75614b38b460e2fdab1a9999ad57
Instruction Fuzzy Hash: C0318FB660171AEFDB008F64C844B4A7BB5FB45745F21556BFC5ADB690EB70E900CB10

Function 6C1D4EC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1D4ED2
GetTopWindow.USER32(?), ref: 6C1D4EFF
GetDlgCtrlID.USER32(00000000), ref: 6C1D4F11
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C1D4F6C
GetWindow.USER32(00000000,00000002), ref: 6C1D4FAE

Strings

pt4l, xrefs: 6C1D4F1A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID: pt4l
API String ID: 849854284-3870122376
Opcode ID: 7d32d7f93bf73557df7509c8115c1ec9be50fae62ce4efcd97e6561cb142be24
Instruction ID: aa1078aa7e5ffbdba1dc25c97cadbea2c76a374e4e2d0419737e12dd144d9ce1
Opcode Fuzzy Hash: 7d32d7f93bf73557df7509c8115c1ec9be50fae62ce4efcd97e6561cb142be24
Instruction Fuzzy Hash: 2E210835902618ABEF128F65CD40FEEB7BABF56308F110195F915E2A60DF30AE04CB52

Function 6C32495D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6C324A6C,6C1B22CA,00000000,00000000,6C1E5BE4,6C1B22CC,?,6C3245C6,00000022,FlsSetValue,6C36C124,6C36C12C,6C1E5BE4), ref: 6C324A1E

Strings

ext-ms-, xrefs: 6C3249C8
api-ms-, xrefs: 6C3249B4

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 3af807477b7569c8c4d3b98149f70849b2813099cf3db89d5d55e4afe43402d6
Instruction ID: 2777d6790a1c54e1fd16ba8729a40b842460fd8e93f034cd2b02d7064929eef0
Opcode Fuzzy Hash: 3af807477b7569c8c4d3b98149f70849b2813099cf3db89d5d55e4afe43402d6
Instruction Fuzzy Hash: 87210A36B02251ABDF119B65DC84A8F37BC9B437A8F250214E855B7A80D73AED04CEE4

Function 6C23CEEC Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C23CEF3
DestroyAcceleratorTable.USER32(?), ref: 6C23CF07
GetTopWindow.USER32(?), ref: 6C23CF29
GetWindow.USER32(?,00000002), ref: 6C23CF69
IsWindow.USER32(?), ref: 6C23CF8C
GetParent.USER32(?), ref: 6C23CF97
DestroyWindow.USER32(?), ref: 6C23CFA3

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Destroy$AcceleratorH_prolog3ParentTable
String ID:
API String ID: 2502036937-0
Opcode ID: 71349e342e838eb5ec0b42dc5dbbec2b1539098cc9c5d51d2a99565dcd7eb8d4
Instruction ID: cc0b4853c11c9a72d6ce3e671e7b9c797104624eec491e49f819993207cce16b
Opcode Fuzzy Hash: 71349e342e838eb5ec0b42dc5dbbec2b1539098cc9c5d51d2a99565dcd7eb8d4
Instruction Fuzzy Hash: BB21F4B16007299BEB11BF61CC84B8E77B5BF49709F502619FC5AA7A40CF30E504CB21

Function 6C1D8CA9 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C1D8CC6
GetWindowRect.USER32(?,?), ref: 6C1D8CE4
ScreenToClient.USER32(?,?), ref: 6C1D8CF1
ScreenToClient.USER32(?,?), ref: 6C1D8CFE
EqualRect.USER32(?,?), ref: 6C1D8D09
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6C1D8D30
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000000), ref: 6C1D8D3A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 3e531a6d9b03be8373b38d61d0980411cd1c31defef9bcacd6fc32f25156550f
Instruction ID: c18f05005920a0c54b1f5bd64d9cfaacfe9a6c4ee0356f64314eb50a577d2dea
Opcode Fuzzy Hash: 3e531a6d9b03be8373b38d61d0980411cd1c31defef9bcacd6fc32f25156550f
Instruction Fuzzy Hash: 7C215E75A01509EFEF00DFA8C884EAEBBBCFF1A705B11411AF902EB150D770A940CBA1

Function 6C24C9ED Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 6C24CA0B

Part of subcall function 6C1E9631: DeleteObject.GDI32(6C1D13E5), ref: 6C1E9643

SelectObject.GDI32(?,?), ref: 6C24CA20
DeleteObject.GDI32(00000000), ref: 6C24CA81
DeleteDC.GDI32(00000000), ref: 6C24CA90
LeaveCriticalSection.KERNEL32(6C3A1B70), ref: 6C24CAA7

Strings

, xrefs: 6C24CA26

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID:
API String ID: 3849354926-3916222277
Opcode ID: f9f025e4c08a2deb6349c877748dcfe4243a2c504614e3704c3bfcb104542ba7
Instruction ID: 5dfc4b499783f6ea2de92831d9885e10d63dc4a6816d693efd44b97a9c16549a
Opcode Fuzzy Hash: f9f025e4c08a2deb6349c877748dcfe4243a2c504614e3704c3bfcb104542ba7
Instruction Fuzzy Hash: 9F215431601205CFDF00EFA8C884B9A3779FF02329F108224FD169A5A6D7709889CB51

Function 6C2304C1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetCapture.USER32(?), ref: 6C2304D7
GetCursorPos.USER32(?), ref: 6C23051A
LoadCursorW.USER32(00000000,00007F86), ref: 6C23055C
SetCursor.USER32(00000000), ref: 6C230563
GetCursorPos.USER32(?), ref: 6C230570

Strings

0^5l, xrefs: 6C230582

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID: 0^5l
API String ID: 1460996051-1366870978
Opcode ID: 31457687380a6353f88548e43f9e58937b5a5c672ca2c19db5dac69a13a09714
Instruction ID: 21b215383ff5f0aecaa36629727b2ee2e47c7f6c329b57f877001c3aa372cbf1
Opcode Fuzzy Hash: 31457687380a6353f88548e43f9e58937b5a5c672ca2c19db5dac69a13a09714
Instruction Fuzzy Hash: A8218C7570275AAFEF099BA1C808BEDBBB9BF4A705F040115ED0A87341CF74A9118BA1

Function 6C22C589 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C22C590

Part of subcall function 6C1C9B7C: __EH_prolog3.LIBCMT ref: 6C1C9B83

Strings

IDX_OFFICE2007_STYLE, xrefs: 6C22C5A0
SILVER_, xrefs: 6C22C5CF
BLUE_, xrefs: 6C22C5E4
AQUA_, xrefs: 6C22C5D6
BLACK_, xrefs: 6C22C5DD, 6C22C5E9, 6C22C5F1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: H_prolog3
String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
API String ID: 431132790-2717817858
Opcode ID: 135aa30a895b7dc002a73d6dd73f8df690fcb39b17ad870bac1db53e43a559fc
Instruction ID: 0e1bf2fc3fa8a6d7671d254e66250a4b3bfc13901a0f463b96c5e374b01ac8dc
Opcode Fuzzy Hash: 135aa30a895b7dc002a73d6dd73f8df690fcb39b17ad870bac1db53e43a559fc
Instruction Fuzzy Hash: 3C110B7690010ADBDF00EBA8C940BFE7B71AF94618F144206F911ABB80CF38CA15CB22

Function 6C1D6DB4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,?,?,00000000,?,6C1D643E,00000000,00000000), ref: 6C1D6DC5
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 6C1D6DD7
GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 6C1D6DE5

Strings

user32.dll, xrefs: 6C1D6DBC
UnregisterTouchWindow, xrefs: 6C1D6DDD
RegisterTouchWindow, xrefs: 6C1D6DD1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 667068680-2470269259
Opcode ID: f21789d779be332c09826611a5f5c4f3064a7a2ccf4f8b7df02d3231a824fece
Instruction ID: 646c55ec4b20147b7a05dd5755522e86ebe22b8d40d9eee9c78233d919fde3be
Opcode Fuzzy Hash: f21789d779be332c09826611a5f5c4f3064a7a2ccf4f8b7df02d3231a824fece
Instruction Fuzzy Hash: 7401FE3260161ABFCB019BA5CC9869EBEBDFF1E315F010535E909D2D00DF74D8108AE0

Function 6C1ECA7D Relevance: 10.5, APIs: 7, Instructions: 25COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6C1ECA82
GetSysColor.USER32(00000010), ref: 6C1ECA8D
GetSysColor.USER32(00000014), ref: 6C1ECA98
GetSysColor.USER32(00000012), ref: 6C1ECAA3
GetSysColor.USER32(00000006), ref: 6C1ECAAE
GetSysColorBrush.USER32(0000000F), ref: 6C1ECAB9
GetSysColorBrush.USER32(00000006), ref: 6C1ECAC4

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 47183db1da129f3729bfdd3b415f516c0403255a2a0601d2a187082501cb636b
Instruction ID: 3fb1f43e78a6e5bd0e40f3ac1ad4c84393816d5ad5f1ee08dfe6da1609b8a15b
Opcode Fuzzy Hash: 47183db1da129f3729bfdd3b415f516c0403255a2a0601d2a187082501cb636b
Instruction Fuzzy Hash: 15F09E71A437089BEB206FB1A54D7C6BEF4BF5AB11F040919E3478B980D7F590809F00

Function 6C1FADBA Relevance: 9.3, APIs: 6, Instructions: 333COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6C1FAE42
GetClientRect.USER32(?,6C1FA694), ref: 6C1FAE55
GetWindowRect.USER32(00000000,?), ref: 6C1FAE9F
GetParent.USER32(00000000), ref: 6C1FAEA8
GetParent.USER32(00000000), ref: 6C1FB13B
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,?,?,?,?,?,?,?,6C1FA694,00000000), ref: 6C1FB16B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 150c35985385f64f4887d19fbef43e007473a9c3fdfb02be9902e0e7f15963ff
Instruction ID: b3427528b2c003de5f0187397340d06c7a1f12210f9c59a0e9eeb338a8ce0664
Opcode Fuzzy Hash: 150c35985385f64f4887d19fbef43e007473a9c3fdfb02be9902e0e7f15963ff
Instruction Fuzzy Hash: 53D16A35A00619DFDF05CFA4C884BEDBBF5BF4A310F2541A9E826AB690CB34A941CF55

Function 6C1CED68 Relevance: 9.2, APIs: 6, Instructions: 195COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C1CED8D
InflateRect.USER32(?,?,?), ref: 6C1CEDA9
PtInRect.USER32(?,?,?), ref: 6C1CEE11
PtInRect.USER32(?,?,?), ref: 6C1CEE63
PtInRect.USER32(?,?,?), ref: 6C1CEEC2
PtInRect.USER32(?,?,?), ref: 6C1CEF29

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$ClientInflate
String ID:
API String ID: 256450704-0
Opcode ID: ff9cc2ec63f2ca7540fe5c426450996406eaba11b3d35cc63729e071a996136f
Instruction ID: 1548a616608b2d233ecf722fa79374b3b9788c5c005fddbfac557c775bd4cf97
Opcode Fuzzy Hash: ff9cc2ec63f2ca7540fe5c426450996406eaba11b3d35cc63729e071a996136f
Instruction Fuzzy Hash: AB714831F016099FDB04CFA9C844ADEB7F6BF59304F24816AE819EB210D735AA02CB91

Function 6C1FA4C6 Relevance: 9.2, APIs: 6, Instructions: 167windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6C1FA554
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6C1FA590
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6C1FA5C3
SetRectEmpty.USER32(?), ref: 6C1FA629
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6C1FA685
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6C1FA6B4

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: f3b72a70ad676fe1cf66286794ae58281633b08cc9278d768cba836c0785e37f
Instruction ID: e5cf1bf0a8d0a99b325d39d115d89c424c91c3c69d546cdf1bbee4a7ccfe3b28
Opcode Fuzzy Hash: f3b72a70ad676fe1cf66286794ae58281633b08cc9278d768cba836c0785e37f
Instruction Fuzzy Hash: A1518D71B016199FDB19CFA4C894BADBBB9FF49304F214129E916A7790DB34A905CF80

Function 6C1F4C23 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1F4C2A
GlobalAlloc.KERNEL32(00000040,00000004), ref: 6C1F4D91
GlobalLock.KERNEL32(00000000), ref: 6C1F4D9E
GlobalUnlock.KERNEL32(00000000), ref: 6C1F4DAF
SetPropW.USER32(?,00000000), ref: 6C1F4DBF
GlobalFree.KERNEL32(00000000), ref: 6C1F4DCA

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Global$AllocFreeH_prolog3LockPropUnlock
String ID:
API String ID: 2329575679-0
Opcode ID: 8367dbd3e4763275f08a6d858b5aac48b7685934547a1d1250e896f996d5aa89
Instruction ID: bbcc6b01b6f92e990913f9bd8fe0308b1929d6f803a778c80865330c5119cbf4
Opcode Fuzzy Hash: 8367dbd3e4763275f08a6d858b5aac48b7685934547a1d1250e896f996d5aa89
Instruction Fuzzy Hash: 1441E0717016059BDB04DFB58954BDE7BB8BF55328F10021AEA2ADBB90CF35D816CBA0

Function 6C224B23 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C224B2A
SetWindowRgn.USER32(00000000,00000000,00000001), ref: 6C224BA4
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000009,00000009), ref: 6C224BE1
CreateRectRgn.GDI32(00000000,00000009,?,?), ref: 6C224C18
CombineRgn.GDI32(?,?,00000000,00000002), ref: 6C224C32
SetWindowRgn.USER32(00000000,00000000,00000001), ref: 6C224C55

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateRectWindow$CombineH_prolog3Round
String ID:
API String ID: 941439308-0
Opcode ID: 3e2f8f718b18ea4f3c8c199c4313d9181d1ffbc0f949b28ea2326416a2921cea
Instruction ID: 641664d99c406a1f2f374c735d3ff3a795520194a0e6c1897c7f5266e21c96c7
Opcode Fuzzy Hash: 3e2f8f718b18ea4f3c8c199c4313d9181d1ffbc0f949b28ea2326416a2921cea
Instruction Fuzzy Hash: 5E31A271A0170AABEF01DFA4CD54FEF77B8AF06719F104519B812E6AC0DB788905CB61

Function 6C210527 Relevance: 9.1, APIs: 6, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6C210531
SetCapture.USER32(?), ref: 6C210545
GetCapture.USER32 ref: 6C210551
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C21056F
DispatchMessageW.USER32(?), ref: 6C2105AB
GetCapture.USER32 ref: 6C210609

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: dad7d3cb7fe23461a37b66e2a9028485582572fadf9100c790f862999b6f8241
Instruction ID: 084aade8e55d1f0992baa9f9aabd91afeeeca002661441d4a8fc266b8e292171
Opcode Fuzzy Hash: dad7d3cb7fe23461a37b66e2a9028485582572fadf9100c790f862999b6f8241
Instruction Fuzzy Hash: 883107316592CE9BCF109B78C408E9F77F8BB82309B10441AFE16D2E04DF309464C761

Function 6C20CB9E Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 6C20CBC6
OffsetRect.USER32(?,?,?), ref: 6C20CBE7
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 6C20CBF4
IsWindowVisible.USER32(00000000), ref: 6C20CBFD
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 6C20CC70
RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 6C20CC80

Part of subcall function 6C1E51FB: ShowWindow.USER32(?,00000000,?,?,6C1E29E0,00000000), ref: 6C1E520C

Part of subcall function 6C1E519E: SetWindowPos.USER32(?,00000000,?,00000000,00000115,00000000,00000000,?,?,6C1E2831,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C1E51C6

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawShowVisible
String ID:
API String ID: 2359670889-0
Opcode ID: bbfe3b05db231168c7436fbb08e54d7af18d049e4ff41f1419c49cdbf111f8b3
Instruction ID: 80776ad413d102a8d164c77e96f464cf2da52dd9f8e3c75e50f30f758ec4b1cf
Opcode Fuzzy Hash: bbfe3b05db231168c7436fbb08e54d7af18d049e4ff41f1419c49cdbf111f8b3
Instruction Fuzzy Hash: 10312D72A00609BFEB11DFA8CD85EBFBBBDFB49704F000619B646E6190D770AD009B21

Function 6C1D488D Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C1D48AE
GetWindow.USER32(?,00000005), ref: 6C1D48C5
GetWindowRect.USER32(00000000,?), ref: 6C1D48E0

Part of subcall function 6C1CD2F4: ScreenToClient.USER32(?,00000000), ref: 6C1CD303
Part of subcall function 6C1CD2F4: ScreenToClient.USER32(?,00000008), ref: 6C1CD310

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6C1D4906
GetWindow.USER32(00000000,00000002), ref: 6C1D490F
ScrollWindow.USER32(?,?,?,?,?), ref: 6C1D492B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: 376445beb40744b71d2a253817e76e15064e1e290a90f805855a9541088d9d0f
Instruction ID: d9f92c942f9b770fab6c45e3f5e5862ac961b57b79142754aa8367d808227b48
Opcode Fuzzy Hash: 376445beb40744b71d2a253817e76e15064e1e290a90f805855a9541088d9d0f
Instruction Fuzzy Hash: 6D219E35600609AFDF01DF65CC88AAFBBB9FF8A704B154119FA06A7610EB70ED018B50

Function 6C25C8F2 Relevance: 9.1, APIs: 6, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C206B59: IsWindow.USER32(?), ref: 6C206B65

SendMessageW.USER32(00000020,0000020A,?,?), ref: 6C25C91E
GetFocus.USER32 ref: 6C25C93C
IsChild.USER32(00000020,?), ref: 6C25C959
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C25C973
IsWindowVisible.USER32(?), ref: 6C25C98C
SendMessageW.USER32(?,0000020A,?,?), ref: 6C25C9AA

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: 25a9f014fde8bc76df15c2eb9e5a4cf06ae1fd3b3c30fa112e9b0570ba994eb5
Instruction ID: 6b00e514178e0bdbf6448011f1f155f176ff3888e5d838c13457e4e7bba96f35
Opcode Fuzzy Hash: 25a9f014fde8bc76df15c2eb9e5a4cf06ae1fd3b3c30fa112e9b0570ba994eb5
Instruction Fuzzy Hash: D021D07220260AEBDB11AB24C844F6A7BB4FF0EB06F500025FD5796560EB70E820DB80

Function 6C1DC9D7 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 6C1DC9E0
GetWindow.USER32(00000000), ref: 6C1DC9E7
GetWindowLongW.USER32(00000000,000000F0), ref: 6C1DCA15
ShowWindow.USER32(00000000,00000000), ref: 6C1DCA30
ShowWindow.USER32(00000000,00000004), ref: 6C1DCA51
GetWindow.USER32(00000000,00000002), ref: 6C1DCA5E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: efadace4673514fc8ca5e937123368a716134a7c68b2367e38befc2be165fb62
Instruction ID: e91ae95fcad28bb1713cb83b4814cc9f671d9233f7a6bc88575e62ccd2a7cad8
Opcode Fuzzy Hash: efadace4673514fc8ca5e937123368a716134a7c68b2367e38befc2be165fb62
Instruction Fuzzy Hash: 68112C71206B1567DB12EA219C29B5A3768AF127AAF179B52FD1195680EB60F000C7D4

Function 6C21AA1E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C21AA28
CloseHandle.KERNEL32(00000000,?,00000000,00000080,6C27C517,?,00000000,?,?,00000000), ref: 6C21AA63

Part of subcall function 6C20D2FC: __EH_prolog3.LIBCMT ref: 6C20D303

GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6C27C517,?,00000000,?,?,00000000), ref: 6C21AA84
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6C21AAD9

Strings

AFX, xrefs: 6C21AAAE

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CloseCreateFileH_prolog3H_prolog3_catchHandlePathTemp
String ID: AFX
API String ID: 775233504-1300893600
Opcode ID: 427c0fe8df69fd8b1d9710f64a27a69b8c8384ee793c2e980b0dcbe5357558f0
Instruction ID: a3281225a093281cd8bc6f7d50271ee9c6534ee343114138bac713bb9c2bd617
Opcode Fuzzy Hash: 427c0fe8df69fd8b1d9710f64a27a69b8c8384ee793c2e980b0dcbe5357558f0
Instruction Fuzzy Hash: 2C416E70A00149DBDB05DFA4C994FEEB7B8BF65308F104169E916A7BD0DB34AB09CB61

Function 6C218EC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C218ECD
InflateRect.USER32(?,00000005,00000005), ref: 6C218F0B
Ellipse.GDI32(00000000,?,00000000,?,?), ref: 6C218FD6

Strings

Gu,, xrefs: 6C218F57
(^4l, xrefs: 6C218FF1

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: EllipseH_prolog3_InflateRect
String ID: (^4l$Gu,
API String ID: 3279685039-3311905259
Opcode ID: 57bcf70a7f55da13873792799ab5fa0e048045f8ab028b9167951f823f717799
Instruction ID: c6f313b559d6b5fc6786f79d19b27b7bcb2b9ecd6e2bd49c547194c13198e812
Opcode Fuzzy Hash: 57bcf70a7f55da13873792799ab5fa0e048045f8ab028b9167951f823f717799
Instruction Fuzzy Hash: E0414C31A001089FDF01DFA4C995BEE7BF6AF49304F554069E901A7B90DB34AE08CFA1

Function 6C1D8974 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__snprintf_s.LIBCMT ref: 6C1D89C0
__snprintf_s.LIBCMT ref: 6C1D89F4
GetClassInfoW.USER32(?,0000007C,?), ref: 6C1D8A24

Strings

Afx:%p:%x, xrefs: 6C1D89B4
Afx:%p:%x:%p:%p:%p, xrefs: 6C1D89EA

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: __snprintf_s$ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 1341824228-2801496823
Opcode ID: 88b1927948869d69a5354e722bd78eb638d4f70831ed514d9a14ad2bb08afe52
Instruction ID: 6f0c0c53a7bd7eba9f7680d6387e6352f805f253908f8f1fc76ccdde5dbabe40
Opcode Fuzzy Hash: 88b1927948869d69a5354e722bd78eb638d4f70831ed514d9a14ad2bb08afe52
Instruction Fuzzy Hash: 593136B1A00209EFDB01DFAAC844ACE7BF8FF89309F014056E554AB751D734AA548FA2

Function 6C22ED15 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 6C22ED2B
GetCursorPos.USER32(?), ref: 6C22ED6D
SetRectEmpty.USER32(?), ref: 6C22ED7E
IsRectEmpty.USER32(?), ref: 6C22EDA8

Strings

0^5l, xrefs: 6C22ED50

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: EmptyRect$CursorState
String ID: 0^5l
API String ID: 2369637639-1366870978
Opcode ID: 11fa650491c8f3b21d96edb448d9ed78138d378318979d5de2c081e35975783d
Instruction ID: fa2215ac0a0daa4085530996be66cb79fbb9caee1f92ab30c6416a77bdd585bf
Opcode Fuzzy Hash: 11fa650491c8f3b21d96edb448d9ed78138d378318979d5de2c081e35975783d
Instruction Fuzzy Hash: C2214275E0121EAFDF11DFB488849EFBBBDEF09645B100529E805F3240EB349944DBA1

Function 6C1DAF4F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Edit, xrefs: 6C1DAFA6

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 3f724b80ce4691737227be6e87d1137ac774faec2c224caff5ebe7d28bb12511
Instruction ID: cbdb3c9dde867c8903db557d800e3f1cf60526b2c1e72fe1af6380d3089d1a9e
Opcode Fuzzy Hash: 3f724b80ce4691737227be6e87d1137ac774faec2c224caff5ebe7d28bb12511
Instruction Fuzzy Hash: 61110870356201ABFF119A35CC04FAE77A8AF02B58F1205E5E6A2D1DA0DB65F440C772

Function 6C210B22 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C210B35
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C210B45
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C210B8E

Strings

kernel32.dll, xrefs: 6C210B30
CreateFileTransactedW, xrefs: 6C210B3F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: d71589e84930e1dcb57eae02e426575d13a809d5bd8371c37f101e95f3e87ede
Instruction ID: bdb095fa05681061bf97c20a2a5cc3a76a6bb51378ef561f90895a4ee6da2516
Opcode Fuzzy Hash: d71589e84930e1dcb57eae02e426575d13a809d5bd8371c37f101e95f3e87ede
Instruction Fuzzy Hash: 1801257250524EBFDF120E94CC04CAB3FBEFB493AA7104529FA2551820C732CA30EB60

Function 6C318D2B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8BAE044A,?,?,00000000,6C334D80,000000FF,?,6C318DEC,6C318CC6,?,6C318E88,00000000), ref: 6C318D60
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C318D72
FreeLibrary.KERNEL32(00000000,?,?,00000000,6C334D80,000000FF,?,6C318DEC,6C318CC6,?,6C318E88,00000000), ref: 6C318D94

Strings

CorExitProcess, xrefs: 6C318D6A
mscoree.dll, xrefs: 6C318D59

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d67438d18597893edc83c883bc1ccac9b4548c376c4d80a51d388b2d1705cff1
Instruction ID: 8a38b22facfb13ac6900bf4fea7daa2671f8528f83fe6c790138417b71fd062b
Opcode Fuzzy Hash: d67438d18597893edc83c883bc1ccac9b4548c376c4d80a51d388b2d1705cff1
Instruction Fuzzy Hash: 9E01DB31A15659EFDF029F50CC04FAE7BBCFB06715F010A29F811A2A90DB799900CF94

Function 6C1FE9D7 Relevance: 7.9, APIs: 5, Instructions: 357COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C1FE9F9
SetRectEmpty.USER32(?), ref: 6C1FEA84
SetRectEmpty.USER32(?), ref: 6C1FECA4
GetClientRect.USER32(?,?), ref: 6C1FED01
GetClientRect.USER32(?,?), ref: 6C1FED17

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: 96dcd4f08b01914e37cfd4c148c481cdb5b9a5d1079c0a0b2492197d06b9ed47
Instruction ID: d00fd4fd50f4395e1252592db9a5716472a71baa3e6be05de369efff736236bb
Opcode Fuzzy Hash: 96dcd4f08b01914e37cfd4c148c481cdb5b9a5d1079c0a0b2492197d06b9ed47
Instruction Fuzzy Hash: 05D12931E01619CFCF05CFA8C5946DEBBF2BF4A314F254169E825BB640D771AA46CBA0

Function 6C1DA895 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C1DA89C
GlobalLock.KERNEL32(00000000), ref: 6C1DA99E
DestroyWindow.USER32(00000000,?,00000000,00000000,6C1DB463,00000000,?,?,00000024), ref: 6C1DAA87
GlobalUnlock.KERNEL32(00000000), ref: 6C1DAA94
GlobalFree.KERNEL32(00000000), ref: 6C1DAA9B

Part of subcall function 6C1F6164: GetStockObject.GDI32(00000011), ref: 6C1F6186
Part of subcall function 6C1F6164: GetStockObject.GDI32(0000000D), ref: 6C1F6192
Part of subcall function 6C1F6164: GetObjectW.GDI32(00000000,0000005C,?), ref: 6C1F61A3
Part of subcall function 6C1F6164: GetDC.USER32(00000000), ref: 6C1F61B2
Part of subcall function 6C1F6164: GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C1F61C9
Part of subcall function 6C1F6164: MulDiv.KERNEL32(?,00000048,00000000), ref: 6C1F61D5
Part of subcall function 6C1F6164: ReleaseDC.USER32(00000000,00000000), ref: 6C1F61E1

Part of subcall function 6C1F6276: GlobalFree.KERNEL32(?), ref: 6C1F627D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Global$Object$FreeStock$CapsDestroyDeviceH_prolog3_catchLockReleaseUnlockWindow
String ID:
API String ID: 15253214-0
Opcode ID: c6516e9b822e5f11d98dcf18f9e82c7dab180072bfb45e3db6132b38d74810c0
Instruction ID: 9dac1885795a0921f8b3434321a401cd6bc68d0070f73707f82567ca1125300a
Opcode Fuzzy Hash: c6516e9b822e5f11d98dcf18f9e82c7dab180072bfb45e3db6132b38d74810c0
Instruction Fuzzy Hash: AE517230A01619DFDF05DFA4C954BEEBBB4BF19314F124155E812A7790DB34AE05CB90

Function 6C200B9B Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,00007904), ref: 6C200BD3
LoadCursorW.USER32(?,00007905), ref: 6C200C06
LoadCursorW.USER32(00000000,00007F86), ref: 6C200C31
CreatePen.GDI32(00000000,00000001,?), ref: 6C200CA9

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CursorLoad$Create
String ID:
API String ID: 1516763891-0
Opcode ID: dc2789cb6c6197c2e733f3d7423abc11abbed3f738697d6e220bf6d6cd9c2f00
Instruction ID: 48f70c573ea53f6f9854ab03ce4642cb464619b05090acd1dd0ab89815a9cf82
Opcode Fuzzy Hash: dc2789cb6c6197c2e733f3d7423abc11abbed3f738697d6e220bf6d6cd9c2f00
Instruction Fuzzy Hash: D531E670B402469FEB119BB58888FEE36E8AF46319F140177FD19DBB81DF3488058B61

Function 6C284E3A Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C284E7A
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 6C284EA4
GetWindowRect.USER32(?,?), ref: 6C284EB7
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C284F0D
RedrawWindow.USER32(00000000,00000000,00000000,00000185), ref: 6C284F23

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: 230b10636c2b704f42645a7d8ef4ac2a39637d14a28d9b7bd42624ba19bf8114
Instruction ID: c212ca9d4acbc12264c5c2dd0420f825c777d249aa42b8dc1379e4cc90f51ed6
Opcode Fuzzy Hash: 230b10636c2b704f42645a7d8ef4ac2a39637d14a28d9b7bd42624ba19bf8114
Instruction Fuzzy Hash: D5312F71A0521AAFEB11CF68CD84FAEB7BCFB09315F104659F966A71D0DB70A904CB10

Function 6C25C808 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C25C84F
GetWindowRect.USER32(?,?), ref: 6C25C86A
PtInRect.USER32(?,?,?), ref: 6C25C876
GetWindowRect.USER32(?,?), ref: 6C25C899
PtInRect.USER32(?,?,?), ref: 6C25C8A7

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: ca600d6d6dabfdb4d4193dbdb682c93565cab3ae277638b8df54130be9839ba7
Instruction ID: 34d3f3fba490e9044b2a0c9158c1984e2494ebbe68b9ca0034f14f128b3ad2c3
Opcode Fuzzy Hash: ca600d6d6dabfdb4d4193dbdb682c93565cab3ae277638b8df54130be9839ba7
Instruction Fuzzy Hash: 30216F35A0520E9BDB01EB75C848AAFB7BDBF4A745B504119F906E3600EB3099509B50

Function 6C23AF80 Relevance: 7.6, APIs: 5, Instructions: 77windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C23AF87
IsWindowVisible.USER32(?), ref: 6C23AF9F
IsWindowVisible.USER32(?), ref: 6C23AFAC
IsWindowVisible.USER32(?), ref: 6C23AFDE
SendMessageW.USER32(?,00000085,00000000,00000000), ref: 6C23B042

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: VisibleWindow$H_prolog3MessageSend
String ID:
API String ID: 3429043573-0
Opcode ID: 532544a7336f34fe5afad0cd4e9879a9ddae87c36117edae1321341a745d40ce
Instruction ID: 0f8b8f525192cee08e82b1080107a1b616f1731265c5b39dc86f2ff411d656f8
Opcode Fuzzy Hash: 532544a7336f34fe5afad0cd4e9879a9ddae87c36117edae1321341a745d40ce
Instruction Fuzzy Hash: 1F21A37160162A9FDF00DFA4CD94BEE77B4BF54749B100429E45AA7A90EF34A908CB21

Function 6C1F892F Relevance: 7.6, APIs: 5, Instructions: 74threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C1F8941
SetWindowsHookExW.USER32(00000007,6C1FF8A4,00000000,00000000), ref: 6C1F8951
UnhookWindowsHookEx.USER32(00000000), ref: 6C1F8969
UpdateWindow.USER32(?), ref: 6C1F89E1
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C1F89FD

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: HookWindows$CurrentMessageSendThreadUnhookUpdateWindow
String ID:
API String ID: 1891640330-0
Opcode ID: 0ef450b9ec7669e7562870a54eb7a1e8eac592a129c07bf951e68cc41d5095c7
Instruction ID: 8f01c9cc72dd2a0c30531bfe44a9a4f64a31e150a87cac4de695eaa0e61d7e31
Opcode Fuzzy Hash: 0ef450b9ec7669e7562870a54eb7a1e8eac592a129c07bf951e68cc41d5095c7
Instruction Fuzzy Hash: 0121D8313056029FFF009B55D848B6DBBF9BB87715F110216E43A97A90CB3098168B91

Function 6C1EE9B4 Relevance: 7.6, APIs: 5, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,00000000), ref: 6C1EEA11
LocalReAlloc.KERNEL32(00000000,00000000,00000002), ref: 6C1EEA1F
TlsSetValue.KERNEL32 ref: 6C1EEA50
LeaveCriticalSection.KERNEL32(6C1CB283,?,00000000,?,6C1D871F,?,?,?,6C1D3FF4,00000000,00000000,?,?,6C1DBF77,00000004,6C1CB283), ref: 6C1EEA6E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AllocLocal$CriticalLeaveSectionValue
String ID:
API String ID: 901235349-0
Opcode ID: 43a32073b8ad214a14302269dc5430582b1ce5b8bf23f3827cdd43e0956be430
Instruction ID: a6efc89885bc1f165a8d5d00d4aa297f61fb76c960be03f98d6e84dcf152278c
Opcode Fuzzy Hash: 43a32073b8ad214a14302269dc5430582b1ce5b8bf23f3827cdd43e0956be430
Instruction Fuzzy Hash: 03116074201A12DFEB249F15C844A5A7BB5FF8A314B14C42DE85ADAA60DB30E944CF91

Function 6C1D0BCD Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C1D0BD6
SendMessageW.USER32(?,00000420,00000000,0000E800), ref: 6C1D0BFA
SendMessageW.USER32(?,0000041F,00000000,0000E800), ref: 6C1D0C17
SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 6C1D0C33
InvalidateRect.USER32(?,00000000,00000001,?,6C1D0BBA,?,?,?,?,ToolbarWindow32,00000000,?,?,?,0000E800,00000000), ref: 6C1D0C51

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 709ad2a31958ca7eb2e445ebdeba51128204f2ba3c908695b1c8121eb964b116
Instruction ID: d816b6e8be696ccd8969e13afb66533a222bfd6875c5fdd4580943d6a7404fbd
Opcode Fuzzy Hash: 709ad2a31958ca7eb2e445ebdeba51128204f2ba3c908695b1c8121eb964b116
Instruction Fuzzy Hash: 27111271201654AFEB148F25D808BBB7BF9FB85741F00892EF99B96150E7B1A850DB20

Function 6C232E3C Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 349windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C232E46
IsWindowVisible.USER32(?), ref: 6C2332A4

Part of subcall function 6C1D460B: GetWindowTextLengthW.USER32(?), ref: 6C1D461D
Part of subcall function 6C1D460B: GetWindowTextW.USER32(?,00000000,00000001), ref: 6C1D4636

Part of subcall function 6C25E6B9: __EH_prolog3.LIBCMT ref: 6C25E6C0

ClientToScreen.USER32(00000000,?), ref: 6C2331A4

Strings

DUMMY, xrefs: 6C232FA9

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Text$ClientH_prolog3H_prolog3_LengthScreenVisible
String ID: DUMMY
API String ID: 1879877427-3097505935
Opcode ID: 3662617f5f40581bf4e3e110763ceb826c05d6769218d288214adee9a3605cf0
Instruction ID: 3e272b6115fc278bd4a06dd603e663975280fca537dfa4d99cefc16c685a2260
Opcode Fuzzy Hash: 3662617f5f40581bf4e3e110763ceb826c05d6769218d288214adee9a3605cf0
Instruction Fuzzy Hash: 9DD19C70A012299FEF05DB68C894BEDB7B9AF49358F100199E81AA77C0DF34AE45CF51

Function 6C232A9F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C232AFC
OffsetRect.USER32(?,?,?), ref: 6C232B3D
FillRect.USER32(?,?,-00000098), ref: 6C232B92

Part of subcall function 6C1F6E3A: __EH_prolog3.LIBCMT ref: 6C1F6E41

Strings

0^5l, xrefs: 6C232AD2

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$FillH_prolog3OffsetWindow
String ID: 0^5l
API String ID: 1391168360-1366870978
Opcode ID: 82367190957967a5ccfb5dcfabe9e4f4f62c48bb0bf2343af178851c92cdefab
Instruction ID: d148fdd536ceaf66fc16931b13a23f6df98c1c339e104af033a50485e9365f0d
Opcode Fuzzy Hash: 82367190957967a5ccfb5dcfabe9e4f4f62c48bb0bf2343af178851c92cdefab
Instruction Fuzzy Hash: FD415C72E005199FDF05DFA8D944AEEBBBAFF4A304F150055F806AB210DB71AE05CB91

Function 6C25C9BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C25C9C1
CreatePopupMenu.USER32 ref: 6C25CA58
GetFocus.USER32 ref: 6C25CB5D

Strings

T}4l2L l, xrefs: 6C25CA5F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateFocusH_prolog3MenuPopup
String ID: T}4l2L l
API String ID: 1810032065-150602006
Opcode ID: a3b54cf10ecfa62f9d8da5e686d1d221937072051b789afb62044eaaf023d487
Instruction ID: 846e2cf526285820e4e889eba181b25961a43a84bcca2a4bb157c86f7c5054b5
Opcode Fuzzy Hash: a3b54cf10ecfa62f9d8da5e686d1d221937072051b789afb62044eaaf023d487
Instruction Fuzzy Hash: 1F51CE75B0170A8BDF01EF658480ABE7BF5AF4A749F50002AED17A7B50EF309955CB81

Function 6C232464 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128timeCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 6C232471
KillTimer.USER32(?,?), ref: 6C2324A9
ReleaseCapture.USER32 ref: 6C232562

Part of subcall function 6C2320CF: IsWindowVisible.USER32(?), ref: 6C232125
Part of subcall function 6C2320CF: GetParent.USER32(?), ref: 6C23215B
Part of subcall function 6C2320CF: ReleaseCapture.USER32 ref: 6C23223A

Strings

0^5l, xrefs: 6C2324C6

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CaptureRelease$KillParentTimerVisibleWindow
String ID: 0^5l
API String ID: 3579941792-1366870978
Opcode ID: 915d56e0b3c00af54cb79c748ae752c0d11829cbd7083f299643a9460b616b9a
Instruction ID: 84b9a1312949affc4eca408a720b4255a15a2f94130645634cf6108d90fe6716
Opcode Fuzzy Hash: 915d56e0b3c00af54cb79c748ae752c0d11829cbd7083f299643a9460b616b9a
Instruction Fuzzy Hash: E4412BB53006269BDF099B65C858BEEBB6ABF86705F140039ED0A97781CF709D05CBE1

Function 6C226FA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

InflateRect.USER32(00000000,00000000,000000FF), ref: 6C227000
InflateRect.USER32(00000000,00000000,000000FD), ref: 6C227058
FillRect.USER32(?,00000000,?), ref: 6C22706E

Strings

(^4l, xrefs: 6C227077

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Inflate$Fill
String ID: (^4l
API String ID: 309753019-3721299443
Opcode ID: 52c638cbf70f987c04ad13959ccef01cfd6e383b19ad38de0d514a6b6484ff5e
Instruction ID: fd1b21721bf6ae7ef60991028a79005a6ff553297b4d2a547e58af574542e034
Opcode Fuzzy Hash: 52c638cbf70f987c04ad13959ccef01cfd6e383b19ad38de0d514a6b6484ff5e
Instruction Fuzzy Hash: 35312D31A0020E9FDF01DFA8C885AEFBBB5FF0A314F100565F911AB280DB759A05CB91

Function 6C1FCBDB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1FCBE5
SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C1FCC10
SendMessageW.USER32(?,0000043A,-00000001,00000030), ref: 6C1FCC58

Strings

0, xrefs: 6C1FCC2C

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: MessageSend$H_prolog3_
String ID: 0
API String ID: 3491702567-4108050209
Opcode ID: a11c5ba9a743bfe26bba0e44886d1213073571f5e6e588fb8ff55c200036cc1f
Instruction ID: a5f313de329c0e6fe8d480fbdceea9138b6b80bf7d84d59c5d1422a5d8d486e4
Opcode Fuzzy Hash: a11c5ba9a743bfe26bba0e44886d1213073571f5e6e588fb8ff55c200036cc1f
Instruction Fuzzy Hash: 5A318074600229AFDB24DB64CC94FEDB7B8BF45308F000299E52DA7690DB706A85DF61

Function 6C2A49C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C2A49CA
FillRect.USER32(?,?,-000000D0), ref: 6C2A4A0E
FillRect.USER32(00000000,?,?), ref: 6C2A4A6D

Strings

(^4l, xrefs: 6C2A4A8D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FillRect$H_prolog3_
String ID: (^4l
API String ID: 2465756759-3721299443
Opcode ID: 431a85cb82158b9e89c58c4a1f9d0c7c68e8c3d886e70d41b22171848dd9dd5c
Instruction ID: e07ec07309eff136a7f9c43f1b0bd57bc5ea629fb185973c321027e5d296e003
Opcode Fuzzy Hash: 431a85cb82158b9e89c58c4a1f9d0c7c68e8c3d886e70d41b22171848dd9dd5c
Instruction Fuzzy Hash: 7E315871A01208AFDB01DFA4C855ADEBBB9EF0A324F144019F815B7751CB34AE09CFA5

Function 6C202DDA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C202E1F
ScreenToClient.USER32(?,?), ref: 6C202E2C
SendMessageW.USER32(?,00000030,-0000011C,00000000), ref: 6C202EB4

Strings

,, xrefs: 6C202E43

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ClientCursorMessageScreenSend
String ID: ,
API String ID: 3733300889-3772416878
Opcode ID: a0219164d39f4459302910805a2a8d5ce6f5787006adf81ae5e0183868c0da4a
Instruction ID: 0e47bd9437b0462ee441f092504f7e65ade8085edf6417acd661fbfb616c37a1
Opcode Fuzzy Hash: a0219164d39f4459302910805a2a8d5ce6f5787006adf81ae5e0183868c0da4a
Instruction Fuzzy Hash: 21315971B02119AFDB05DFA5DC48AAEBBFDEF09319B104027B915EB650DB30A914CBA1

Function 6C1E84C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C1E84C7
LoadCursorW.USER32(00000000,00007F00), ref: 6C1E84EB
GetClassInfoW.USER32(?,?,?), ref: 6C1E8526

Part of subcall function 6C1D8A78: __EH_prolog3_catch.LIBCMT ref: 6C1D8A7F
Part of subcall function 6C1D8A78: GetClassInfoW.USER32(?,?,?), ref: 6C1D8A91

Strings

%Ts:%x:%x:%x:%x, xrefs: 6C1E8511

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
String ID: %Ts:%x:%x:%x:%x
API String ID: 937286869-4057404147
Opcode ID: 5114c729c0f109ec95fdfa9b27e69fe5c6af2f4f5183b5fb0e5a0cf725818c57
Instruction ID: a62afdaec0b423e52b4685ee441f4581307aa557ae8197f3dd0f58e145be50f4
Opcode Fuzzy Hash: 5114c729c0f109ec95fdfa9b27e69fe5c6af2f4f5183b5fb0e5a0cf725818c57
Instruction Fuzzy Hash: B021FEB4E41619AFEB40DFA9C884BDEBBF4BF18308F10442AE544E6740DB755944CBA5

Function 6C1D8E3D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C1EC870: EnterCriticalSection.KERNEL32(6C3A0410,?,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8A1
Part of subcall function 6C1EC870: InitializeCriticalSection.KERNEL32(00000000,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8B7
Part of subcall function 6C1EC870: LeaveCriticalSection.KERNEL32(6C3A0410,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8C5
Part of subcall function 6C1EC870: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8D2

Part of subcall function 6C1EEBED: __EH_prolog3_catch.LIBCMT ref: 6C1EEBF4

Part of subcall function 6C1D3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1D3CCE
Part of subcall function 6C1D3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1D3CDE
Part of subcall function 6C1D3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1D3CE7

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C1D8E7F
FreeLibrary.KERNEL32(?,?,?,6C1D4CCA,?,?,?,?,00000004,00000004), ref: 6C1D8E8F

Strings

hhctrl.ocx, xrefs: 6C1D8E63
HtmlHelpW, xrefs: 6C1D8E79

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 849444252-3773518134
Opcode ID: 24d9dd50c836ebda199365012edc063af2a7d0699bbc43a85422f1d25f1dfaf2
Instruction ID: 88c789398453268e34cd8ec511a8c6f1eed8425b37ecfee93927ce0f1be304d1
Opcode Fuzzy Hash: 24d9dd50c836ebda199365012edc063af2a7d0699bbc43a85422f1d25f1dfaf2
Instruction Fuzzy Hash: E701AC31500B1BABDB21AFB1CC14B8B7AB5AF05358F01592AF95AD6E50DB34E4109F91

Function 6C2B24D6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,0000EC1A,?,?,?,6C23A7DE,?,00000001,?), ref: 6C2B2502
GetFocus.USER32 ref: 6C2B250E
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,?,?,?,6C23A7DE,?,00000001), ref: 6C2B253C

Strings

y, xrefs: 6C2B24E7

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FocusKillRedrawTimerWindow
String ID: y
API String ID: 1950525498-4225443349
Opcode ID: 0094875034643ad58a201379246bfab57eaa80a92c0361a433fc0ee4bac0bef1
Instruction ID: 687ff2272300d633fd142f408be7a1c51f54ff12f041f800dafa05778428737e
Opcode Fuzzy Hash: 0094875034643ad58a201379246bfab57eaa80a92c0361a433fc0ee4bac0bef1
Instruction Fuzzy Hash: B90126B234531DEBCB294A66C90888EBB38FB4B7AA7048121FC5AA1C10C7B18440CFD0

Function 6C1E4A62 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C1E4A75
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C1E4A85

Strings

RegDeleteKeyTransactedW, xrefs: 6C1E4A7F
Advapi32.dll, xrefs: 6C1E4A70

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 55f7de3f2944ab7b5700108b0d9e07bd8c7a404f5fd4577028c19cb193e8f286
Instruction ID: 3d4d9fd5de714e5c1d0f8835a5235b7e95709560477e4b5cfdfe04084ab0cf81
Opcode Fuzzy Hash: 55f7de3f2944ab7b5700108b0d9e07bd8c7a404f5fd4577028c19cb193e8f286
Instruction Fuzzy Hash: E9F0BB37301519AFAF115ED4DC4487677EDEBEA2B6711443EF553D1A00C6718C008B64

Function 6C1E8D76 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C1E8D80
SystemParametersInfoW.USER32(00000029,000001F8,?,00000000), ref: 6C1E8DDB
CreateFontIndirectW.GDI32(?), ref: 6C1E8DE8

Strings

D}4l, xrefs: 6C1E8DA4

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateFontH_prolog3_IndirectInfoParametersSystem
String ID: D}4l
API String ID: 3603398567-2520069617
Opcode ID: 79e9a47ed4ab80864789c778fd874a91f62e890240f5bfe2237f1c5c6b50c7e0
Instruction ID: 3e6d818b608d462d6aa387520c400ea32fd67dd42314d931b2bba65e59c3de36
Opcode Fuzzy Hash: 79e9a47ed4ab80864789c778fd874a91f62e890240f5bfe2237f1c5c6b50c7e0
Instruction Fuzzy Hash: 6A016DB1A01359AFDB40DFA8CC49BD9BBBCBB45304F1085AAA219DB641DB749A84CF50

Function 6C32CE93 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6C32CF2F,?,?,00000000,?,?,?,6C32CDED,00000002,FlsGetValue,6C36C584,6C36C58C), ref: 6C32CEA0
GetLastError.KERNEL32(?,6C32CF2F,?,?,00000000,?,?,?,6C32CDED,00000002,FlsGetValue,6C36C584,6C36C58C,?,?,6C32117D), ref: 6C32CEAA
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 6C32CED2

Strings

api-ms-, xrefs: 6C32CEB7

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 711e20d89ec2b64841e92d4f2228b67709713442c0bb424fa0392880cc55ff37
Instruction ID: 79198bf8b5e43a5687bfa73c6b2f6e26538f7cb9127ce2f95d03106a07a8b0a0
Opcode Fuzzy Hash: 711e20d89ec2b64841e92d4f2228b67709713442c0bb424fa0392880cc55ff37
Instruction Fuzzy Hash: DCE04F703C5208BBFF002A61EC15B4A3F6CAB02B46F344020F90EA8890D766D9508E85

Function 6C24EC79 Relevance: 6.4, APIs: 4, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C24EC83
GetObjectW.GDI32(?,00000018,?), ref: 6C24ED53
DeleteObject.GDI32(?), ref: 6C24EE28
DeleteObject.GDI32(?), ref: 6C24F1EA

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Object$Delete$H_prolog3
String ID:
API String ID: 487261545-0
Opcode ID: ee539cf1d8d0e2843ad76f1b6e025fd0c35048bfafd99051e10fc17a9cfe0909
Instruction ID: 4efdb8dda392c2cbc96436cc2951e82703798a65e631b64371d29a040ef7ece6
Opcode Fuzzy Hash: ee539cf1d8d0e2843ad76f1b6e025fd0c35048bfafd99051e10fc17a9cfe0909
Instruction Fuzzy Hash: 0912F774D00719CFDB15CFA9C890B9EFBB5BF49314F10826AE84AA7650EB70A985CF50

Function 6C21682D Relevance: 6.3, APIs: 4, Instructions: 341COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C216834
GetTextColor.GDI32(?), ref: 6C216941

Part of subcall function 6C1CC827: SelectObject.GDI32(?,00000000), ref: 6C1CC847
Part of subcall function 6C1CC827: SelectObject.GDI32(?,00000000), ref: 6C1CC85D

Part of subcall function 6C1CCDCC: MoveToEx.GDI32(?,?,?,?), ref: 6C1CCDED
Part of subcall function 6C1CCDCC: MoveToEx.GDI32(00000000,?,?,?), ref: 6C1CCE03

Part of subcall function 6C1CCE11: MoveToEx.GDI32(?,?,?,00000000), ref: 6C1CCE2C
Part of subcall function 6C1CCE11: LineTo.GDI32(?,?,?), ref: 6C1CCE3B

__EH_prolog3_GS.LIBCMT ref: 6C216B58
FillRect.USER32(?,?,?), ref: 6C216B9F

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Move$H_prolog3_ObjectSelect$ColorFillLineRectText
String ID:
API String ID: 3864112738-0
Opcode ID: 872b1aa5a551703933afb308ccd94fca8b58c0f10f5cda1decae3a2b75b7e85f
Instruction ID: 55c90cdc72cda88f4cd53f2478a9f5c0362981013f6a64f8e2abd270c723b008
Opcode Fuzzy Hash: 872b1aa5a551703933afb308ccd94fca8b58c0f10f5cda1decae3a2b75b7e85f
Instruction Fuzzy Hash: 5BD12375A002099FCF05DFA8C894AEEBBF6FF49314F144159E912A7B90CB35AD05CB61

Function 6C32ABE4 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(8BAE044A,00000000,00000000,?), ref: 6C32AC47

Part of subcall function 6C322501: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C325CE9,?,00000000,-00000008), ref: 6C322562

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C32AE99
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C32AEDF
GetLastError.KERNEL32 ref: 6C32AF82

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 8d7cb029e3686a48110e834b3a30fd59085bc0f47fa8b84dbbb67dfa7da7f47a
Instruction ID: 9681b5b95aff4075bf84292761798be3b60e06626ab5984073b3c57faca8ac56
Opcode Fuzzy Hash: 8d7cb029e3686a48110e834b3a30fd59085bc0f47fa8b84dbbb67dfa7da7f47a
Instruction Fuzzy Hash: 73D17BB1E05259AFCF11CFA8C890A9DBBB8FF09314F14416AE465EB741D739A942CF60

Function 6C29EE13 Relevance: 6.3, APIs: 4, Instructions: 315COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C29EE1A
GetTextColor.GDI32(?), ref: 6C29EF27

Part of subcall function 6C1CC827: SelectObject.GDI32(?,00000000), ref: 6C1CC847
Part of subcall function 6C1CC827: SelectObject.GDI32(?,00000000), ref: 6C1CC85D

Part of subcall function 6C1CCDCC: MoveToEx.GDI32(?,?,?,?), ref: 6C1CCDED
Part of subcall function 6C1CCDCC: MoveToEx.GDI32(00000000,?,?,?), ref: 6C1CCE03

Part of subcall function 6C1CCE11: MoveToEx.GDI32(?,?,?,00000000), ref: 6C1CCE2C
Part of subcall function 6C1CCE11: LineTo.GDI32(?,?,?), ref: 6C1CCE3B

FillRect.USER32(?,?,-000000C8), ref: 6C29F13D
FillRect.USER32(?,00000000,?), ref: 6C29F161

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Move$FillObjectRectSelect$ColorH_prolog3_LineText
String ID:
API String ID: 971351308-0
Opcode ID: 62d347033e0cd5671d788e294faaa6e4dc84f9ad5ede1c5f905d47a677039d80
Instruction ID: 438963f2783e8f179fed6a019329310c7256c393321326023c149814f8318633
Opcode Fuzzy Hash: 62d347033e0cd5671d788e294faaa6e4dc84f9ad5ede1c5f905d47a677039d80
Instruction Fuzzy Hash: 3AC17935A002099FDF05DFA9C894AEEBBFABF49314F144159F816A7780CB35AD05CBA1

Function 6C23493B Relevance: 6.3, APIs: 4, Instructions: 283keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C234969
GetKeyState.USER32(00000011), ref: 6C234971
IsRectEmpty.USER32(?), ref: 6C2349DB
GetWindowRect.USER32(?,?), ref: 6C234BA7

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: ec28d42be1476206e8d1fd5f83053412cd3e67512dfe23bbb1732bd0d8c98b6f
Instruction ID: 4a9812ab465bd12a2684834077573884b5d97c836161e4722bd99c11637d1d24
Opcode Fuzzy Hash: ec28d42be1476206e8d1fd5f83053412cd3e67512dfe23bbb1732bd0d8c98b6f
Instruction Fuzzy Hash: 8BA18F72A0121A9FDF05CFA4C854BEEBBB5FF89314F144059F816A7780DB36A841CBA4

Function 6C210BFC Relevance: 6.2, APIs: 4, Instructions: 216fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 6C210C17
GetLastError.KERNEL32 ref: 6C210C25
GetLastError.KERNEL32 ref: 6C210C42

Part of subcall function 6C2116B5: __EH_prolog3_GS.LIBCMT ref: 6C2116BF
Part of subcall function 6C2116B5: GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6C211531,?,?,00000000,?,6C243542,00000024,?,?,?), ref: 6C2116F2

CreateFileW.KERNEL32(?,80000000,?,0000000C,00000003,FFFF7FFF,00000000,?,00000000,?,?,?,?,00000104,00000000), ref: 6C210E3D

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ErrorFileLast$CreateFullH_prolog3_NamePathPointer
String ID:
API String ID: 2834880015-0
Opcode ID: 38c7a7ff53350ad7c0028a552eb6b434ce809648204586eadc7e72353f91eaa4
Instruction ID: e8ed31e969d09f93e9fb1af55afbb52993fb50412aa8671957548f9b74f57456
Opcode Fuzzy Hash: 38c7a7ff53350ad7c0028a552eb6b434ce809648204586eadc7e72353f91eaa4
Instruction Fuzzy Hash: 41710571A1525DABDB148F24DC48BDE77F8EB49318F10866EFA18D7A40D774DA80CB90

Function 6C208966 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C2089BA
InflateRect.USER32(?,00000000,00000000), ref: 6C2089F0
GetSystemMetrics.USER32(00000002), ref: 6C208A77

Part of subcall function 6C1D4A38: SetScrollInfo.USER32(?,?,?,?), ref: 6C1D4A7C

EnableScrollBar.USER32(?,00000002,00000003), ref: 6C208B96

Part of subcall function 6C1E525D: EnableWindow.USER32(?,00000024), ref: 6C1E526E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: EnableRectScroll$ClientInflateInfoMetricsSystemWindow
String ID:
API String ID: 3090651611-0
Opcode ID: 5931262934b01011a3d6c4c6063419c922eefd54b78f4a31f19e2b5e333c4dca
Instruction ID: 41409cd4e74e1b2ceda6051a4dd7bd0bac8d7f891aad300499e01ca9496cbd46
Opcode Fuzzy Hash: 5931262934b01011a3d6c4c6063419c922eefd54b78f4a31f19e2b5e333c4dca
Instruction Fuzzy Hash: 4C713971A00619DFDF00CFA8C985AEEBBB9FF49304F14016AED09EB645DB71AA45CB50

Function 6C1CE8AE Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6C1CD964: GetDlgCtrlID.USER32(?), ref: 6C1CD972
Part of subcall function 6C1CD964: IsChild.USER32(?,?), ref: 6C1CD980

GetScrollPos.USER32(?,00000002), ref: 6C1CE8F7
GetScrollPos.USER32(?,00000002), ref: 6C1CE923
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1CE980
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1CEA02

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: af04214659edd9e90506db3373660f3e2bf0668220e8d8f2e7e9ab303769fda9
Instruction ID: 19078c3b938eea8c6c07ab0e427e681a97f307f1bf1341583e7b909c94e33a99
Opcode Fuzzy Hash: af04214659edd9e90506db3373660f3e2bf0668220e8d8f2e7e9ab303769fda9
Instruction Fuzzy Hash: AA517B35B00229AFDF05DFA4C855BAEBBB5FF49311F10406AE916A7380CB74AE01CB91

Function 6C1CEA64 Relevance: 6.2, APIs: 4, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 6C1CD964: GetDlgCtrlID.USER32(?), ref: 6C1CD972
Part of subcall function 6C1CD964: IsChild.USER32(?,?), ref: 6C1CD980

GetScrollPos.USER32(?,00000002), ref: 6C1CEAAD
GetScrollPos.USER32(?,00000002), ref: 6C1CEAD9
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1CEB36
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1CEBAB

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 68eaa0a9d1aa0c0d6aeee197e11138965404f8f20d019747c7b7a9c4722860c4
Instruction ID: a3fd20291f11f28aaa8fbafd9b6e124fd516a32fbdceb64f3aca6892466be35c
Opcode Fuzzy Hash: 68eaa0a9d1aa0c0d6aeee197e11138965404f8f20d019747c7b7a9c4722860c4
Instruction Fuzzy Hash: 6E511735B00219AFDF05CFA4C845BAEBBB6BF99310F204059E916B7390C775AA119F91

Function 6C2024AA Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C2024B1
IsWindow.USER32(?), ref: 6C202559
GetParent.USER32(?), ref: 6C202579
GetParent.USER32(?), ref: 6C202595

Part of subcall function 6C24870A: __EH_prolog3_catch_GS.LIBCMT ref: 6C248711
Part of subcall function 6C24870A: CreateCompatibleDC.GDI32(00000000), ref: 6C248751
Part of subcall function 6C24870A: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C248773
Part of subcall function 6C24870A: FillRect.USER32(?,?,?), ref: 6C2487BD
Part of subcall function 6C24870A: OpenClipboard.USER32(?), ref: 6C2487ED

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CompatibleCreateParent$BitmapClipboardFillH_prolog3H_prolog3_catch_OpenRectWindow
String ID:
API String ID: 837828968-0
Opcode ID: d3756321177e422b2da094f7daeff6c6e78904d083f0dac58450827575dc2e78
Instruction ID: 4f7ef65c3c587962fc0253d7f327ba08825c8cddec890ffbb7d3a601e1608a71
Opcode Fuzzy Hash: d3756321177e422b2da094f7daeff6c6e78904d083f0dac58450827575dc2e78
Instruction Fuzzy Hash: 2E31D8B2705A0A9BEB089BB4C968B9A76F8BF4530D750042FFD06D7E10DF70E8058B50

Function 6C27CF42 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C27CF49

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: af128a94dcfc004c6879f0ba4be45180ea2d388375fff70b0fd6e90a1486cfc1
Instruction ID: 8fca91b980688da80dd431301fc7db02ebe976d1a1d03e1127eb24178ec6cd14
Opcode Fuzzy Hash: af128a94dcfc004c6879f0ba4be45180ea2d388375fff70b0fd6e90a1486cfc1
Instruction Fuzzy Hash: B0318F71E0161A9BDF04EFE8C995AEEBB75BF55305F104019F815BB640DB349909CFA0

Function 6C1C8410 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,-00000002,00000006,00000000,?,00000000,?,?,6C1C83E3,00000000,?,?,?), ref: 6C1C8438
LoadResource.KERNEL32(?,00000000,?,6C1C83E3,00000000,?,?,?), ref: 6C1C844C
LockResource.KERNEL32(00000000,?,6C1C83E3,00000000,?,?,?), ref: 6C1C845E
SizeofResource.KERNEL32(?,00000000,?,6C1C83E3,00000000,?,?,?), ref: 6C1C8470

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6795c779a47c16e04a359f0fa63b3035e4e2a8d7f9677ed1759f24623b6b70f9
Instruction ID: bb8fa8780d2b1048c85e3ef3225752263d1ebeec187d10681574f9dae84a9e9e
Opcode Fuzzy Hash: 6795c779a47c16e04a359f0fa63b3035e4e2a8d7f9677ed1759f24623b6b70f9
Instruction Fuzzy Hash: 0A21F3317022149BF7205B69CCC4B6B77ACEF66359B15412AFD11CB680EB6DD805C7A2

Function 6C1C8404 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,-00000002,00000006,00000000,?,00000000,?,?,6C1C83E3,00000000,?,?,?), ref: 6C1C8438
LoadResource.KERNEL32(?,00000000,?,6C1C83E3,00000000,?,?,?), ref: 6C1C844C
LockResource.KERNEL32(00000000,?,6C1C83E3,00000000,?,?,?), ref: 6C1C845E
SizeofResource.KERNEL32(?,00000000,?,6C1C83E3,00000000,?,?,?), ref: 6C1C8470

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 60e0adb2735e8e1b44e72c466073fcdda14efc232bf2b6b57fb6ae1472b35716
Instruction ID: b850b7b43b869a288761cf492a4f15c45895e793b41925d73f2212c8faf120e6
Opcode Fuzzy Hash: 60e0adb2735e8e1b44e72c466073fcdda14efc232bf2b6b57fb6ae1472b35716
Instruction Fuzzy Hash: 9021F3727022145BF7205B69CCC5B6B77ACEF62359B15412AFC55CB380EB2DD804C7A2

Function 6C212A94 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,00000000,?,6C212A7F,00000002,00000000,?,?,?,6C1E8704), ref: 6C212AC5
RedrawWindow.USER32(?,00000000,00000000,00000585,?,00000000,?,6C212A7F,00000002,00000000,?,?,?,6C1E8704,?,00000000), ref: 6C212AF2
RedrawWindow.USER32(?,00000000,00000000,00000185,?,00000000,?,6C212A7F,00000002,00000000,?,?,?,6C1E8704,?,00000000), ref: 6C212B2F
RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,?,?,6C1E8704,?,00000000), ref: 6C22E708

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: 1a12c5da3c015e8b75456115607a45405ccd42c6118c2949b4c64dc0cd96bb6c
Instruction ID: a4d1e95daf1522b474e5eddb44bba69c37047ec7ab9d9f626b0957c12f8e74d9
Opcode Fuzzy Hash: 1a12c5da3c015e8b75456115607a45405ccd42c6118c2949b4c64dc0cd96bb6c
Instruction Fuzzy Hash: F021C472745A276BEB225E21DC48F5A36B4BF4AB17F220115FD5177EE0EB60F8009B90

Function 6C206813 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?,8BAE044A,?,?,?,Function_00184D80,000000FF), ref: 6C206864
IsWindow.USER32(?), ref: 6C206875
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C206889
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C2068E6

Part of subcall function 6C279817: GetParent.USER32(00000000), ref: 6C27989E

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::DestroyMenuMessageParentSendWindow
String ID:
API String ID: 3377428259-0
Opcode ID: 57ebac38289384ed01839fffd1b310684bb04d0078a281a5a6557fca0103d2a6
Instruction ID: 1e45701782dce08169a50c81619a74033af1fb98ff60c379ff96b538d4f0f5a6
Opcode Fuzzy Hash: 57ebac38289384ed01839fffd1b310684bb04d0078a281a5a6557fca0103d2a6
Instruction Fuzzy Hash: 05216B742017458BD729DF74C890AEAB7B8FF56758F00482EE86782B80DF79644ACA51

Function 6C1F4A7D Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005), ref: 6C1F4A9B
LoadResource.KERNEL32(?,00000000), ref: 6C1F4AB0
LockResource.KERNEL32(00000000), ref: 6C1F4AC2
GlobalFree.KERNEL32(?), ref: 6C1F4B01

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 21ea5ce293c53ae834e9cb92248def7d32788bc68642619e4196caea7339de3d
Instruction ID: e42e0397db21ea74acc66d16b11294762ca903943f9567cdf36f50bc86d2aa45
Opcode Fuzzy Hash: 21ea5ce293c53ae834e9cb92248def7d32788bc68642619e4196caea7339de3d
Instruction Fuzzy Hash: E811E631601A15AFDB119F55C944B9ABBF8EF15368F058268EC2AA7B01CB309C058BE5

Function 6C23EDF5 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

GdipCreateFromHDC.GDIPLUS(?,?), ref: 6C23EE35
GdipSetInterpolationMode.GDIPLUS(?,?,?,?), ref: 6C23EE46
GdipDeleteGraphics.GDIPLUS(?,?,?,?,?), ref: 6C23EE7C
GdipDisposeImage.GDIPLUS(?), ref: 6C23EE84

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Gdip$CreateDeleteDisposeFromGraphicsImageInterpolationMode
String ID:
API String ID: 3656396538-0
Opcode ID: ee81af83dadef7af622b2e9225cff113c01a4d9f343019829f0034ca92ef004d
Instruction ID: 6b64a65bb42b9da4cf48e230b9a906883530c535204f13aa43b97805208cd660
Opcode Fuzzy Hash: ee81af83dadef7af622b2e9225cff113c01a4d9f343019829f0034ca92ef004d
Instruction Fuzzy Hash: 4A115EB1900229AFCF00DFB8C944DDEBBB8EF09658B104558E819E7650D732DE1A9BD0

Function 6C238CF4 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C238CFB
GetParent.USER32(?), ref: 6C238D2F
GetWindow.USER32(?,00000000), ref: 6C238D54
GetWindow.USER32(?,00000002), ref: 6C238D82

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$H_prolog3Parent
String ID:
API String ID: 281833477-0
Opcode ID: e10ca418f22982936ad383d5e71aa5d687033811126cd04b69067dd51f0b788b
Instruction ID: f5cafe7392fc2688128c3f779bf40d0cb953f103d5402fd317d5039a3e8dc2b8
Opcode Fuzzy Hash: e10ca418f22982936ad383d5e71aa5d687033811126cd04b69067dd51f0b788b
Instruction Fuzzy Hash: C1110173A02A2DABEB125BB4CC08FDD33756F45308F590116F905EBA90CF309808C761

Function 6C3189E9 Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,6C318B14,00000000,00000004,00000000), ref: 6C318A38
GetLastError.KERNEL32(?,?,?,6C2627C3,6C262813,00000000,00000000,?,00000000,?,6C1FAB85,00000001,00000000,?,?,6C1FA81B), ref: 6C318A44
__dosmaperr.LIBCMT ref: 6C318A4B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: b419c98b836b39d61eb09250bedada6d12f5d86024c4aa7123255e1eb50169a5
Instruction ID: ad2c85c015061c4d468587a4ed237321dbb5cf6ccc672d80cd0ad1a9f67169d1
Opcode Fuzzy Hash: b419c98b836b39d61eb09250bedada6d12f5d86024c4aa7123255e1eb50169a5
Instruction Fuzzy Hash: 4401C872606304AFCB058BA5CC04BDE7ABDDF8237AF21421AF520969D0D7708944CAA6

Function 6C230421 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6C230465
DestroyWindow.USER32(?), ref: 6C23047B
IsWindow.USER32(?), ref: 6C23049E
DestroyWindow.USER32(?), ref: 6C2304AE

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 3f222d5b4086198ee415c37ab2c3055f495371f1751781f8024969c3b7d0ef1a
Instruction ID: 8c1b49d241b00aedce268722165c847c800169a6942ca78cc6d25a8078a95024
Opcode Fuzzy Hash: 3f222d5b4086198ee415c37ab2c3055f495371f1751781f8024969c3b7d0ef1a
Instruction Fuzzy Hash: D011C07520265AABEF015F51D888BD97B79FF8132AF208129FE1E8B541CFB59510CBB0

Function 6C1CAAD1 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 6C1CAAE1
GetSubMenu.USER32(00000000,-00000001), ref: 6C1CAAF0
GetMenuItemCount.USER32(00000000), ref: 6C1CAAFD
GetMenuItemID.USER32(00000000,00000000), ref: 6C1CAB13

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Menu$Item$Count
String ID:
API String ID: 879546783-0
Opcode ID: 8dd8fb8051bed6b629d89746b2e7135dec1e2f0df4bb68cf15a05281e78f5368
Instruction ID: 4677441c561192f34b4f842e8894c0546b4437ced95cd782b8ce19395c300268
Opcode Fuzzy Hash: 8dd8fb8051bed6b629d89746b2e7135dec1e2f0df4bb68cf15a05281e78f5368
Instruction Fuzzy Hash: 7F016270B03116AFEB16CF64DD98B9F7AFADF35744F104525F906E6600DA78CA408751

Function 6C280C8F Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C280CA1
SetRectEmpty.USER32(?), ref: 6C280CAB
SetRectEmpty.USER32(?), ref: 6C280CB5
SetRectEmpty.USER32(?), ref: 6C280CBF

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 791e64a8b34a9ae37347a0db783f173fefd6ec482cf7233b7841b46b074d1f32
Instruction ID: 5bd207ac6f7e40c3a811508ae55474f05f32abccdefe312b44aa97202f6163cd
Opcode Fuzzy Hash: 791e64a8b34a9ae37347a0db783f173fefd6ec482cf7233b7841b46b074d1f32
Instruction Fuzzy Hash: 72E0C9715117168FEB709F61C449AC677FCFF0631AB900819E187C3911D778E589CB90

Function 6C2A2DEB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C2A2DF2

Part of subcall function 6C1CC5AB: __EH_prolog3.LIBCMT ref: 6C1CC5B2
Part of subcall function 6C1CC5AB: CreateSolidBrush.GDI32(6C1D8A6F), ref: 6C1CC5CD

FillRect.USER32(?,?,?), ref: 6C2A2EB6

Strings

(^4l, xrefs: 6C2A2EBF

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: H_prolog3$BrushCreateFillRectSolid
String ID: (^4l
API String ID: 3708192491-3721299443
Opcode ID: c821d9de1ee0f8518be740b437e3f5e7f4b57fdfd5e8cd13cba2ab7796b4e4d9
Instruction ID: 3879f3d3cbb7e5eaea4ff762d9a48fa6417bc5ae152d9058d55f2432ce6c824a
Opcode Fuzzy Hash: c821d9de1ee0f8518be740b437e3f5e7f4b57fdfd5e8cd13cba2ab7796b4e4d9
Instruction Fuzzy Hash: 7B61937190161ADBCF05DF96C884BDE77B1AF49315F144165FC28EFA90DB30A946CBA0

Function 6C1B2BD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C1B2C06
std::_Lockit::~_Lockit.LIBCPMT ref: 6C1B2D16

Part of subcall function 6C1E57A9: _Yarn.LIBCPMT ref: 6C1E57C9
Part of subcall function 6C1E57A9: _Yarn.LIBCPMT ref: 6C1E57ED

Strings

bad locale name, xrefs: 6C1B2C66

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 86e2b66b32206485388f3710da6cfc267971616e13507577469ca00cdd3d86f2
Instruction ID: 5b90beda36ec1189dd9b3354003ad1fec61ecf8474d955107919d23dd881bdfd
Opcode Fuzzy Hash: 86e2b66b32206485388f3710da6cfc267971616e13507577469ca00cdd3d86f2
Instruction Fuzzy Hash: B0416DF1A01B419BDB20CF6AD948B56BBE8BF18604F044629E449D7F40E739E418CFE2

Function 6C26A978 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C26A97F

Part of subcall function 6C2E5BD9: __EH_prolog3.LIBCMT ref: 6C2E5BE0
Part of subcall function 6C2E5BD9: GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6C2E5C2B
Part of subcall function 6C2E5BD9: GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6C2E5C3E
Part of subcall function 6C2E5BD9: GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6C2E5C51

SetRectEmpty.USER32(?), ref: 6C26AB75

Strings

(^4l, xrefs: 6C26A9DD

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: Profile$H_prolog3$EmptyRect
String ID: (^4l
API String ID: 1529447813-3721299443
Opcode ID: 02ad9f5eac476fc567d5e88cb0336b180db1180bfc3beb59939b7ba8d47f7c63
Instruction ID: b1cef4b4fb132ae236e7b23d6eae4708c19552b849e84963aa77e22c265558c3
Opcode Fuzzy Hash: 02ad9f5eac476fc567d5e88cb0336b180db1180bfc3beb59939b7ba8d47f7c63
Instruction Fuzzy Hash: E15165B0A09B46AFD34CCF39A5817D9FBA0BB09304F50822EE56D93740CB7021A5CF98

Function 6C1E8905 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6C1E8972
CopyRect.USER32(?,?), ref: 6C1E8984

Part of subcall function 6C1C9B7C: __EH_prolog3.LIBCMT ref: 6C1C9B83

Strings

(, xrefs: 6C1E896B

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CopyH_prolog3InfoMonitorRect
String ID: (
API String ID: 76778085-3887548279
Opcode ID: 27d5742127cd242236e6dee8808868a5ba4601dd594bd2626f316780cce2dc46
Instruction ID: 114e56e717bae36ffe510cf367dfb8bf2d7dc5cc4a237fbe8e0bdbf2d0a602e1
Opcode Fuzzy Hash: 27d5742127cd242236e6dee8808868a5ba4601dd594bd2626f316780cce2dc46
Instruction Fuzzy Hash: AD214C71A00609EFCB14DFA8D544A8EB7F9FF48314B10842EE596E3690DB70EA44CB61

Function 6C1E8808 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 6C1E8876
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 6C1E88EF

Strings

(, xrefs: 6C1E885A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: BitmapColorCreate
String ID: (
API String ID: 2048008349-3887548279
Opcode ID: ea4ed1e6b99c437930a94cfcedd2801d93fc7d0e9f692eee71ec616c34fc8dfb
Instruction ID: 228842d98eef5bd3778fd2af925603af7a0fc3462ba03eac84efce3818fad9ee
Opcode Fuzzy Hash: ea4ed1e6b99c437930a94cfcedd2801d93fc7d0e9f692eee71ec616c34fc8dfb
Instruction Fuzzy Hash: 00219521A1178CDAEF01DFB88842BDCB7B8BF1A204F14C159E945F7181DF345A88CB65

Function 6C29E4E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FillRect.USER32(?,/m"l,-000000D0), ref: 6C29E54F
FillRect.USER32(?,/m"l,?), ref: 6C29E584

Strings

/m"l, xrefs: 6C29E57D, 6C29E548, 6C29E54B, 6C29E580

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FillRect
String ID: /m"l
API String ID: 2175405051-2058113876
Opcode ID: 1b79c5f85323f84183113c053af9548a44b415c4fb3aa39e0a0d50181aefcf7e
Instruction ID: 4e0ee1d47eb05963100ed4fb5eff59e6c106e8e2b39d6293abac373137f26087
Opcode Fuzzy Hash: 1b79c5f85323f84183113c053af9548a44b415c4fb3aa39e0a0d50181aefcf7e
Instruction Fuzzy Hash: 10118E76601109EFEB009B9AC945FDE7BB8FF5A354F148126F805CB651EB34D900CBA1

Function 6C238DB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C238DBB
CreatePopupMenu.USER32 ref: 6C238DFC

Strings

T}4l, xrefs: 6C238E03

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CreateH_prolog3MenuPopup
String ID: T}4l
API String ID: 2466797239-3324797550
Opcode ID: e1b34f6b0d012e83a51893f095ec7c83a732e856691cc80d0ff93afcb642852d
Instruction ID: 1f34f1fa007597cda1a14e3bb05101f18a3c80eaf696c957fdcb5f88098168c0
Opcode Fuzzy Hash: e1b34f6b0d012e83a51893f095ec7c83a732e856691cc80d0ff93afcb642852d
Instruction Fuzzy Hash: DB21C0B5A0061ADFDF04DFA4C5897EEBBB1AF45304F10006EE91AAB790DF709A44CB91

Function 6C21CE11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C21CE18
FindResourceW.KERNEL32(?,?,STYLE_XML,?,?,00000004,6C1E86F9,?,00000000), ref: 6C21CE56

Strings

STYLE_XML, xrefs: 6C21CE4A

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: FindH_prolog3Resource
String ID: STYLE_XML
API String ID: 3036663282-3909253476
Opcode ID: deceb8447d12a26672aca2651ad132ea3964376fad8796cdd8d990d46a07fed5
Instruction ID: 48add3bea00ae56982983ada768e5b98c45f07fa3cc90a400c7d21d300d7d656
Opcode Fuzzy Hash: deceb8447d12a26672aca2651ad132ea3964376fad8796cdd8d990d46a07fed5
Instruction Fuzzy Hash: 9CF0CDB9A08219DBDB10BBB49840AAF72BCBF9A6187101526FA96D6F40CB34C414DA21

Function 6C1EC870 Relevance: 5.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C3A0410,?,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8A1
InitializeCriticalSection.KERNEL32(00000000,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8B7
LeaveCriticalSection.KERNEL32(6C3A0410,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8C5
EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC8D2

Part of subcall function 6C1EC908: InitializeCriticalSection.KERNEL32(6C3A0410,?,?,?,6C1D8ABC,00000001,?,6C1D8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1EC920

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 208f6e96431b95f33e3202e72df47696f5b1d27735ef994eb2a39d629a37e827
Instruction ID: d848f9a029b2ad234209a0de34182bc85ea900bff7ab8cf039ec4193ee7a75f9
Opcode Fuzzy Hash: 208f6e96431b95f33e3202e72df47696f5b1d27735ef994eb2a39d629a37e827
Instruction Fuzzy Hash: 92F0C2727012189FDA442B94DC58B9D7E7CFB5B32AF440129E103C2841C734C861CEA2

Function 6C1EEAA6 Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C3A04E0,?,?,?,?,6C1EEBCB,00000000,00000004,6C1E0223,6C1DA338,6C1E419C,?,6C1D871F), ref: 6C1EEAB2
TlsGetValue.KERNEL32(6C3A04C4,?,?,?,?,6C1EEBCB,00000000,00000004,6C1E0223,6C1DA338,6C1E419C,?,6C1D871F), ref: 6C1EEAC6
LeaveCriticalSection.KERNEL32(6C3A04E0,?,?,?,?,6C1EEBCB,00000000,00000004,6C1E0223,6C1DA338,6C1E419C,?,6C1D871F), ref: 6C1EEAE0
LeaveCriticalSection.KERNEL32(6C3A04E0,?,?,?,?,6C1EEBCB,00000000,00000004,6C1E0223,6C1DA338,6C1E419C,?,6C1D871F), ref: 6C1EEAEB

Memory Dump Source

Source File: 00000003.00000002.3551415916.000000006C1B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1B0000, based on PE: true

Associated: 00000003.00000002.3551397153.000000006C1B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551529781.000000006C343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551604983.000000006C398000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551622662.000000006C39B000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551640187.000000006C39F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3551676156.000000006C3A5000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c1b0000_Update.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: e2869a4f90c780110e6a4d0b3d94c3a44eee4e5895b706ac94faf8c2d0a237d1
Instruction ID: d7650932f1dfbfe67fd3dfb52d41ce8982670c59e2a4254acb424efd76130410
Opcode Fuzzy Hash: e2869a4f90c780110e6a4d0b3d94c3a44eee4e5895b706ac94faf8c2d0a237d1
Instruction Fuzzy Hash: 75F09072202525AFDB009F15C89494BF77CFF8B765305401AF806D7A20C770E985CBD1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6f0slJzOrF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

C:\Users\Public\Bilite\Axialis\Update.dll

C:\Users\Public\Bilite\Axialis\Update.exe

C:\Users\Public\Bilite\Axialis\ypuvomgj.png

C:\Users\Public\Bilite\winrar-x64-700scp.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24qowyrn.gbj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uugam2n.3tl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dgnzhy4.2a4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjh1nwgi.ahl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfqxkpyc.1s2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxtxivrx.ank.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxcip0rv.cao.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r552qvtv.xfe.ps1

Windows Analysis Report
6f0slJzOrF.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre