Edit tour

Windows Analysis Report
8R2YjBA8nI.exe

Overview

General Information

Sample name:	8R2YjBA8nI.exe renamed because original name is a hash value
Original sample name:	15D3E848E744AA25B6EDBAEFDF57BF3F.exe
Analysis ID:	1583412
MD5:	15d3e848e744aa25b6edbaefdf57bf3f
SHA1:	d6c429733e1f23b522b908aeb8a47d644f27d3b3
SHA256:	27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sleep loop found (likely to delay execution)

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

8R2YjBA8nI.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\8R2YjBA8nI.exe" MD5: 15D3E848E744AA25B6EDBAEFDF57BF3F)

cmd.exe (PID: 7700 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Update.exe (PID: 7756 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)

cmd.exe (PID: 4268 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1216 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1220 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 7632 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7804 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7800 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 7940 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 3796 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6988 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 4088 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 5376 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1284 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 2176 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 7260 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4624 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 1060 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2472 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Configuration

Threatname: GhostRat

{"C2 url": ["156.251.17.243:17093", "156.251.17.243:17094"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.3067908639.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2612748611.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3235606389.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3396873224.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3557271908.0000000003AB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3557007107.0000000003220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2744056117.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3067978820.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2907446964.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3557849730.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2907514560.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2571536188.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3557383262.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3235533822.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3396747004.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2744000452.0000000004D2D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: Update.exe PID: 7756	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.Update.exe.3bb05bf.5.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.8.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3ab1053.4.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.4d52603.7.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.13.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.febc3b.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.febc3b.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.15.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.fb9fd3.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.5.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.13.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.10.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.6.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3221004.3.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.febc3b.1.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.4d52603.7.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.6.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.5.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3d30000.6.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.11.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.fb9fd3.0.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.14.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.12.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.9.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.8.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.10.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3221004.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.15.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.11.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3ab1053.4.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3bb05bf.5.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.12.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.3d30000.6.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.14.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.4d52603.9.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.febc3b.3.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7700, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 7756, ProcessName: Update.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Users\Public\Bilite\Axialis\Update.exe, ParentProcessId: 7756, ParentProcessName: Update.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 7260, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 156.251.17.243, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\Update.exe, Initiated: true, ProcessId: 7756, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49890

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7260, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 4624, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7260, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 4624, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T17:35:05.903264+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49916	156.251.17.243	17093	TCP
2025-01-02T17:36:15.375847+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49936	156.251.17.243	17093	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Update.exe.7756.3.memstrmin

Malware Configuration Extractor: GhostRat {"C2 url": ["156.251.17.243:17093", "156.251.17.243:17094"]}

Multi AV Scanner detection for submitted file

Source: 8R2YjBA8nI.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C356EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,	3_2_6C356EB0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C356720 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,___std_exception_copy,	3_2_6C356720
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C356520 CryptStringToBinaryA,CryptStringToBinaryA,___std_exception_copy,	3_2_6C356520

Source: 8R2YjBA8nI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2620733147.000000000797B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2621978231.0000000007A0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1792139291.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb,X source: powershell.exe, 00000012.00000002.2621978231.0000000007A0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2612322077.00000000032D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2626859991.00000000089F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2626581119.0000000008990000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1792139291.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdbo source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: z:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: x:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: v:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: t:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: r:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: p:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: n:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: l:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: j:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: h:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: f:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: b:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: y:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: w:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: u:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: s:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: q:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: o:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: m:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: k:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: i:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: g:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C37F888 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	3_2_6C37F888
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C37F7D7 FindFirstFileExW,	3_2_6C37F7D7

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D380F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_03D380F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49916 -> 156.251.17.243:17093
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49936 -> 156.251.17.243:17093

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 156.251.17.243:17093
Source: Malware configuration extractor	URLs: 156.251.17.243:17094

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 156.251.17.243 ports 18852,17093,1,2,5,8

Source: global traffic

TCP traffic: 192.168.2.4:49890 -> 156.251.17.243:18852

Source: Joe Sandbox View

ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D33360 recv,timeGetTime,_memmove,

3_2_03D33360

Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.2611684461.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2612322077.0000000003335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000012.00000002.2612322077.000000000335E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000012.00000002.2622101039.0000000007A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000011.00000002.2617183189.0000000005547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2612360240.0000000004C8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2612360240.0000000004636000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.2612360240.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000004F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2612360240.0000000004C8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2612360240.0000000004636000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 8R2YjBA8nI.exe, 00000000.00000003.1789791701.00000000071F0000.00000004.00001000.00020000.00000000.sdmp, 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2495893999.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://www.ijg.org
Source: powershell.exe, 00000011.00000002.2612360240.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000004F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2620733147.000000000797B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://ldapi.ldmnq.com/common/baidu/ocpc
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://ldapi.ldmnq.com/common/baidu/ocpcbaidu
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://ldapi.ldmnq.com/mnq/properties?openid=&packageName=https://encdn.ldmnq.com/player_files/open
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://middledata.ldmnq.com/collection/biz/upload
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://middledata.ldmnq.com/collection/biz/uploadreport
Source: powershell.exe, 00000011.00000002.2617183189.0000000005547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://res.ldmnq.com/ld/leidianexhttps://res.ldmnq.com/download/release/ldinst4.0.exehttps://res.ld
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_03D3E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_03D3E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_03D3E850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_03D3E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D3E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

3_2_03D3E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_03D3E850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D3BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

3_2_03D3BC70

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D3E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

3_2_03D3E4F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6C356EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,

3_2_6C356EB0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D3B463 ExitWindowsEx,	3_2_03D3B463
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D3B41B ExitWindowsEx,	3_2_03D3B41B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D3B43F ExitWindowsEx,	3_2_03D3B43F

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D36EE0	3_2_03D36EE0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D36C50	3_2_03D36C50
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D48381	3_2_03D48381
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D4E341	3_2_03D4E341
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D4EA1D	3_2_03D4EA1D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D4F9FF	3_2_03D4F9FF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D38900	3_2_03D38900
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D4D89F	3_2_03D4D89F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D4DDF0	3_2_03D4DDF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D324B0	3_2_03D324B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C357E80	3_2_6C357E80
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C362576	3_2_6C362576
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C370D62	3_2_6C370D62
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C382ED3	3_2_6C382ED3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C362870	3_2_6C362870
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C3758B0	3_2_6C3758B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C362A4B	3_2_6C362A4B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C36DBA0	3_2_6C36DBA0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C362BC6	3_2_6C362BC6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C36C515	3_2_6C36C515
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C387502	3_2_6C387502
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C362638	3_2_6C362638
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C357640	3_2_6C357640
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C362771	3_2_6C362771
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C3657A0	3_2_6C3657A0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C376234	3_2_6C376234
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001122F	3_2_1001122F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_100024B0	3_2_100024B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10010CDE	3_2_10010CDE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10012D91	3_2_10012D91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011E5C	3_2_10011E5C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1000B66A	3_2_1000B66A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011780	3_2_10011780
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EB0032	3_2_02EB0032
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EC1206	3_2_02EC1206
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EBB641	3_2_02EBB641
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EC1757	3_2_02EC1757
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EC0CB5	3_2_02EC0CB5
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EB2487	3_2_02EB2487
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EC2D68	3_2_02EC2D68
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BCF3BE	3_2_03BCF3BE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BB82BF	3_2_03BB82BF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BCD25E	3_2_03BCD25E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BB689F	3_2_03BB689F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BCD7AF	3_2_03BCD7AF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BB660F	3_2_03BB660F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BB1E6F	3_2_03BB1E6F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BCDD00	3_2_03BCDD00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BC7D40	3_2_03BC7D40

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Bilite\Axialis\Update.exe 0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6C36C970 appears 53 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 03D44300 appears 32 times

Source: 8R2YjBA8nI.exe

Static PE information: invalid certificate

Source: ldplayer9_ld_6000_ld.exe.0.dr

Static PE information: Resource name: ZIPRES type: 7-zip archive data, version 0.4

Source: 8R2YjBA8nI.exe, 00000000.00000003.1698216304.00000000024DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe, 00000000.00000003.1698216304.00000000024DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAxII> vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe, 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe, 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 8R2YjBA8nI.exe
Source: 8R2YjBA8nI.exe	Binary or memory string: OriginalFilename7zSfxNew.exe< vs 8R2YjBA8nI.exe

Source: 8R2YjBA8nI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/29@0/1

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D37B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	3_2_03D37B70
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D37740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_03D37740
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D37620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	3_2_03D37620

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D36050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

3_2_03D36050

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

File created: C:\Users\Public\Bilite

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12. 8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: 8R2YjBA8nI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8R2YjBA8nI.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

File read: C:\Users\user\Desktop\8R2YjBA8nI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8R2YjBA8nI.exe "C:\Users\user\Desktop\8R2YjBA8nI.exe"
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: update.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"

Source: ldplayer9_ld_6000_ld.exe.lnk.3.dr

LNK file: ..\..\Public\Bilite\ldplayer9_ld_6000_ld.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 8R2YjBA8nI.exe

Static file information: File size 77302708 > 1048576

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2620733147.000000000797B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2621978231.0000000007A0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1792139291.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb,X source: powershell.exe, 00000012.00000002.2621978231.0000000007A0F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2612322077.00000000032D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2626859991.00000000089F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2626581119.0000000008990000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1792139291.0000000000E02000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdbo source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: Update.dll.0.dr	Static PE information: section name: .00cfg
Source: backup.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D44345 push ecx; ret	3_2_03D44358
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D5A168 push eax; ret	3_2_03D5A119
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D5A0B8 push eax; ret	3_2_03D5A119
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D52450 push ebp; retf	3_2_03D52474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D52471 push ebp; retf	3_2_03D52474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D52470 push ebp; retf	3_2_03D52474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C36CAF7 push ecx; ret	3_2_6C36CB0A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10009DF5 push ecx; ret	3_2_10009E08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001FE9A push ecx; ret	3_2_1001FEBF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EBCAFF push eax; retf	3_2_02EBCB00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EBCB61 pushfd ; retf	3_2_02EBCB64
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EBCB0B push 701000CBh; retf	3_2_02EBCB10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EBCB07 pushad ; retf	3_2_02EBCB08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EB9DCC push ecx; ret	3_2_02EB9DDF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BC3D04 push ecx; ret	3_2_03BC3D17

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	File created: C:\Users\Public\Bilite\Axialis\Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	File created: C:\Users\Public\Bilite\Axialis\Update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	File created: C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe	Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D3B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_03D3B3C0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Window / User API: threadDelayed 5755	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3378	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8652	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 898	Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Dropped PE file which has not been started: C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe			Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll			Jump to dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7784	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7780	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 3320	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7564	Thread sleep count: 286 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5232	Thread sleep count: 5755 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5232	Thread sleep time: -57550s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2336	Thread sleep count: 3378 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 171 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 8652 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep count: 898 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 7636	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 2284	Thread sleep count: 266 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7016	Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1784	Thread sleep count: 134 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Thread sleep count: Count: 5755 delay: -10

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C37F888 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	3_2_6C37F888
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C37F7D7 FindFirstFileExW,	3_2_6C37F7D7

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D380F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_03D380F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D37410 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

3_2_03D37410

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 73000	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Update.exe, 00000003.00000003.2907131651.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3556603652.0000000000F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

API call chain: ExitProcess graph end node

graph_3-70668

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_00E015D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00E015D0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D4054D VirtualProtect ?,-00000001,00000104,?

3_2_03D4054D

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EB0AE4 mov eax, dword ptr fs:[00000030h]		3_2_02EB0AE4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03BB00CD mov eax, dword ptr fs:[00000030h]		3_2_03BB00CD

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D36790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

3_2_03D36790

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00E01764 SetUnhandledExceptionFilter,	3_2_00E01764
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00E015D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E015D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00E01A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00E01A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D3DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	3_2_03D3DF10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D3F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_03D3F00A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03D41F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_03D41F67
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C36C85A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C36C85A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C373AAF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C373AAF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6C36C4ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C36C4ED
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10006815
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10008587
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_02EB67EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_02EB67EC

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Contains functionality to inject code into remote processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D377E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

3_2_03D377E0

Contains functionality to inject threads in other processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_03D377E0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		3_2_03D377E0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		3_2_03D377E0

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: Update.exe, 00000003.00000003.3235533822.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3235606389.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: Update.exe, 00000003.00000002.3557849730.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inProgram Manager
Source: Update.exe, 00000003.00000003.2907446964.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3396747004.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3067978820.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Managery-
Source: 8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	Binary or memory string: .lnkutility::usystem::resolveShortcutFromFileresolveShortcutFromFile buffer is too smallShell_TrayWndnot traywndutility::usystem::getSystBarHeightit is pcutility::usystem::isNoteBookPCit is notebookutility::usystem::isNoteBookPCShcore.dllGetDpiForMonitorldenvAccept: /

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	3_2_03D35430
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C37CEBE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C38682C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6C3868D3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C3869D9
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C37C9C3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6C38645A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C3866AD
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6C38670C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C3867E1
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6C38616E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6C3863BF

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03D45D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_03D45D22

Source: C:\Users\user\Desktop\8R2YjBA8nI.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Update.exe	Binary or memory string: acs.exe
Source: Update.exe	Binary or memory string: vsserv.exe
Source: Update.exe	Binary or memory string: kxetray.exe
Source: Update.exe	Binary or memory string: avcenter.exe
Source: Update.exe	Binary or memory string: KSafeTray.exe
Source: Update.exe	Binary or memory string: cfp.exe
Source: Update.exe	Binary or memory string: avp.exe
Source: Update.exe	Binary or memory string: 360Safe.exe
Source: Update.exe	Binary or memory string: rtvscan.exe
Source: Update.exe	Binary or memory string: 360tray.exe
Source: Update.exe	Binary or memory string: ashDisp.exe
Source: Update.exe	Binary or memory string: TMBMSRV.exe
Source: Update.exe	Binary or memory string: 360Tray.exe
Source: Update.exe	Binary or memory string: avgwdsvc.exe
Source: Update.exe	Binary or memory string: AYAgent.aye
Source: Update.exe	Binary or memory string: RavMonD.exe
Source: Update.exe	Binary or memory string: QUHLPSVC.EXE
Source: Update.exe	Binary or memory string: Mcshield.exe
Source: Update.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 3.2.Update.exe.3bb05bf.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3ab1053.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.4d52603.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.fb9fd3.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3221004.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.4d52603.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3d30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.fb9fd3.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3221004.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3ab1053.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3bb05bf.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3d30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.3067908639.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2612748611.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3235606389.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3396873224.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557271908.0000000003AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557007107.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2744056117.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3067978820.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2907446964.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557849730.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2907514560.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2571536188.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557383262.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3235533822.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3396747004.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2744000452.0000000004D2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Update.exe PID: 7756, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 3.2.Update.exe.3bb05bf.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3ab1053.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.4d52603.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.fb9fd3.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3221004.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.4d52603.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3d30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.fb9fd3.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3221004.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3ab1053.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3bb05bf.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.3d30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.4d52603.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.febc3b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.3067908639.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2612748611.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3235606389.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3396873224.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557271908.0000000003AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557007107.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2744056117.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3067978820.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2907446964.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557849730.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2907514560.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2571536188.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3557383262.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3235533822.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3396747004.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2744000452.0000000004D2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Update.exe PID: 7756, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	222 Process Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8R2YjBA8nI.exe	34%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\Public\Bilite\Axialis\Update.exe	0%	ReversingLabs
C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\backup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost	0%	Avira URL Cloud	safe
https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ	0%	Avira URL Cloud	safe
156.251.17.243:17094	0%	Avira URL Cloud	safe
156.251.17.243:17093	0%	Avira URL Cloud	safe
http://www.ijg.org	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
156.251.17.243:17093	true	Avira URL Cloud: safe	unknown
156.251.17.243:17094	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.2617183189.0000000005547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2620733147.000000000797B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ldapi.ldmnq.com/common/baidu/ocpcbaidu	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://sectigo.com/CPS0	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.2612360240.0000000004C8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2612360240.0000000004636000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000012.00000002.2622101039.0000000007A2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://middledata.ldmnq.com/collection/biz/uploadreport	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://aka.ms/pscore6lBkq	powershell.exe, 00000011.00000002.2612360240.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000004F01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://middledata.ldmnq.com/collection/biz/upload	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://res.ldmnq.com/ld/leidianexhttps://res.ldmnq.com/download/release/ldinst4.0.exehttps://res.ld	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000012.00000002.2612322077.000000000335E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002B10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.2612360240.0000000004C8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2612360240.0000000004636000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000005056000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2617183189.0000000005547000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2617271788.0000000005F67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ldapi.ldmnq.com/common/baidu/ocpc	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2612360240.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2613530425.0000000004F01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ijg.org	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://ldapi.ldmnq.com/mnq/properties?openid=&packageName=https://encdn.ldmnq.com/player_files/open	8R2YjBA8nI.exe, 00000000.00000003.1787810492.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.251.17.243	unknown	Seychelles		132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583412
Start date and time:	2025-01-02 17:32:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8R2YjBA8nI.exe renamed because original name is a hash value
Original Sample Name:	15D3E848E744AA25B6EDBAEFDF57BF3F.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/29@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 162 Number of non-executed functions: 228
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2472 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4624 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8R2YjBA8nI.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	45.202.220.139
	Hilix.sh4.elf	Get hash	malicious	Mirai	Browse	45.202.220.141
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	vcimanagement.armv4l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.250.157.117
	vcimanagement.armv6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.252.64.239
	vcimanagement.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.242.206.56
	vcimanagement.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.253.238.131
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.83.124
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	154.216.83.138
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	154.218.41.135

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Bilite\Axialis\Update.exe	6f0slJzOrF.exe	Get hash	malicious	GhostRat	Browse
	6f0slJzOrF.exe	Get hash	malicious	Unknown	Browse
	zPJUOck9wt.exe	Get hash	malicious	GhostRat	Browse
	zPJUOck9wt.exe	Get hash	malicious	Unknown	Browse
	MEuu1a2o6n.exe	Get hash	malicious	GhostRat	Browse
	MEuu1a2o6n.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

Download File

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.189464015923012
Encrypted:	false
SSDEEP:	3:iqkaVf3EpDvlLWzdPds1:ilkgDvR0dO1
MD5:	E0B9F50885C9027A8479809E48773FB5
SHA1:	CD1DDCE77B76428A8377DA9DB6C98CD17D26B4A5
SHA-256:	D4100BD47861860EE5B974DA6D1526300EFAD0BEA07A2147DE050F5AB4901AE7
SHA-512:	62FD97F720A6FE77E4A5AFD9AEC2C7B5C537A37F44A6F9D60F44A9EE1783FE8BB3A27EEDE5B8671DACCA8E6057F1CF8A839CEEEEB45065BC08C524E83E36D562
Malicious:	false
Preview:	U2FsdGVkX19ed6jSWQZ87x5UTzuvDSxWy4TvJSbGs4rG0n3V8HGyYgGC1a8KQsHZ

C:\Users\Public\Bilite\Axialis\Update.dll

Download File

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340760
Entropy (8bit):	6.542973942124912
Encrypted:	false
SSDEEP:	6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/KUaCcM:H66LUtNrIAzCKzRgDKrSeRUalM
MD5:	6CDF82D8FE534D835FAB242751200383
SHA1:	72074E82596FBD085BED96EE7F84B291722ECDA3
SHA-256:	144F9C2EB947F7DA86D77FE62B2CA893F8C794CDF5E76AFF8B471DC4220599A9
SHA-512:	E43B6DFFC19BE693502DF47FB1A009B30D3E45370BDC65604689D2D52517041C163F52450915C69EF48CDB6667A013A52724EE6A50185C7DE6EC1D9DFDCD44F5
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....mg...........!.........L......Y........................................p............@..........................t..O....t..........p6...............)...@...&...r.......................4.......................w...............................text............................... ..`.rdata..............................@..@.data....!..........................@....00cfg..............................@..@.tls................................@....rsrc...p6.......8..................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\Update.exe

Download File

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 6f0slJzOrF.exe, Detection: malicious, Browse Filename: 6f0slJzOrF.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\spyqizkn.png

Download File

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	data
Category:	dropped
Size (bytes):	73389290
Entropy (8bit):	7.9999949696309285
Encrypted:	true
SSDEEP:	1572864:4vucsY3Q3QOIErZwXrel/HeIk/o2u1wSkOQJAdq0H8TJZy:4vuc5MpVZwXilWIior1ZEA00cTzy
MD5:	1308BAC0A9357B506C13B7861B422E1F
SHA1:	BC58C688070CCCF07BFE8F1BDE8D1A7173F8EFA2
SHA-256:	93FD6B7AD279A5AB9B86BE7813D5510512EF51F7D93671773C13211CE26FDF92
SHA-512:	14F5A66A2149553B2F867B42CC5FA218EDF2648F3281B4FD06BD38C28503AF8BF6668348024A2F4552EDC2654EBB97AAF08389C8478D84CC3D3A73457D08F822
Malicious:	false
Preview:	..>..9..x...@..A.xE..._.g..1.Plj.@...........QP.'......b.c.xd.[...M...4Ct..w...~.-M.f`.Fp.+Xq%.}....;d....$.....5(..A..o].......n..3O..4.u..u4.{.........`yRc......#......$...?.$...oa.Cv ...6...3..[L..^.U....2...`..I..E.D....../........Ilc...efn.u..:sHf..'.......@D.V.o..~.."...a....7ABB.......4....).r2...&...g..d.~c.../.PWcp.&...`9..KtU9.I...'.:y.X. PEd5p-.-.]..1D.(.V#L`1,.........w.2...y:.j..~....*.....i.......c.D:sg.6......\|K..!4..i..0^T.I?A8..[.sxZ.I.#.r.i....S1U.......;<.%....[.....U../.=s..&...bf.\I....R.C.p.....+...C..6.9.$..C_..y.exD..k.2i.-...5..5B...6.g}.}.../".xe4...3t.&N.Q=\|.y.R.. t.wGj.S....o..s.R.8.W...lJ. ..?..."0.!.`J...O.....2..):-../...J.)&%.(...AH`hSck..6..}P....4c.SU.3...X.B.!...v....... _....K...+.^.l..{4...%.S....[.[K.1.69..a...B...:..!lZ+W..Q...)....#....ZP..{._,...47...n.G..P........h?.?D...PY.J4.~..K5..^..T..!.P.=j.3.5...S,..:.2.?.X....o...x.....l..+.S.. .d..cj...<..W..?..6.....G.A.:9..>.Y....(sv

C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe

Download File

Process:	C:\Users\user\Desktop\8R2YjBA8nI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4540512
Entropy (8bit):	7.278249613007746
Encrypted:	false
SSDEEP:	98304:vevwfTovd3ZIdCCFQfUfQ8aA78VREwBwMu:meol3ZIdCxujaAqRgMu
MD5:	EC1580551A183D46B8BE885B7519F1D5
SHA1:	4D5B0038633B92A11C3AAFD33DAAFF54D354FD91
SHA-256:	D0B485BCBD919FA05653281A9F1AB5B574D19A47AACBFAD89D411B946763FA1A
SHA-512:	759C4266DFA1168C6E91791AF71B946F3EE0E217B3CFFDD670BD6E7A811CBB2BECA0F5D9CE7ED06A40BE75C9FE735BBDD767E8A5F1AC6F61F61DB7FA47532D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........r.................E1............n........J............n.....n............n....n.......n.......n...................n.....Rich...........PE..L....:eg.................."..D#...............#...@..........................pF.......E...@..................................K.\|....p,..............D.`R... E..D....#.8............................7).@.............#..............................text...V."......."................. ..`.rdata...d....#..f....#.............@..@.data...............h*.............@....rsrc.......p,.......+.............@..@.reloc...D... E..F....C.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.408860214304474
Encrypted:	false
SSDEEP:	24:3yWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUGt/NK3R88bJ02iaEW3b5:CWSU4xympjmZ9tz4RIoUeNWR832qab5
MD5:	AB70D0D47823C49A9410EF2E2C12F557
SHA1:	5010818385312BE76C385BEDAA7A7BDAA5EF8E22
SHA-256:	08171B15FBBD5579D7219B169CA43051CB3F21F892BEEF77EC2B77E47525AA64
SHA-512:	9954AAE8E3351591CF3CCD7A8535EEB83ACBF81CF8C828111A0E607A355B95ED4A0BA5EB03F1FC0D0734975B7912916B7BDDEDAA4777D748F654DD0D39E490EC
Malicious:	false
Preview:	@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353fa0rx.b3u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzd50oup.wg0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvofwrcm.pgw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3wrqusa.dbi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdt3eysd.rtu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_usprs0ib.2ns.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1r1nze5.p2o.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvo0cvbv.iw4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\backup.dll

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340760
Entropy (8bit):	6.542973942124912
Encrypted:	false
SSDEEP:	6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/KUaCcM:H66LUtNrIAzCKzRgDKrSeRUalM
MD5:	6CDF82D8FE534D835FAB242751200383
SHA1:	72074E82596FBD085BED96EE7F84B291722ECDA3
SHA-256:	144F9C2EB947F7DA86D77FE62B2CA893F8C794CDF5E76AFF8B471DC4220599A9
SHA-512:	E43B6DFFC19BE693502DF47FB1A009B30D3E45370BDC65604689D2D52517041C163F52450915C69EF48CDB6667A013A52724EE6A50185C7DE6EC1D9DFDCD44F5
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....mg...........!.........L......Y........................................p............@..........................t..O....t..........p6...............)...@...&...r.......................4.......................w...............................text............................... ..`.rdata..............................@..@.data....!..........................@....00cfg..............................@..@.tls................................@....rsrc...p6.......8..................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\backup.exe

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.113976261619789
Encrypted:	false
SSDEEP:	24:NFW/WAW/WAWE3fzWcWrfZKx31SIYaYZLZ6y:NFVAVAjvz6ZKx31SIYN/6y
MD5:	F7F23953F7C236A0F12AE4848F174480
SHA1:	E222C191BE437B39FB294EDD1FCCAF961B1F7265
SHA-256:	0CD1B31F9AA2F089BD33331B172CD4813167BD59F889EFDC7EB2ADAA71F3D9CC
SHA-512:	2790AFD071756E25FF408426E0D40879603EBCBC23C1D98AD891017237A2930F27CC19F28C38C5BAB5221E828B0B08727EDCEC1D2AA528FCCED0B7EE576836B8
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=Update.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\Update.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Update.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:3:3
MD5:	F0F6CC51DACEBE556699CCB45E2D43A8
SHA1:	234306C0B6EFF1F32853A3B76F4A99A47A8E8018
SHA-256:	4C92B97852BFEE9020336FD71929B50C7CA9FC7180ED2F647F925AF7B844ED1B
SHA-512:	9DBFB4F5099C53130E791E7043E73A304DA25150BC4C6D6EDDC5BB3D99584E848A7CD64C1EA902E07FBE8502057858F1ECD8ED6F7F273D3973EE8F58B9C20DCB
Malicious:	false
Preview:	4268

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\ldplayer9_ld_6000_ld.exe.lnk

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 2 15:33:50 2025, mtime=Thu Jan 2 15:33:50 2025, atime=Tue Dec 24 02:25:35 2024, length=4540512, window=hide
Category:	dropped
Size (bytes):	1101
Entropy (8bit):	4.702186987608341
Encrypted:	false
SSDEEP:	12:8JXQY0UlGIJCICHqXg/64XilCACmqIug9fojA3HpTzGT9fBav11bGhD44t2YZ/eE:8JXZtGANzzfsA5WfovfbGhMqyFm
MD5:	78C0A68B13A3B0D6C7204614687F6A20
SHA1:	C54AE1114ED3577E85EF3526D759B1DF9403891C
SHA-256:	BCAF1F610D372F8FE810233D47E833D28E663739C44310F8CF7D0DEA9456651A
SHA-512:	9298B3049FE9D9438941B5722A2318624FFEC5B27098AC9E35834B7878EFD2F909D38A41489554568A29F3840268C86E7C19C5F457FC7EF62812DCC158F7933F
Malicious:	false
Preview:	L..................F.... .....\|.4]..r..4]....~.U..`HE..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH"Z4.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1....."Z5...Public..f......O.I"Z:.....+...............<.....\.H.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1....."Z:...Bilite..>......"Z5."Z:............................N..B.i.l.i.t.e.....~.2.`HE..Y2. .LDPLAY~1.EXE..b......"Z:."Z:.............................c.l.d.p.l.a.y.e.r.9._.l.d._.6.0.0.0._.l.d...e.x.e.......^...............-.......]............^.R.....C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe..,.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.l.d.p.l.a.y.e.r.9._.l.d._.6.0.0.0._.l.d...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......830021...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.292361616376963
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnn:hYFRamFSQZ0lv5y/9JctESnn
MD5:	7689D6E1AC4668D07ACB657413767158
SHA1:	860195BB8E4C696138711AEE8EBCB62D502E3D45
SHA-256:	1FCD0C76A32240DE46DEEB703A1A915A00C101DA60815B2C6845316FE7E18267
SHA-512:	63D316D45C0CBCEE68808819C984AEAA4D13C4B5FC03A54D88F7A5297D88C9041FFEFD7232A3DA9F5DEC8097E5B62B9035D3BAE9B98BD70663AFF1D1CBF21A9B
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999896618565362
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8R2YjBA8nI.exe
File size:	77'302'708 bytes
MD5:	15d3e848e744aa25b6edbaefdf57bf3f
SHA1:	d6c429733e1f23b522b908aeb8a47d644f27d3b3
SHA256:	27aaa78d661532a8c2702640a43496f1fa3f19b3af31d2f3d8110860ff2a9a01
SHA512:	c6c93121a6a98ce4b857cde3544189c8f9a3312f3a3ade9e7366fb26e625abb2860cca8ac1a9200b8a0982ce22b34962ef09746d43caa580b51ae381085606e5
SSDEEP:	1572864:9X0PbA0443v1abVn91uAsrTKaCSMehPEHz7FMosCyx7ry1PVsyw80Zbn9CIrQme:eTAVmaJjsrTKpSMehc7FMohyx7ry19PX
TLSH:	DC0833C9B708BB77C410DFB2AADCFB8B21F6D91015159D5E5AA14C47ACDE306036A2CB
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................@...............................................P.......................b...).

File Icon


Icon Hash:	01e0f2ccd4d4c400

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/07/2022 01:00:00 18/07/2024 00:59:59
Subject Chain	CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1:	583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256:	2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial:	7098774ED29B0565AB114EF2F2871CF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FB0BCBBD6E2h
cmp dword ptr [00417710h], ebx
jne 00007FB0BCBBD5CEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FB0BCBBD6B4h
push 00417048h
push 00417044h
call 00007FB0BCBBD69Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FB0BCBBD66Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x190d7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x49b629c	0x2918
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x190d7	0x19200	aedf42f084dabb70902985d8cb8d4f42	False	0.14223802860696516	data	4.481844282645869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.42819148936170215
RT_ICON	0x1a670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.2767354596622889
RT_ICON	0x1b718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.2513485477178423
RT_ICON	0x1dcc0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.17170524326877656
RT_ICON	0x21ee8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.09922512717378446
RT_GROUP_ICON	0x32710	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x3275c	0x350	data	English	United States	0.47523584905660377
RT_VERSION	0x32aac	0x3b0	data	Chinese	China	0.4523305084745763
RT_MANIFEST	0x32e5c	0x27b	ASCII text, with very long lines (635), with no line terminators	English	United States	0.5118110236220472

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T17:35:05.903264+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49916	156.251.17.243	17093	TCP
2025-01-02T17:36:15.375847+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49936	156.251.17.243	17093	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 17:35:01.993319035 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:01.998158932 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:01.998364925 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.783809900 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.783826113 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.783839941 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.783852100 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.783864021 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.783901930 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.828483105 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.998209953 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998229980 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998240948 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998258114 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998269081 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998279095 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.998281002 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998297930 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998297930 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.998307943 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.998332024 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.998352051 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.999023914 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.999033928 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.999188900 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:02.999202013 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.999213934 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:02.999254942 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.212838888 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212853909 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212905884 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.212925911 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212945938 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212955952 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212984085 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212989092 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.212990046 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.213064909 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.213845968 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.213857889 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.213869095 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.213879108 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.213890076 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.213903904 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.213932037 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.214710951 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.214723110 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.214732885 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.214766026 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.266017914 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.299473047 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.344111919 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.427438021 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427454948 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427467108 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427478075 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427489042 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427506924 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.427545071 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.427927017 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427938938 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427949905 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427961111 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427973986 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.427987099 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.428009033 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.428030014 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.428639889 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.428675890 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.428688049 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.428703070 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.428720951 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.428751945 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.429275990 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.429295063 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.429306984 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.429317951 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.429328918 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.429338932 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.429395914 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.430054903 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.433737040 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.641999960 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642102957 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642112970 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642124891 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642136097 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642146111 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642158031 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642169952 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.642214060 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.642457008 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642513037 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.642653942 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642664909 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642677069 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642688036 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642699003 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642709017 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.642709970 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642721891 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.642743111 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.643439054 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643507957 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643520117 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643532038 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643537045 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.643542051 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643563986 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643573999 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.643590927 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.643599987 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.643635988 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.644398928 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.644418955 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.644431114 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.644442081 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.644453049 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.644510031 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.728548050 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.778258085 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.856606960 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856621981 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856633902 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856645107 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856657028 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856667042 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856678009 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856681108 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.856689930 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856704950 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.856715918 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.856739044 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.856868982 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856973886 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856985092 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.856997967 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857008934 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857024908 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857031107 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.857036114 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857047081 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857060909 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.857105017 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.857724905 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857734919 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857747078 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857758045 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857768059 CET	18852	49890	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:03.857774973 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:03.857805967 CET	49890	18852	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:05.898099899 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:05.902904987 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:05.902973890 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:05.903264046 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:05.908030033 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:06.759259939 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:06.759675980 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:06.764512062 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:06.764520884 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:06.764524937 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066679955 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066692114 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066709042 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066720009 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066730976 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066740990 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.066751957 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.066792965 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.274102926 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274127960 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274138927 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274151087 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274163008 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274293900 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.274293900 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.274482012 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274492025 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274537086 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.274677038 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274694920 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274708033 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274719954 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.274725914 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.274766922 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.481798887 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.481818914 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.481878042 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.481928110 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.481955051 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.481967926 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.481980085 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.481991053 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.482011080 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.482047081 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.482752085 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.482769966 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.482781887 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.482794046 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.482805014 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.482815981 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.482836008 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.482853889 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.483620882 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.483632088 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.483644962 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.483656883 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.483668089 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.483678102 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.483710051 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.689332962 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689512014 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689522982 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689533949 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689546108 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689555883 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689568043 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689572096 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.689573050 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689585924 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.689620972 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.690349102 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690387011 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690392017 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.690655947 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690746069 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.690757036 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690768957 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690782070 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690793037 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690804958 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690812111 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.690814972 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.690836906 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.690856934 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.691642046 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.691653967 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.691664934 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.691693068 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.734775066 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.896986961 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897166967 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897192001 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897241116 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.897245884 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897264004 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897281885 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897298098 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897308111 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.897313118 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897327900 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.897336006 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897356987 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.897726059 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897778988 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897785902 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.897835970 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897851944 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897867918 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897881031 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.897882938 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.897916079 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.898389101 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898439884 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.898466110 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898513079 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898530006 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898551941 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898566008 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.898567915 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898585081 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898586988 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.898602962 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.898648024 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.899454117 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899477005 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899492979 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899507046 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.899509907 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899528980 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899543047 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.899544001 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899559975 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899581909 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.899595022 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.899609089 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:07.900386095 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:07.900433064 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.104530096 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104590893 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104605913 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104640961 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104640961 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.104671955 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104681969 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.104690075 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104707003 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.104754925 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105112076 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105127096 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105143070 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105159044 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105175018 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105180979 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105190992 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105206013 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105206966 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105221987 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105226040 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105252981 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105662107 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105710030 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105714083 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105736971 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105753899 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105770111 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105777979 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105803013 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105803967 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105820894 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.105827093 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.105854034 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.106374025 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106396914 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106414080 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106439114 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.106453896 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.106484890 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106501102 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106517076 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106539965 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106545925 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.106556892 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106573105 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106585026 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.106589079 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106606007 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.106616974 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.106647968 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.107394934 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107409954 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107425928 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107441902 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107453108 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.107458115 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107475042 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107486010 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.107500076 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.107513905 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.156678915 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.312273026 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312292099 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312309027 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312354088 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312372923 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.312428951 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.312664032 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312789917 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312820911 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312843084 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312858105 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312874079 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312887907 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312902927 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312911987 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.312922001 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312937975 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312942982 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.312952995 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312956095 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.312975883 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.312999010 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313016891 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313040018 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313113928 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313128948 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313138008 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313152075 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313167095 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313184023 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313186884 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313235998 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313420057 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313436031 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313494921 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313510895 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313534021 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313534021 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313539982 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313563108 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313579082 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313592911 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313606977 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313611984 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313635111 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313642025 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313659906 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313663006 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313673973 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313688993 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.313714981 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.313746929 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314253092 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314277887 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314311981 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314325094 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314327002 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314342976 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314362049 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314378023 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314399958 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314415932 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314426899 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314430952 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314455032 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314483881 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314498901 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314502001 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314522028 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314522982 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314541101 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.314585924 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.314585924 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:08.315253019 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.315268993 CET	17093	49916	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:08.315326929 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:09.417279959 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:09.422106028 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:09.422200918 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:11.328744888 CET	49916	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:14.831335068 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:14.836148977 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:14.836162090 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:14.836172104 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:14.836275101 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:15.375133991 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:15.375416994 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:15.380211115 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:26.313251972 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:26.318065882 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:26.630960941 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:26.672391891 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:26.692274094 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:26.697108030 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:42.500866890 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:42.619323969 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:42.955595970 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:43.000617027 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:43.038355112 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:43.043150902 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:58.674565077 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:58.679470062 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:58.996917963 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:35:59.047641993 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:59.084880114 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:35:59.091658115 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:15.375847101 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:15.380810976 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:15.745831966 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:15.797676086 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:15.848962069 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:15.853832960 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:31.563566923 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:31.568456888 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:31.885278940 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:31.938391924 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:31.975116968 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:31.979979992 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:47.641699076 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:47.763598919 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:48.121665001 CET	17093	49936	156.251.17.243	192.168.2.4
Jan 2, 2025 17:36:48.169292927 CET	49936	17093	192.168.2.4	156.251.17.243
Jan 2, 2025 17:36:48.174190998 CET	17093	49936	156.251.17.243	192.168.2.4

Target ID:	0
Start time:	11:33:41
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\8R2YjBA8nI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8R2YjBA8nI.exe"
Imagebase:	0x400000
File size:	77'302'708 bytes
MD5 hash:	15D3E848E744AA25B6EDBAEFDF57BF3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:33:50
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:33:50
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:33:50
Start date:	02/01/2025
Path:	C:\Users\Public\Bilite\Axialis\Update.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0xe00000
File size:	395'368 bytes
MD5 hash:	FB325C945A08D06FE91681179BDCCC66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3067908639.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2612748611.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3235606389.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3396873224.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3557271908.0000000003AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3557007107.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2744056117.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3067978820.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2907446964.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3557849730.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2907514560.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2571536188.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3557383262.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3235533822.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3396747004.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2744000452.0000000004D2D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0xcf0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x130000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x540000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:35:01
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x540000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:35:02
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xb00000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:35:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0xcf0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:35:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x130000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:35:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xb00000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:36:02
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0xcf0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:36:02
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x130000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:36:02
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xb00000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:36:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0xcf0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:36:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x130000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:36:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xb00000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.8%
Total number of Nodes:	1423
Total number of Limit Nodes:	15

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

XpA, xrefs: 00405581
HelpText, xrefs: 0040595E
ExecuteParameters, xrefs: 0040605D
Shortcut, xrefs: 0040632A
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
;!@InstallEnd@!, xrefs: 00405431
MiscFlags, xrefs: 0040573F
SetEnvironment, xrefs: 0040586E, 0040591F
sfxversion, xrefs: 004050D6
7zSfxString%d, xrefs: 0040558F
del, xrefs: 00405F9A
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
sfxconfig, xrefs: 0040527C, 00405488
@DA, xrefs: 00405699
nowait, xrefs: 00405F03
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
x64, xrefs: 00405FF7
7-Zip SFX, xrefs: 00406490
SelfDelete, xrefs: 0040577C, 0040640B
OverwriteMode, xrefs: 004056BB
IA, xrefs: 004055D2, 004058FB
FinishMessage, xrefs: 00406399
forcenowait, xrefs: 00405F25
Delete, xrefs: 00406352
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
i386, xrefs: 00405FD1
x86, xrefs: 00405FBE
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
7ZipSfx.%03x, xrefs: 00405C77
shc, xrefs: 00405F7A
4DA, xrefs: 00406034
GUIFlags, xrefs: 0040571F
;!@Install@!UTF-8!, xrefs: 00405436
BeginPrompt, xrefs: 00405A71
amd64, xrefs: 00405FE4
4AA, xrefs: 0040504C
GUIMode, xrefs: 004056FF
InstallPath, xrefs: 004059F3
hidcon, xrefs: 00405E5E

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

7zSfxFolder%02d, xrefs: 004044A1
IA, xrefs: 0040447B

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409225
IA, xrefs: 00409391

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

HKA, xrefs: 00410CE9
4KA, xrefs: 00410CF0
$KA, xrefs: 00410CF7
\KA, xrefs: 00410CE2

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A32

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?), ref: 0040EA24

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54

Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00411388 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

\3A, xrefs: 00401FDB
7zSfxString%d, xrefs: 00401FF7
XpA, xrefs: 00401FB4

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
%04X%c%04X%c, xrefs: 00401C8F
SetThreadPreferredUILanguages, xrefs: 00401CA4
SetProcessPreferredUILanguages, xrefs: 00401C58

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

SetWindowTheme, xrefs: 00406D70
uxtheme, xrefs: 00406D5E
\EA, xrefs: 00406D98

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

", xrefs: 00404BB9, 00404BBE, 00404C02
:Repeat, xrefs: 00404B92
7ZSfx%03x.cmd, xrefs: 00404B58
del ", xrefs: 00404B9F, 00404BA4, 00404BED
if exist ", xrefs: 00404BC7
" goto Repeat, xrefs: 00404BE0
open, xrefs: 00404C63

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

ErrorTitle, xrefs: 0040467F
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractPathTitle, xrefs: 00404801
CancelPrompt, xrefs: 00404831
ExtractPathWidth, xrefs: 004047E5
WarningTitle, xrefs: 00404697
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
Progress, xrefs: 004046C7
ExtractDialogText, xrefs: 004047AD
|wA, xrefs: 0040464B
GUIMode, xrefs: 004046F4
ExtractTitle, xrefs: 004046AF
Title, xrefs: 00404611
OverwriteMode, xrefs: 00404721
ExtractPathText, xrefs: 00404819
ExtractDialogWidth, xrefs: 004047BE
ExtractCancelText, xrefs: 004047A1

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

RichEdit20W, xrefs: 00402E8C
{\rtf, xrefs: 00402E09
STATIC, xrefs: 00402DDD
riched20, xrefs: 00402E3D

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

STATIC, xrefs: 00401E13
IMAGES, xrefs: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

MiscFlags, xrefs: 004032C0
SetEnvironment, xrefs: 0040326B
{\rtf, xrefs: 004031D6, 004031EB
GUIFlags, xrefs: 004032B2
hAA, xrefs: 0040309E

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C74D
IA, xrefs: 0040C66E
IA, xrefs: 0040C65E
IA, xrefs: 0040C4D9
IA, xrefs: 0040C4C6
IA, xrefs: 0040C4AF

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

BeginPrompt, xrefs: 004084A4, 004084A9
HelpText, xrefs: 00408598
ErrorTitle, xrefs: 00408511
SetEnvironment, xrefs: 004083BC
WarningTitle, xrefs: 0040853A
FinishMessage, xrefs: 00408417, 00408433

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@InstallEnd@!, xrefs: 00404D73
;!@Install@!UTF-8!, xrefs: 00404D59
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000290), ref: 004075CD
ResumeThread.KERNEL32(00000290), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@InstallEnd@!, xrefs: 00404E59
;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S/, xrefs: 0040399F
%%S\, xrefs: 00403961

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M\, xrefs: 00403A1C
%%M/, xrefs: 00403A5A

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

hJA, xrefs: 0040E49A
$JA, xrefs: 0040E4B6
xJA, xrefs: 0040E493
4JA, xrefs: 0040E4AF
DJA, xrefs: 0040E4A8
TJA, xrefs: 0040E4A1

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C12D
IA, xrefs: 0040C11B
IA, xrefs: 0040C0EC

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

kernel32, xrefs: 00402193
Wow64RevertWow64FsRedirection, xrefs: 0040218E

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

Wow64DisableWow64FsRedirection, xrefs: 004021C0
kernel32, xrefs: 004021C5

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1793079674.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1793065756.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793097629.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793111971.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793127768.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8R2YjBA8nI.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: Update.exePID: 7756, Parent PID: 7700COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	25.6%
Signature Coverage:	5.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 03D35430 Relevance: 93.2, APIs: 40, Strings: 13, Instructions: 440
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

_memset.LIBCMT ref: 03D3546C
_memset.LIBCMT ref: 03D35485
_memset.LIBCMT ref: 03D35495
gethostname.WS2_32(?,00000032), ref: 03D354A3
gethostbyname.WS2_32(?), ref: 03D354AD
inet_ntoa.WS2_32 ref: 03D354C5
_strcat_s.LIBCMT ref: 03D354D8
_strcat_s.LIBCMT ref: 03D354F1
inet_ntoa.WS2_32 ref: 03D3551A
_strcat_s.LIBCMT ref: 03D3552D
_strcat_s.LIBCMT ref: 03D35546
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03D35573
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03D35587
GetLastInputInfo.USER32(?), ref: 03D3559A
GetTickCount.KERNEL32 ref: 03D355A0
wsprintfW.USER32 ref: 03D355D5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 03D355E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 03D355FC
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03D35653
wsprintfW.USER32 ref: 03D3566C
GetForegroundWindow.USER32 ref: 03D35695
GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 03D356AC
lstrlenW.KERNEL32(000008CC), ref: 03D356D3
lstrlenW.KERNEL32(00000994), ref: 03D35739
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 03D357AA
GetProcAddress.KERNEL32(00000000), ref: 03D357B1
GetNativeSystemInfo.KERNEL32(?), ref: 03D357C2
GetSystemInfo.KERNEL32(?), ref: 03D357CD
wsprintfW.USER32 ref: 03D35806
GetCurrentProcessId.KERNEL32 ref: 03D35818
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 03D3582E
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 03D3584B
CloseHandle.KERNEL32(03D55164), ref: 03D3587F
GetTickCount.KERNEL32 ref: 03D358E9
__time64.LIBCMT ref: 03D358F8
__localtime64.LIBCMT ref: 03D3592F
wsprintfW.USER32 ref: 03D35968
GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 03D3597D
GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 03D3598C
GetCurrentHwProfileW.ADVAPI32(?), ref: 03D35999

Part of subcall function 03D380F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03D38132
Part of subcall function 03D380F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03D38166
Part of subcall function 03D380F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03D38176
Part of subcall function 03D380F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 03D381A6
Part of subcall function 03D380F0: lstrlenW.KERNEL32(?), ref: 03D381B7
Part of subcall function 03D380F0: __wcsnicmp.LIBCMT ref: 03D381CE
Part of subcall function 03D380F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03D38204

Strings

X86, xrefs: 03D359B1, 03D359D3
X86 %s, xrefs: 03D35800
GROUP, xrefs: 03D356E0
x86, xrefs: 03D357F4, 03D357F9
2024.12. 8, xrefs: 03D35758
1.0, xrefs: 03D35702
GetNativeSystemInfo, xrefs: 03D3576A
Network, xrefs: 03D356C2, 03D35728
REMARK, xrefs: 03D35746
%d min, xrefs: 03D355CF
x64, xrefs: 03D357ED
AppEvents, xrefs: 03D356B6, 03D3571C
kernel32.dll, xrefs: 03D3576F

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
String ID: %d min$1.0$2024.12. 8$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
API String ID: 1101047656-235578928
Opcode ID: b26b9442b08c01f612667f77a7297dbcc6135675fcbd1e8f0bd715f52b1f76c7
Instruction ID: e53522db38479fa1d03e90debb9b375a423ec811dc1895255a07394ac4ac7bc9
Opcode Fuzzy Hash: b26b9442b08c01f612667f77a7297dbcc6135675fcbd1e8f0bd715f52b1f76c7
Instruction Fuzzy Hash: 58F1B5F6940304AFDB24EB64DC85FDBB7B9EF45700F004558F61AA7281EA70AA48CF65

Function 6C357E80 Relevance: 76.9, APIs: 19, Strings: 24, Instructions: 1627fileprocessCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 6C357ED6
_strlen.LIBCMT ref: 6C357EF2
_strlen.LIBCMT ref: 6C3581F6
_strlen.LIBCMT ref: 6C3587FD
_strlen.LIBCMT ref: 6C358A61
CopyFileA.KERNEL32(6C369F47,?,00000000), ref: 6C358C17
_strlen.LIBCMT ref: 6C358C7B
CopyFileA.KERNEL32(00000000,?,00000000), ref: 6C358E42
_strlen.LIBCMT ref: 6C35848C

Part of subcall function 6C3511B0: _strlen.LIBCMT ref: 6C3511E3

_strlen.LIBCMT ref: 6C358EDD
OpenProcess.KERNEL32(00000410,00000000,00000000,00000000,?,00000001,00000040,00000001), ref: 6C359143
CloseHandle.KERNEL32(00000000), ref: 6C35914E
CreateProcessA.KERNEL32 ref: 6C359199
_strlen.LIBCMT ref: 6C3591C3
CloseHandle.KERNEL32(?,?,00000002,00000040,00000001), ref: 6C359417
CloseHandle.KERNEL32(?), ref: 6C35941F
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C35946E
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3594BD
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C359596

Strings

set "ProcessName=, xrefs: 6C358151
.pid, xrefs: 6C3592DF
set "BackupProcessPath=, xrefs: 6C3581C3
echo Process file not found, restoring from backup..., xrefs: 6C3586C9
cmd.exe /B /c "%s", xrefs: 6C35899C
if %ERRORLEVEL% neq 0 (, xrefs: 6C358769
set "DLLPath=, xrefs: 6C358422
tor., xrefs: 6C3592E7
if not exist "%DLLPath%" (, xrefs: 6C358705
start "" "%ProcessPath%", xrefs: 6C35877D
set "ProcessPath=, xrefs: 6C358186
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C358E56
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C35872D
:CheckProcess, xrefs: 6C35813D
goto CheckProcess, xrefs: 6C3587B9
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C3586DD
@echo off, xrefs: 6C358129
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C358C2B
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C358755
b79l, xrefs: 6C358B3E
if not exist "%ProcessPath%" (, xrefs: 6C3586BB
set "BackupDLLPath=, xrefs: 6C358459
timeout /t 30 /nobreak >nul, xrefs: 6C3587A5
echo DLL file not found, restoring from backup..., xrefs: 6C358719

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen$CloseHandleIos_base_dtorstd::ios_base::_$CopyFileProcess$CreateOpenPathTemp
String ID: copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $b79l$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
API String ID: 321380216-3707476029
Opcode ID: 30e9a15902ef31d4de487e6fee93a9195b1e5693754cfed816a9f9910bdde6a9
Instruction ID: 76d06deb41e1d10edf198075a83c21cdd4461d2e78c52944cf538e0a0cc1f703
Opcode Fuzzy Hash: 30e9a15902ef31d4de487e6fee93a9195b1e5693754cfed816a9f9910bdde6a9
Instruction Fuzzy Hash: 24E2AEB1510B408BE324CF34C884BA7B7E6BF95308F444A2DD49A8BB81E775E559CF92

Function 02EB0032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 02EB04AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 02EB04DE

Strings

fo, xrefs: 02EB022C
Cach, xrefs: 02EB01FA
Lo, xrefs: 02EB00FC
Syst, xrefs: 02EB0219
p, xrefs: 02EB00F7
tNat, xrefs: 02EB020A
ushI, xrefs: 02EB019B
Rt, xrefs: 02EB0233
a, xrefs: 02EB013E
oc, xrefs: 02EB0154
st, xrefs: 02EB01AD
ee, xrefs: 02EB00F0
yA, xrefs: 02EB0125
a, xrefs: 02EB016D
tu, xrefs: 02EB0137
Fu, xrefs: 02EB025A
A, xrefs: 02EB0244
Ta, xrefs: 02EB027D
a, xrefs: 02EB0103
mI, xrefs: 02EB0221
F, xrefs: 02EB018C
t, xrefs: 02EB0187
b, xrefs: 02EB0113
Li, xrefs: 02EB010C
Vi, xrefs: 02EB012C
ucti, xrefs: 02EB01BE
tu, xrefs: 02EB0166
otec, xrefs: 02EB017F
A, xrefs: 02EB0147
a, xrefs: 02EB011C
ctio, xrefs: 02EB026B
b, xrefs: 02EB0287
P, xrefs: 02EB0176
Via, xrefs: 02EB0312
iv, xrefs: 02EB0212
G, xrefs: 02EB0205
S, xrefs: 02EB00E7
o, xrefs: 02EB01C9

Memory Dump Source

Source File: 00000003.00000002.3556845860.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2eb0000_Update.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: cdecba79d141958df7d0edf7cd11b10bdcb1631ebeafb2bc0721f404c43e3ac5
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: 94629B715483858FD732CF24C840BABBBE4FF95708F04992DE9C99B251E770A948CB96

Function 03D3DF10 Relevance: 61.6, APIs: 24, Strings: 11, Instructions: 354
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03D40542: __fassign.LIBCMT ref: 03D40538

Sleep.KERNEL32(00000000), ref: 03D3DF64
CloseHandle.KERNEL32(00000000), ref: 03D3DF91
GetLocalTime.KERNEL32(?), ref: 03D3DFA9
wsprintfW.USER32 ref: 03D3DFE0
SetUnhandledExceptionFilter.KERNEL32(03D375B0), ref: 03D3DFEE
CloseHandle.KERNEL32(00000000), ref: 03D3E007

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

EnumWindows.USER32(03D35CC0,?), ref: 03D3E19D
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03D3E1AA
EnumWindows.USER32(03D35CC0,?), ref: 03D3E1BE
Sleep.KERNEL32(00000BB8), ref: 03D3E1F5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03D3E241
Sleep.KERNEL32(00000FA0), ref: 03D3E2C4
RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 03D3E2EB
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 03D3E30B
CloseHandle.KERNEL32(?), ref: 03D3E35D
Sleep.KERNEL32(000003E8,?,?), ref: 03D3E3A4
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 03D3E3D0
CloseHandle.KERNEL32(?,?,?), ref: 03D3E3D7
Sleep.KERNEL32(000003E8,?,?), ref: 03D3E3E2
CloseHandle.KERNEL32(?), ref: 03D3E400
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 03D3E425
CloseHandle.KERNEL32(?,?,?), ref: 03D3E42C
Sleep.KERNEL32(00000000,?,?,?), ref: 03D3E446
CloseHandle.KERNEL32(?), ref: 03D3E464

Strings

156.251.17.243, xrefs: 03D3E07B, 03D3E0C3, 03D3E121, 03D3E1E5, 03D3E253
17094, xrefs: 03D3E0D0
156.251.17.243, xrefs: 03D3E071
17093, xrefs: 03D3E08F, 03D3E0D7, 03D3E135, 03D3E1CE, 03D3E20C
156.251.17.243, xrefs: 03D3E117
17095, xrefs: 03D3E12E
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 03D3DFDA
156.251.17.243, xrefs: 03D3E0B9
17093, xrefs: 03D3E088
Console, xrefs: 03D3E2D5
IpDatespecial, xrefs: 03D3E305

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$156.251.17.243$156.251.17.243$156.251.17.243$156.251.17.243$17093$17093$17094$17095$Console$IpDatespecial
API String ID: 1511462596-327302196
Opcode ID: 29b454360fa4ed015d24cfb28f054b40b862a714ebbf77cfd221076266b50911
Instruction ID: ac3ec4c6246f756372952e19bfa8886c84c327720922fdfb6ad7425e0a30b105
Opcode Fuzzy Hash: 29b454360fa4ed015d24cfb28f054b40b862a714ebbf77cfd221076266b50911
Instruction Fuzzy Hash: 06D1E7B69483409FD320FF64DC46E6AB7A9FBC6B04F044A1DF56596384D7709A08CB63

Function 03D3BC70 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 351
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 03D3BC8F
GetDC.USER32(00000000), ref: 03D3BC9C
CreateCompatibleDC.GDI32(00000000), ref: 03D3BCA2
GetDC.USER32(00000000), ref: 03D3BCAD
GetDeviceCaps.GDI32(00000000,00000008), ref: 03D3BCBA
GetDeviceCaps.GDI32(00000000,00000076), ref: 03D3BCC2
ReleaseDC.USER32(00000000,00000000), ref: 03D3BCD3
GetSystemMetrics.USER32(0000004E), ref: 03D3BCF8
GetSystemMetrics.USER32(0000004F), ref: 03D3BD26
GetSystemMetrics.USER32(0000004C), ref: 03D3BD78
GetSystemMetrics.USER32(0000004D), ref: 03D3BD8D
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 03D3BDA6
SelectObject.GDI32(?,00000000), ref: 03D3BDB4
SetStretchBltMode.GDI32(?,00000003), ref: 03D3BDC0
GetSystemMetrics.USER32(0000004F), ref: 03D3BDCD
GetSystemMetrics.USER32(0000004E), ref: 03D3BDE0
StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 03D3BE07
_memset.LIBCMT ref: 03D3BE7A
GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 03D3BE97
_memset.LIBCMT ref: 03D3BEAF

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

DeleteObject.GDI32(?), ref: 03D3BF23
DeleteObject.GDI32(?), ref: 03D3BF2D
ReleaseDC.USER32(00000000,?), ref: 03D3BF39
DeleteObject.GDI32(?), ref: 03D3BFDF
DeleteObject.GDI32(?), ref: 03D3BFE9
ReleaseDC.USER32(00000000,?), ref: 03D3BFF5

Strings

(, xrefs: 03D3BE3E
6, xrefs: 03D3BE61
gfff, xrefs: 03D3BD10
gfff, xrefs: 03D3BD38

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
String ID: ($6$gfff$gfff
API String ID: 3293817703-713438465
Opcode ID: db58d1dbef851d44c2fffd19f8d37cd680f738d1d3199e43be33ca4f39408084
Instruction ID: 2fd71d44b9902882ed8bd9b6beb26001cb1465b27be4a62be0aaec4a4595e81e
Opcode Fuzzy Hash: db58d1dbef851d44c2fffd19f8d37cd680f738d1d3199e43be33ca4f39408084
Instruction Fuzzy Hash: A0D16CB6D01308AFDB14EFE9E885A9EBBB9FF49700F144529F505AB340D770A905CBA1

Function 6C356720 Relevance: 44.3, APIs: 22, Strings: 3, Instructions: 566
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 6C356806
CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 6C35686C
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6C35688D
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6C3568F6
CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,00000004,00000000), ref: 6C356921
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6C35698E
CryptDestroyHash.ADVAPI32(00000000), ref: 6C356999

Strings

g99l, xrefs: 6C356DC5
P~5l, xrefs: 6C356750, 6C356784, 6C356785
o89l, xrefs: 6C356E2D

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Crypt$Hash$DataParam$AcquireContextCreateDestroy
String ID: P~5l$g99l$o89l
API String ID: 2113037386-4058109380
Opcode ID: 76bfcff349b6b16e4a525c0e6c03b7717d00021bfa85d448c0d31b53ed59ba98
Instruction ID: 6d130e54158737667f60498bf5600dd04dc81b494b5c498aeca71478ee1e2d01
Opcode Fuzzy Hash: 76bfcff349b6b16e4a525c0e6c03b7717d00021bfa85d448c0d31b53ed59ba98
Instruction Fuzzy Hash: C32278B2E002189FDF14CFA4CD45BEEBBB9BF49304F144158E505A7740EB7699588FA1

Function 6C356EB0 Relevance: 39.0, APIs: 17, Strings: 5, Instructions: 536
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C356520: CryptStringToBinaryA.CRYPT32(n5l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C356570
Part of subcall function 6C356520: CryptStringToBinaryA.CRYPT32(n5l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C35660E

CryptAcquireContextW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000008), ref: 6C356FCE
CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,00000000), ref: 6C357024
CryptSetKeyParam.ADVAPI32(00000000,00000001,00000000,00000000), ref: 6C35703C
CryptSetKeyParam.ADVAPI32(00000000,00000004,00000001,00000000), ref: 6C357062
CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?), ref: 6C357123
CryptDestroyKey.ADVAPI32(00000000), ref: 6C35712E
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C357139
___std_exception_copy.LIBVCRUNTIME ref: 6C3573FF

Part of subcall function 6C36D2B3: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?), ref: 6C36D314

Part of subcall function 6C3526C0: _strlen.LIBCMT ref: 6C352718

Strings

ed__, xrefs: 6C356F24
499l, xrefs: 6C35753C
O99l, xrefs: 6C35758C
Salt, xrefs: 6C356F1D
o89l, xrefs: 6C3573E6

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Crypt$BinaryContextParamString$AcquireDecryptDestroyExceptionImportRaiseRelease___std_exception_copy_strlen
String ID: 499l$O99l$Salt$ed__$o89l
API String ID: 1577403515-3977143112
Opcode ID: fb8df7eee9a6894bfec2bc6ab564c56e50d90fa44603aea23e9dfbe94b6a95c4
Instruction ID: 57b468aed1df44217cd3b80108ff0e7ca2f9a6ffbbe7b562035a7755496db334
Opcode Fuzzy Hash: fb8df7eee9a6894bfec2bc6ab564c56e50d90fa44603aea23e9dfbe94b6a95c4
Instruction Fuzzy Hash: CB22E1B2D102189FEB14CFA4CC45BEEBBB5FF45314F148159E809A7780EB759A488FA1

Function 03D380F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03D38132
lstrcmpiW.KERNEL32(?,A:\), ref: 03D38166
lstrcmpiW.KERNEL32(?,B:\), ref: 03D38176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 03D381A6
lstrlenW.KERNEL32(?), ref: 03D381B7
__wcsnicmp.LIBCMT ref: 03D381CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 03D38204
lstrcpyW.KERNEL32(?,?), ref: 03D38228
lstrcatW.KERNEL32(?,00000000), ref: 03D38233

Strings

B:\, xrefs: 03D38170
A:\, xrefs: 03D38160

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: 609ed3e478698530effc046395194ad098bbde1187988142cd435c734815293a
Instruction ID: 052327fe27adabcab36804552971021be012fdcb1aba514aa8bc293cd7d5e6ad
Opcode Fuzzy Hash: 609ed3e478698530effc046395194ad098bbde1187988142cd435c734815293a
Instruction Fuzzy Hash: A6416476A012189BDB20DF64DD84BEEB3BCEF45710F044599E90AA7244E770EE0DDBA4

Function 6C362576 Relevance: 18.7, APIs: 6, Strings: 4, Instructions: 1207COMMON

Download Yara Rule

Strings

, xrefs: 6C363F10
', xrefs: 6C364DC9
6, xrefs: 6C36274B
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID: $'$jIk$6
API String ID: 0-3404073836
Opcode ID: 35aae919c54773ca8a754c1dfb37a2bf8940e93550c72f94958906ed323100fc
Instruction ID: 58ce7fbaded738cf8043a32ecc1da916ccae4cb1c1989ee72a35a3544faf19dd
Opcode Fuzzy Hash: 35aae919c54773ca8a754c1dfb37a2bf8940e93550c72f94958906ed323100fc
Instruction Fuzzy Hash: 53C2CD71D102688BEB24CF25CC947EDBBB2BF46308F158298D4496BB85DB715AC8CF91

Function 6C362638 Relevance: 18.6, APIs: 6, Strings: 4, Instructions: 1140COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C3629DC

Strings

,, xrefs: 6C363D12
6, xrefs: 6C36274B
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$jIk$6
API String ID: 4218353326-1611763776
Opcode ID: 33072046d92c3b23b961a467dfb6951f32e92b34a6489304aa2a337558573442
Instruction ID: cf65811e2701b93a8193182234b91a0d2ea747188dd63d8cdea6606e04813c2e
Opcode Fuzzy Hash: 33072046d92c3b23b961a467dfb6951f32e92b34a6489304aa2a337558573442
Instruction Fuzzy Hash: 8CB2CD71D102688BEB24CF25CC947EDBBB2BF46308F158298D449ABB85DB715AC4CF91

Function 03D36790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03D35320: InterlockedDecrement.KERNEL32(00000008), ref: 03D3536F
Part of subcall function 03D35320: SysFreeString.OLEAUT32(00000000), ref: 03D35384
Part of subcall function 03D35320: SysAllocString.OLEAUT32(03D55148), ref: 03D353D5

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03D55148,03D369A4,03D55148,00000000,75BF73E0), ref: 03D367F4
GetLastError.KERNEL32 ref: 03D367FE
GetProcessHeap.KERNEL32(00000008,?), ref: 03D36816
HeapAlloc.KERNEL32(00000000), ref: 03D3681D
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 03D3683F
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03D36871
GetLastError.KERNEL32 ref: 03D3687B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 03D368E6
HeapFree.KERNEL32(00000000), ref: 03D368ED

Strings

NONE_MAPPED, xrefs: 03D36888

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
String ID: NONE_MAPPED
API String ID: 1317816589-2950899194
Opcode ID: a6a78f382e56cf45c11d8e2e172698c35d9bcd0540558a4ea3f3f0f08a82a859
Instruction ID: 5052795edc5fdec48dedc2b291a3de33e2fd9c03d033ee67c739990a101e36d1
Opcode Fuzzy Hash: a6a78f382e56cf45c11d8e2e172698c35d9bcd0540558a4ea3f3f0f08a82a859
Instruction Fuzzy Hash: 9C4188B6A00318AFDB20DB64DC84FEE777DEB8A700F404598F609A7140DA709E898F75

Function 03D36C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 03D36C8B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03D36CAA
_memset.LIBCMT ref: 03D36CE1
GlobalMemoryStatusEx.KERNEL32(?), ref: 03D36CF4
swprintf.LIBCMT ref: 03D36D39
swprintf.LIBCMT ref: 03D36D4C

Strings

@, xrefs: 03D36CED
:, xrefs: 03D36C80
HDD:%d, xrefs: 03D36D2E
%sFree%d Gb , xrefs: 03D36D41

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3202570353-3501811827
Opcode ID: 08ac6349cc274600a00228909088b86328b61528ed5d8137e7e5c5f6b4514030
Instruction ID: 8c52267c98aaa2ab12ae92cdc0dadc89e22a4889cc095449c21639c9e6d9583a
Opcode Fuzzy Hash: 08ac6349cc274600a00228909088b86328b61528ed5d8137e7e5c5f6b4514030
Instruction Fuzzy Hash: 80315EB6E0030C9BDB14DFE5DC45BEEB7B9FB49700F50421DE91AA7241D6746905CB50

Function 6C362870 Relevance: 16.8, APIs: 6, Strings: 3, Instructions: 1091COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C3629DC

Strings

,, xrefs: 6C363D12
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$jIk
API String ID: 4218353326-2946808363
Opcode ID: 6981441c7ec7932385ddb91d0c54d98ac3e1c19543942318fc918e7912f9155c
Instruction ID: a35db618e2d3161dcdcc09ead580cee24921633405965f7c0c36ca23cfd04437
Opcode Fuzzy Hash: 6981441c7ec7932385ddb91d0c54d98ac3e1c19543942318fc918e7912f9155c
Instruction Fuzzy Hash: 89A2CD71D102688BEB24CF25CC947EDBBB2BF46308F158298D449ABA85DB715EC4CF91

Function 6C362771 Relevance: 16.8, APIs: 6, Strings: 3, Instructions: 1091COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C3629DC

Strings

,, xrefs: 6C363D12
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$jIk
API String ID: 4218353326-2946808363
Opcode ID: a90a2d9121b300a10a9141698bc042c2470f23b030e06093a7334c34084d359a
Instruction ID: 74604d01f62ca4f7051d090477628c19ba8af30f87a92b5565bd61eedf4af9d6
Opcode Fuzzy Hash: a90a2d9121b300a10a9141698bc042c2470f23b030e06093a7334c34084d359a
Instruction Fuzzy Hash: 49B2CD71D102688BEB24CF25CC947EDBBB2BF46308F158298D449ABA85DB715EC4CF91

Function 03D36EE0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI(03D5579C,?,E832A845,74DEDF80,00000000,75BF73E0), ref: 03D36F4A
swprintf.LIBCMT ref: 03D3711E
std::_Xinvalid_argument.LIBCPMT ref: 03D371C7

Strings

%s%s %d*%d , xrefs: 03D37337
%s%s %d %d , xrefs: 03D37113
vector<T> too long, xrefs: 03D371C2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateFactoryXinvalid_argumentstd::_swprintf
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 3803070356-257307503
Opcode ID: dec22b9dc41a8daeca446b79dfb413a3ff57f1b2c40d82b897b2c30f1fdef33e
Instruction ID: 175844b5dfdfeb03a0bd66f9f0f9ed25f08d8536acb2e0e73d16362b4837f86e
Opcode Fuzzy Hash: dec22b9dc41a8daeca446b79dfb413a3ff57f1b2c40d82b897b2c30f1fdef33e
Instruction Fuzzy Hash: 78E174B1E006259FDF24CE64CC80BEEB3B5FB46700F1442E9E959A7284D770AE858F91

Function 6C362A4B Relevance: 15.0, APIs: 5, Strings: 3, Instructions: 998sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C361070: SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6C361124
Part of subcall function 6C361070: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C36115F

Sleep.KERNEL32(000000C8), ref: 6C362B0D
_strlen.LIBCMT ref: 6C362B53

Strings

,, xrefs: 6C363D12
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AttributesFileIos_base_dtorSleep_strlenstd::ios_base::_
String ID: $,$jIk
API String ID: 3921760320-2946808363
Opcode ID: 1835a1463d4ddf6e1588ca2ed03227142b4c02ade42b39e40f6782f84ec6f47d
Instruction ID: 07b71f2e032246ac4524bedcccdeec185f1797e660131d96354f8036f1129272
Opcode Fuzzy Hash: 1835a1463d4ddf6e1588ca2ed03227142b4c02ade42b39e40f6782f84ec6f47d
Instruction Fuzzy Hash: 99A2CB71D102688BEB24CF25CC947EDBBB2BF46308F158298D449ABA85DB715EC4CF91

Function 6C362BC6 Relevance: 13.2, APIs: 3, Strings: 4, Instructions: 933COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C362E9B

Strings

,, xrefs: 6C363D12
SPV, xrefs: 6C362C18
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$SPV$jIk
API String ID: 4218353326-3917736278
Opcode ID: 8f1dc0e72407a631ff1e6e506e6270808504b0ce4ef36ab2fb82f1c6354f2878
Instruction ID: d1774e9dcfb863c6e3fa5db3e078af366212b088c780d6f73ef9342a48456e30
Opcode Fuzzy Hash: 8f1dc0e72407a631ff1e6e506e6270808504b0ce4ef36ab2fb82f1c6354f2878
Instruction Fuzzy Hash: 5B92CC71D102688BEB24CF65CC943EDBBB2BF46308F158298D449ABA85DB715EC4CF91

Function 03D37410 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03D37523), ref: 03D3743D
GetProcAddress.KERNEL32(00000000), ref: 03D37444
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03D37523), ref: 03D37452
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03D37523), ref: 03D3745A

Strings

kernel32.dll, xrefs: 03D3741D
GetNativeSystemInfo, xrefs: 03D37418

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 036b42e125acd63040f686d1827d20fe35cf2bc763a657af9e6bb3857dfe0f34
Instruction ID: 78876777462c15e8fdd1d7127f56a16bd4e16a197824d971eedf6e1792cdcf33
Opcode Fuzzy Hash: 036b42e125acd63040f686d1827d20fe35cf2bc763a657af9e6bb3857dfe0f34
Instruction Fuzzy Hash: 19014BB1D003099FCF50EFB89944AAEBBF5EB09700F5449A9E959E3240EB359A04CF61

Function 03D36050 Relevance: 9.1, APIs: 6, Instructions: 86processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3607C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03D36088
Process32FirstW.KERNEL32(00000000,00000000), ref: 03D360B9
Process32NextW.KERNEL32(00000000,0000022C), ref: 03D3610F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03D36116

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: b161ee86d2e692e534607d16236cf1ffa5c646cc5230c28a6cf6a951fb48013d
Instruction ID: 487147458744d9f1b4a4731b544786249e767b24abfd4dcd29a43bfd5f84196f
Opcode Fuzzy Hash: b161ee86d2e692e534607d16236cf1ffa5c646cc5230c28a6cf6a951fb48013d
Instruction Fuzzy Hash: FA21C932A01219ABDB20EF74DC96BEEB379EF1A710F044695DC0A97280EB31DF18C651

Function 03D33360 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 03D33413
_memmove.LIBCMT ref: 03D334A5

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: c624ab2e228b54d0b00b8994f762377aefdcf4ab7489f3d45f1a9591cce54d4a
Instruction ID: 3e7da1fca991f4bfb8ef9664deff2e88739d54c2a8d6cec5122af90cc8d8b52f
Opcode Fuzzy Hash: c624ab2e228b54d0b00b8994f762377aefdcf4ab7489f3d45f1a9591cce54d4a
Instruction Fuzzy Hash: 8F51B27AB002069FD711DF79CAC0A6AB7A9FF46214718866CE9198B704DB31FC55CB90

Function 100054C0 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 263
registrymemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
_memset.LIBCMT ref: 10005548
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
RegCloseKey.ADVAPI32(?), ref: 100055B1
VirtualFree.KERNEL32(03BB0000,00000000,00008000), ref: 10005605
_memset.LIBCMT ref: 10005669
_memset.LIBCMT ref: 1000568D
_memset.LIBCMT ref: 1000569F
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
RegCloseKey.KERNEL32(?), ref: 100057CE
Sleep.KERNEL32(00000BB8), ref: 100057FE

Strings

l, xrefs: 10005644
Console\0, xrefs: 100054F3, 1000578F
i, xrefs: 10005658
{vU_, xrefs: 10005626
0d3b34577c0a66584d5bdc849e214016, xrefs: 100055BA
9e9e85e05ee16fc372a0c7df6549fbd4, xrefs: 10005528, 1000555D, 100057A6, 100057BE
!jWW, xrefs: 10005630
., xrefs: 1000563A
e, xrefs: 100054DC
_, xrefs: 1000564E

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
API String ID: 354323817-737951744
Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

Function 03D39E50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 314
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03D39E7B
GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03D39EFC
GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03D39F24
GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03D39F7F
_malloc.LIBCMT ref: 03D39FC0

Part of subcall function 03D3F673: __FF_MSGBANNER.LIBCMT ref: 03D3F68C
Part of subcall function 03D3F673: __NMSG_WRITE.LIBCMT ref: 03D3F693
Part of subcall function 03D3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76), ref: 03D3F6B8

_free.LIBCMT ref: 03D3A000
GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 03D3A028
SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 03D3A0B7
GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 03D3A112
_free.LIBCMT ref: 03D3A134
_memcpy_s.LIBCMT ref: 03D3A183
GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 03D3A1D0
GdipCreateBitmapFromScan0.GDIPLUS(?,?,03D55A78,00022009,?,00000000,?,00000000), ref: 03D3A22C
GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 03D3A24C
GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 03D3A267
GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 03D3A274
GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 03D3A27B
_free.LIBCMT ref: 03D3A296

Strings

&, xrefs: 03D39EE1

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
String ID: &
API String ID: 640422297-3042966939
Opcode ID: 432c31a4ae4f6237fea00e540cdf0583a7a159e0e693437c460fc04acfe0c2e7
Instruction ID: f11d881bd2a596cba5aeb1a4d0c63c1cda2b85c8433591f771bdcceddc4e295c
Opcode Fuzzy Hash: 432c31a4ae4f6237fea00e540cdf0583a7a159e0e693437c460fc04acfe0c2e7
Instruction Fuzzy Hash: 75D171F5A002199FDB20DF55CC90B9AB3B8FF49704F0485ADE609A7201D774AE85CFA5

Function 10002D80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 10002D9B
InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
timeGetTime.WINMM ref: 10002DAD
socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
gethostbyname.WS2_32(00000000), ref: 10002E4B
htons.WS2_32(?), ref: 10002E6D
connect.WS2_32(?,?,00000010), ref: 10002E8B

Strings

0u, xrefs: 10002EFC

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

Function 03D32DA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 03D32DBB
InterlockedExchange.KERNEL32(?,00000000), ref: 03D32DC7
timeGetTime.WINMM ref: 03D32DCD
socket.WS2_32(00000002,00000001,00000006), ref: 03D32DFA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03D32E26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03D32E32
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03D32E51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03D32E5D
gethostbyname.WS2_32(00000000), ref: 03D32E6B
htons.WS2_32(?), ref: 03D32E8D
connect.WS2_32(?,?,00000010), ref: 03D32EAB

Strings

0u, xrefs: 03D32F1C

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 97628d6fa66b5c414380ff4f7f44716be5acf3e914921f98a36b25c3acd55278
Instruction ID: 962b6449e6a1878a14e664442c4f17d05bffb7478313cc7f14f9bebde03b1020
Opcode Fuzzy Hash: 97628d6fa66b5c414380ff4f7f44716be5acf3e914921f98a36b25c3acd55278
Instruction Fuzzy Hash: 33613E72A40304AFE720EFA4DC45FABB7B8FF49B10F10451DF655AB2D0D6B0A9098B64

Function 03D36A70 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(75BF73E0), ref: 03D36A94
wsprintfW.USER32 ref: 03D36AA7

Part of subcall function 03D36910: GetCurrentProcessId.KERNEL32(E832A845,00000000,00000000,75BF73E0,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D36938
Part of subcall function 03D36910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D36947
Part of subcall function 03D36910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D36960
Part of subcall function 03D36910: CloseHandle.KERNEL32(00000000,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D3696B

_memset.LIBCMT ref: 03D36AC2
GetVersionExW.KERNEL32(?), ref: 03D36ADB
GetCurrentProcess.KERNEL32(00000008,?), ref: 03D36B12
OpenProcessToken.ADVAPI32(00000000), ref: 03D36B19
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03D36B3F
GetLastError.KERNEL32 ref: 03D36B49
LocalAlloc.KERNEL32(00000040,?), ref: 03D36B5D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03D36B85
GetSidSubAuthorityCount.ADVAPI32 ref: 03D36B98
GetSidSubAuthority.ADVAPI32(00000000), ref: 03D36BA6
LocalFree.KERNEL32(?), ref: 03D36BB5
CloseHandle.KERNEL32(?), ref: 03D36BC2
wsprintfW.USER32 ref: 03D36C1B

Strings

-N/, xrefs: 03D36BEF
None/%s, xrefs: 03D36BE7
NO/, xrefs: 03D36BDF

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 3036438616-3095023699
Opcode ID: 67952fb3a3fe2ffef4c30c009da962b41c2f9a440821adc5a558252db34d89be
Instruction ID: 0a01159cc03f7e4dde8415b01aa771ffb520527aa6663808addd1e6b03216bef
Opcode Fuzzy Hash: 67952fb3a3fe2ffef4c30c009da962b41c2f9a440821adc5a558252db34d89be
Instruction Fuzzy Hash: EF41B572900314BFDB21DB64DCC8FEA7B78EB0A711F084495F54696241DA34DD98CF61

Function 03D3AD10 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 346
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 03D3AD53
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 03D3AD73

Strings

Console\0, xrefs: 03D3B0DC
%s_bin, xrefs: 03D3AE33
Console, xrefs: 03D3AD39
IpDatespecial, xrefs: 03D3AD6D

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: %s_bin$Console$Console\0$IpDatespecial
API String ID: 4153817207-1338088003
Opcode ID: d0a45cc09220abd19cfe82084274832ed97c378d8431e4b7e96649537c52a581
Instruction ID: 15df80de29ae146f16060d2cdc11e681cbf0c1ca1ee14da2d12ece1bd9039dbe
Opcode Fuzzy Hash: d0a45cc09220abd19cfe82084274832ed97c378d8431e4b7e96649537c52a581
Instruction Fuzzy Hash: 0DC1E4B6B003009BE710EF24DC45F6BB3A9EF95B14F080568F985AB281E771ED15C7A2

Function 03D36150 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 222
stringcomregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 03D3618B
lstrcatW.KERNEL32(03D61F10,03D5510C,?,E832A845,00000AD4,00000000,75BF73E0), ref: 03D361CD
lstrcatW.KERNEL32(03D61F10,03D5535C,?,E832A845,00000AD4,00000000,75BF73E0), ref: 03D361D9
CoCreateInstance.OLE32(03D52480,00000000,00000017,03D5578C,?,?,E832A845,00000AD4,00000000,75BF73E0), ref: 03D36220
_memset.LIBCMT ref: 03D362CE
wsprintfW.USER32 ref: 03D36336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 03D3635F
_memset.LIBCMT ref: 03D36376

Part of subcall function 03D36050: _memset.LIBCMT ref: 03D3607C
Part of subcall function 03D36050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03D36088

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 03D36186, 03D361C8, 03D361D4, 03D363C9, 03D363D5, 03D36422, 03D36436, 03D3645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03D36330

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1221949200-1583895642
Opcode ID: 39c180f8dca81d5da33f3775476a77590ca675a51a96ce35f08174df6d84da01
Instruction ID: 4611dee9c7331e81ba18ce59d21ce2f4875279651ff4aa42cdc51df2fcd1fe34
Opcode Fuzzy Hash: 39c180f8dca81d5da33f3775476a77590ca675a51a96ce35f08174df6d84da01
Instruction Fuzzy Hash: 238165B2A00228AFDB20DB64CC81FAEB77CEB49704F0445C9F659A7255D7B4AE44CF64

Function 03D35F40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88
sleepstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,2024.12. 8), ref: 03D35F66
GetLastError.KERNEL32 ref: 03D35F6E
Sleep.KERNEL32(000003E8), ref: 03D35F85
CreateMutexW.KERNEL32(00000000,00000000,2024.12. 8), ref: 03D35F90
GetLastError.KERNEL32 ref: 03D35F92
_memset.LIBCMT ref: 03D35FB9
lstrlenW.KERNEL32(?), ref: 03D35FC6
lstrcmpW.KERNEL32(?,03D55328), ref: 03D35FED
Sleep.KERNEL32(000003E8), ref: 03D35FF8
GetModuleHandleW.KERNEL32(00000000), ref: 03D36005
GetConsoleWindow.KERNEL32 ref: 03D3600F

Strings

open, xrefs: 03D35FCD
2024.12. 8, xrefs: 03D35F5D, 03D35F87
key, xrefs: 03D35FD2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
String ID: 2024.12. 8$key$open
API String ID: 2922109467-247484233
Opcode ID: b8ccb35ad68b57b26d8126222e929c446f2f28ac5055a7df2cede14fbf92e5ec
Instruction ID: 62cf7effa3bf05d3f0b70ebac09f67020857001a42390741e1fb064de7740f7c
Opcode Fuzzy Hash: b8ccb35ad68b57b26d8126222e929c446f2f28ac5055a7df2cede14fbf92e5ec
Instruction Fuzzy Hash: E621D6779443059BE614FB74EC86B5EB398EB86B00F140819F605972C0DBB0EA09CBA3

Function 6C368A70 Relevance: 21.5, APIs: 9, Strings: 3, Instructions: 539
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNEL32(?), ref: 6C368CD2
SHGetFolderPathA.SHELL32 ref: 6C368CEF
_strlen.LIBCMT ref: 6C368D13
GetFileAttributesA.KERNEL32(?), ref: 6C369092
CoInitialize.OLE32(00000000), ref: 6C3690A3
CoCreateInstance.OLE32(6C38F3C0,00000000,00000001,6C38EC50,?), ref: 6C3690BB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C3690EA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C369139
CoUninitialize.COMBASE ref: 6C36915D

Strings

\, xrefs: 6C368AED
n79l, xrefs: 6C368F33
e\, xrefs: 6C368AC2

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize_strlen
String ID: \$e\$n79l
API String ID: 1074249417-697121670
Opcode ID: adc07487fdc361d05d897be7825df8e842b675633a0e793602c9b7a966e3a125
Instruction ID: ba49eed500f2c709fe1ab03204b5fdd3d2a13c33c4c14adb52ce106889ddb9f9
Opcode Fuzzy Hash: adc07487fdc361d05d897be7825df8e842b675633a0e793602c9b7a966e3a125
Instruction Fuzzy Hash: 8F320371D042188FDB24CF24CC887EEBBB5FF46304F144699E459ABA95DB319A84CF91

Function 03D362B6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 125
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 03D362CE
wsprintfW.USER32 ref: 03D36336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 03D3635F
_memset.LIBCMT ref: 03D36376
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 03D363B2
lstrcatW.KERNEL32(03D61F10,?), ref: 03D363CE
lstrcatW.KERNEL32(03D61F10,03D5535C), ref: 03D363DA
RegCloseKey.ADVAPI32(00000000), ref: 03D363E3
lstrlenW.KERNEL32(03D61F10,?,E832A845,00000AD4,00000000,75BF73E0), ref: 03D36427
lstrcatW.KERNEL32(03D61F10,03D553D4,?,E832A845,00000AD4,00000000,75BF73E0), ref: 03D3643B

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 03D363C9, 03D363D5, 03D36422, 03D36436, 03D3645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03D36330

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1671694837-1583895642
Opcode ID: 0776b6ccd16cf99b1c05188b5dc27fc185a95152fcd22cd50e914cc4c666b1ae
Instruction ID: 75335733960c2279367ba244aae9944f3a07971fdc07f82b45f0c1006442b270
Opcode Fuzzy Hash: 0776b6ccd16cf99b1c05188b5dc27fc185a95152fcd22cd50e914cc4c666b1ae
Instruction Fuzzy Hash: DC4185F2A002286FDB24DB54CC91FEEB7B8AB49705F0441C8F359A7181D6749E84CF64

Function 03D37490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,03D35611,0000035E,000002FA), ref: 03D3749C
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 03D374B2
swprintf.LIBCMT ref: 03D374EF

Part of subcall function 03D37410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03D37523), ref: 03D3743D
Part of subcall function 03D37410: GetProcAddress.KERNEL32(00000000), ref: 03D37444
Part of subcall function 03D37410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03D37523), ref: 03D37452

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03D37547
RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03D37563
RegCloseKey.KERNEL32(000002FA), ref: 03D37586
FreeLibrary.KERNEL32(00000000,?,?,?,03D35611,0000035E,000002FA), ref: 03D37598

Strings

ProductName, xrefs: 03D3755D
%d.%d.%d, xrefs: 03D374E7
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03D3753D
RtlGetNtVersionNumbers, xrefs: 03D374AC
ntdll.dll, xrefs: 03D37497

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2158625971-3190923360
Opcode ID: 3522116dd11aed44463220173b59995d2a394810473f930eed108e69cccc15a2
Instruction ID: 1fa6e08ebb4f93df1ac170404778ddafa5c25a62b80c5409fc4f9fbc8d4a0a3a
Opcode Fuzzy Hash: 3522116dd11aed44463220173b59995d2a394810473f930eed108e69cccc15a2
Instruction Fuzzy Hash: 2D31B6B6A413087FDB18EBA4DC45FAF7B7DDF49740F140519BA06A6245EA70DA04C7A0

Function 03D3C060 Relevance: 19.7, APIs: 13, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,E832A845,?,00000000,?), ref: 03D3C09E
GlobalLock.KERNEL32(00000000), ref: 03D3C0AA
GlobalUnlock.KERNEL32(00000000), ref: 03D3C0BF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 03D3C0D5
EnterCriticalSection.KERNEL32(03D5FB64), ref: 03D3C113
LeaveCriticalSection.KERNEL32(03D5FB64), ref: 03D3C124

Part of subcall function 03D39DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03D39E04
Part of subcall function 03D39DE0: GdipDisposeImage.GDIPLUS(?), ref: 03D39E18

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 03D3C14C

Part of subcall function 03D3A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 03D3A48D
Part of subcall function 03D3A460: _free.LIBCMT ref: 03D3A503

GetHGlobalFromStream.OLE32(?,?), ref: 03D3C16D
GlobalLock.KERNEL32(?), ref: 03D3C177
GlobalFree.KERNEL32(00000000), ref: 03D3C18F

Part of subcall function 03D39BA0: DeleteObject.GDI32(?), ref: 03D39BD2
Part of subcall function 03D39BA0: EnterCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39BE3
Part of subcall function 03D39BA0: EnterCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39BF8
Part of subcall function 03D39BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03D39B7B), ref: 03D39C04
Part of subcall function 03D39BA0: LeaveCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39C15
Part of subcall function 03D39BA0: LeaveCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39C1C

GlobalSize.KERNEL32(00000000), ref: 03D3C1A5
GlobalUnlock.KERNEL32(?), ref: 03D3C221
GlobalFree.KERNEL32(00000000), ref: 03D3C249

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
String ID:
API String ID: 1483550337-0
Opcode ID: 8683813889fbcbb0e59bd0d4673bca4909c4c9576d9e47f04408870b436d362c
Instruction ID: a010fa66f534da425b38d640e8f7067f86b1bbf7125fd83ba4f254c1b8e80dc3
Opcode Fuzzy Hash: 8683813889fbcbb0e59bd0d4673bca4909c4c9576d9e47f04408870b436d362c
Instruction Fuzzy Hash: 0B612BB6D00318EFCB10EFA9D88499EBBB9FF49710F144529E915AB345DB34A905CF60

Function 6C369B10 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 353threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3693E0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C36941E
Part of subcall function 6C3693E0: _strlen.LIBCMT ref: 6C36943A

_strlen.LIBCMT ref: 6C369B62
_strlen.LIBCMT ref: 6C369CD0
CreateThread.KERNEL32(00000000,00000000,6C368770,6C39C338,00000000,00000000), ref: 6C369E21
CreateThread.KERNEL32(00000000,00000000,6C3680E0,00000000,00000000,00000000), ref: 6C369E36
WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C369E48
CloseHandle.KERNEL32(00000000), ref: 6C369E56
CreateThread.KERNEL32(00000000,00000000,6C362090,00000000,00000000,00000000), ref: 6C369F65

Strings

IiViS, xrefs: 6C369B5E, 6C369B61
Update.d, xrefs: 6C369EF5, 6C369EFE
dll, xrefs: 6C369EB3
Update.d, xrefs: 6C369F87

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CreateThread_strlen$CloseFileHandleModuleNameObjectSingleWait
String ID: IiViS$Update.d$Update.d$dll
API String ID: 632893256-1826472805
Opcode ID: 6b79ae4172367afbcd4805302301abe3719f85dd4055a8d4b112d6a9c758ad1c
Instruction ID: 2793b1c222d64994671b2ced781efb886506c63746bf5646a11df9a0b94e2683
Opcode Fuzzy Hash: 6b79ae4172367afbcd4805302301abe3719f85dd4055a8d4b112d6a9c758ad1c
Instruction Fuzzy Hash: ADD156B2D003089BDB14DFA4DC44BEEB7B5EF45304F144528E456ABB84E775AA48CF92

Function 03D36490 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D364C2
RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 03D364E2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03D36524
_memset.LIBCMT ref: 03D36560
_memset.LIBCMT ref: 03D3658E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 03D365BA
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 03D365C3
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 03D365D5
RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 03D36625
lstrlenW.KERNEL32(?), ref: 03D36635

Strings

Software\Tencent\Plugin\VAS, xrefs: 03D364D8

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: e7cb220bc14ea75cca068ece08bb5d84bde8b1b3d0ecf4fc9263cd3571f03a7d
Instruction ID: 7f51c5b09153a7663a711a6c6c1532e7a95affa9e8e6583bb529038ae1438182
Opcode Fuzzy Hash: e7cb220bc14ea75cca068ece08bb5d84bde8b1b3d0ecf4fc9263cd3571f03a7d
Instruction Fuzzy Hash: D04194F6A40318ABDB24DB54CD85FEAB37CDB49700F0045D9E709B7181EA70AA898B64

Function 03D3A460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 03D3A48D
_malloc.LIBCMT ref: 03D3A4D1
_free.LIBCMT ref: 03D3A503
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 03D3A522
GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 03D3A594
GdipDisposeImage.GDIPLUS(00000000), ref: 03D3A59F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 03D3A5C5
GdipDisposeImage.GDIPLUS(00000000), ref: 03D3A5DD

Strings

&, xrefs: 03D3A579

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
String ID: &
API String ID: 2794124522-3042966939
Opcode ID: 3e5f68dfb33f2c37f9a1dff3e986b1ac86cf8908dab7f927d9ab39602289a3f7
Instruction ID: 30516305f4ca336416cdf16923346cc15180e621baf520bb82cc9a0450d9676f
Opcode Fuzzy Hash: 3e5f68dfb33f2c37f9a1dff3e986b1ac86cf8908dab7f927d9ab39602289a3f7
Instruction Fuzzy Hash: 495151B6E002199FDB04DFA4C844EEEB7B8EF49700F048159E945BB250D734ED45CBA1

Function 100052B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

SOFTWARE, xrefs: 10005378
IpDates_info, xrefs: 1000538C, 100053AA

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2

Function 100052D9 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

SOFTWARE, xrefs: 10005378
IpDates_info, xrefs: 1000538C, 100053AA

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761

Function 6C368000 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C369F53,Update.d), ref: 6C368017
FindResourceW.KERNEL32(00000000,004F0043), ref: 6C368066
LoadResource.KERNEL32(00000000,00000000), ref: 6C368074
SizeofResource.KERNEL32(00000000,00000000), ref: 6C36807E
LockResource.KERNEL32(00000000), ref: 6C368087

Part of subcall function 6C366B10: _strlen.LIBCMT ref: 6C366B9F

Strings

C, xrefs: 6C368036
I, xrefs: 6C368026
T, xrefs: 6C368055
N, xrefs: 6C36802E

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof_strlen
String ID: C$I$N$T
API String ID: 415223560-3924500842
Opcode ID: 84c950d56874df013f2e3624253d0145f7b35cb67a481984f94f7451afb2e969
Instruction ID: db7784b9a8ad9b36b6371c86e1e2f0d2236d4df2c534830162f4e3c241750c7d
Opcode Fuzzy Hash: 84c950d56874df013f2e3624253d0145f7b35cb67a481984f94f7451afb2e969
Instruction Fuzzy Hash: A711C6B0A09340ABD7009F358D49A7B77ECEF8B208F001919F88996641FB75DA44CBA7

Function 6C389BE7 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C389FEC: CreateFileW.KERNEL32(FFFFFFFF,00000000,?,6C389C90,?,?,00000000,?,6C389C90,FFFFFFFF,0000000C), ref: 6C38A009

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C389CFB
__dosmaperr.LIBCMT ref: 6C389D02
GetFileType.KERNEL32(00000000), ref: 6C389D0E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C389D18
__dosmaperr.LIBCMT ref: 6C389D21
CloseHandle.KERNEL32(00000000), ref: 6C389D41
CloseHandle.KERNEL32(6C3807FB), ref: 6C389E8E
GetLastError.KERNEL32 ref: 6C389EC0
__dosmaperr.LIBCMT ref: 6C389EC7

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: fad6174fcebd22a99dcc33826f6494b4fcb670a99d85c14ae7148fc709fab9f3
Instruction ID: 63528a133f869af045a70653434b75c5d5265556d88b425ccdbf1232ed1481fe
Opcode Fuzzy Hash: fad6174fcebd22a99dcc33826f6494b4fcb670a99d85c14ae7148fc709fab9f3
Instruction Fuzzy Hash: 36A12632A252549FCF199F68DC51B9D3BB4AB07318F14025AF8129F7D0D7369806CF56

Function 6C362CEC Relevance: 13.1, APIs: 3, Strings: 4, Instructions: 894COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C362E9B

Strings

,, xrefs: 6C363D12
, xrefs: 6C363E96
., xrefs: 6C362CEF
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$.$jIk
API String ID: 4218353326-3923260969
Opcode ID: b06e0fedbac8b6cfb950d6324891bf67d740249ecc89647c2411f4d9caf607a6
Instruction ID: 68ddd9f3ff5b22b5159c3cd3fef6c09fa8529f30bce2420c4f1b1dc5f174014a
Opcode Fuzzy Hash: b06e0fedbac8b6cfb950d6324891bf67d740249ecc89647c2411f4d9caf607a6
Instruction Fuzzy Hash: E582CC71D102688BEB24CF25CC947EDBBB2BF86304F158298D449ABA85DB715EC4CF91

Function 03D3CA70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,03D512F8,E832A845,00000001,00000000,00000000), ref: 03D3CAB1
RegQueryInfoKeyW.ADVAPI32(03D512F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 03D3CAE0
_memset.LIBCMT ref: 03D3CB44
_memset.LIBCMT ref: 03D3CB53
RegEnumValueW.KERNEL32(03D512F8,?,00000000,?,00000000,?,00000000,?), ref: 03D3CB72

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

Part of subcall function 03D3F707: std::exception::exception.LIBCMT ref: 03D3F756
Part of subcall function 03D3F707: std::exception::exception.LIBCMT ref: 03D3F770
Part of subcall function 03D3F707: __CxxThrowException@8.LIBCMT ref: 03D3F781

RegCloseKey.KERNEL32(03D512F8,?,?,?,?,?,?,?,?,?,?,?,00000000,03D512F8,000000FF), ref: 03D3CC83

Strings

Console\0, xrefs: 03D3CAA4

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
String ID: Console\0
API String ID: 1348767993-1253790388
Opcode ID: c1c5f714e8d060f1bb7d024d17f7a3b285709df7ad3dd6b4c2611041a2e11aad
Instruction ID: c2e899ea847441c9feb3dbaab87a827152703b3ea65141adf46fb95aa0b05447
Opcode Fuzzy Hash: c1c5f714e8d060f1bb7d024d17f7a3b285709df7ad3dd6b4c2611041a2e11aad
Instruction Fuzzy Hash: D7612EB6D00219AFDB04DFA8D880EAEB7B9FB49310F144569F915EB341D774AD01CBA0

Function 03D3BB00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

_memset.LIBCMT ref: 03D3BB21
GetLastInputInfo.USER32(?), ref: 03D3BB37
GetTickCount.KERNEL32 ref: 03D3BB3D
wsprintfW.USER32 ref: 03D3BB66
GetForegroundWindow.USER32 ref: 03D3BB6F
GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 03D3BB83

Strings

%d min, xrefs: 03D3BB60

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
String ID: %d min
API String ID: 3754759880-1947832151
Opcode ID: 932ae0da505f5863b370de54b55616590415d009a89f1d1a9e2ec45b1faddcec
Instruction ID: 3958f4e106cc7c39dcb7b5783ef453fc374cf009cd576949e2677d346fc6fcdd
Opcode Fuzzy Hash: 932ae0da505f5863b370de54b55616590415d009a89f1d1a9e2ec45b1faddcec
Instruction Fuzzy Hash: CF4180B6D00218AFDB10EFA4D889E9FBBB9EF45700F088565F9099B345D6749E04CBE1

Function 03D36910 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(E832A845,00000000,00000000,75BF73E0,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D36938
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D36947
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D36960
CloseHandle.KERNEL32(00000000,?,00000000,03D510DB,000000FF,?,03D36AB3,00000000), ref: 03D3696B
SysStringLen.OLEAUT32(00000000), ref: 03D369BE
SysStringLen.OLEAUT32(00000000), ref: 03D369CC
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,03D510DB,000000FF), ref: 03D36A2E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,03D510DB,000000FF), ref: 03D36A34

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenString$CurrentToken
String ID:
API String ID: 429299433-0
Opcode ID: 693b762789c09df0b5f23766709ab91327e938424f7f35121a2a9f80372ab304
Instruction ID: f51e4c637681474929de70f771b105e71de176564b33009ff2fb3a480560104a
Opcode Fuzzy Hash: 693b762789c09df0b5f23766709ab91327e938424f7f35121a2a9f80372ab304
Instruction Fuzzy Hash: 214192B6900218ABCB10DFA8CC80AAEF7B8FB45710F14466AE955E7340D7759D04CBB1

Function 6C366B10 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 507COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C366B9F
_strlen.LIBCMT ref: 6C366D84

Strings

18852, xrefs: 6C367075, 6C3670B9
156.251.17.243, xrefs: 6C366D3F, 6C366FD2
IP=, xrefs: 6C366B5D
Port, xrefs: 6C366DB4

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: 156.251.17.243$18852$IP=$Port
API String ID: 4218353326-2804002942
Opcode ID: 2c8a7bcd36ca752026adf9cef8b680d8c8426569605211fa2f9ab2107ed174b5
Instruction ID: b7de2bc1a56c5e5a835f571c386d875a09949b0e4b1cd2855dd90304a96b9e66
Opcode Fuzzy Hash: 2c8a7bcd36ca752026adf9cef8b680d8c8426569605211fa2f9ab2107ed174b5
Instruction Fuzzy Hash: C112B1B2910B008BD724CF39C890796B7F6FB89318F544A2DD49A87F84EB75E5488F51

Function 6C3680F0 Relevance: 10.7, APIs: 7, Instructions: 180processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C3680FE
Process32FirstW.KERNEL32(00000000,0000022C), ref: 6C368139
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C36816C
_strlen.LIBCMT ref: 6C36818B
Process32NextW.KERNEL32(?,?), ref: 6C3682EF
CloseHandle.KERNEL32(00000000), ref: 6C3682FD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 6C368313

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CloseHandleProcess32$ByteCharCreateFirstMultiNextSnapshotToolhelp32Wide_strlen
String ID:
API String ID: 1292832681-0
Opcode ID: c9f07b1dc9fc49b85144c36ec7b8bfa5584c175bd19c066ce7900977cb049c2d
Instruction ID: e7d8742a69842939e1c968f174b99724579d97d3869c1d90a6bc9ba40ea18013
Opcode Fuzzy Hash: c9f07b1dc9fc49b85144c36ec7b8bfa5584c175bd19c066ce7900977cb049c2d
Instruction Fuzzy Hash: 09512B729053105BE3109F159C80BDFB7D9AF8E318F15062AF98997E85E771D9088FA3

Function 03D36D70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D36DD9
RegOpenKeyExW.KERNEL32(80000001,03D55164,00000000,00020019,75BF73E0), ref: 03D36DFC
RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 03D36E4A
lstrcmpW.KERNEL32(?,03D55148), ref: 03D36E60
lstrcpyW.KERNEL32(03D356EA,?), ref: 03D36E72

Strings

GROUP, xrefs: 03D36E42

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: OpenQueryValue_memsetlstrcmplstrcpy
String ID: GROUP
API String ID: 2102619503-2593425013
Opcode ID: 1bddfc8cb42ff44962715253bec41d5a7d6c02d9fb24be2ddb2ebf2aa9530a49
Instruction ID: bd0b943d8f287f130e3eb9060ce3a93adae7d63981a9660e9a3981910780096a
Opcode Fuzzy Hash: 1bddfc8cb42ff44962715253bec41d5a7d6c02d9fb24be2ddb2ebf2aa9530a49
Instruction Fuzzy Hash: 36317871901319BBDB20DF94DD89B9EB7B8EB09B10F104699E515A7280DB74EE48CF60

Function 1000721B Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10007240
__calloc_crt.LIBCMT ref: 1000724C
__getptd.LIBCMT ref: 10007259
CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
_free.LIBCMT ref: 100072A3
__dosmaperr.LIBCMT ref: 100072AE

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: d853c5aad6a4ca1283704040be1a2fdba58bd4e9b88c6b00cf5b9d9771d5e89a
Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
Opcode Fuzzy Hash: d853c5aad6a4ca1283704040be1a2fdba58bd4e9b88c6b00cf5b9d9771d5e89a
Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0

Function 03D3FA29 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 03D3FA4E
__calloc_crt.LIBCMT ref: 03D3FA5A
__getptd.LIBCMT ref: 03D3FA67
CreateThread.KERNEL32(00000000,00000000,03D3F9C4,00000000,00000000,03D3E003), ref: 03D3FA9E
GetLastError.KERNEL32(?,00000000,?,?,03D3E003,00000000,00000000,03D35F40,00000000,00000000,00000000), ref: 03D3FAA8
_free.LIBCMT ref: 03D3FAB1
__dosmaperr.LIBCMT ref: 03D3FABC

Part of subcall function 03D3F91B: __getptd_noexit.LIBCMT ref: 03D3F91B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 78ac48766017b0514bca1ddccc249f130e4ab4c1dc8328825def2d851e9c95aa
Instruction ID: 8a21687d230d3649d4eeaf064f1a0f754c54373a0f2eecd868803214a69288ef
Opcode Fuzzy Hash: 78ac48766017b0514bca1ddccc249f130e4ab4c1dc8328825def2d851e9c95aa
Instruction Fuzzy Hash: 7511CE3A60470EAFDB10EFA9AC40E9B379DEF06B60B14442AF9058A190DB70DC118A70

Function 100071B6 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790

Function 03D3F9C4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 03D3F9CA

Part of subcall function 03D43CA0: TlsGetValue.KERNEL32(00000000,03D43DF9,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000,00000000), ref: 03D43CA9
Part of subcall function 03D43CA0: DecodePointer.KERNEL32(?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000,00000000,?,03D43F06,0000000D), ref: 03D43CBB
Part of subcall function 03D43CA0: TlsSetValue.KERNEL32(00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000,00000000,?,03D43F06), ref: 03D43CCA

___fls_getvalue@4.LIBCMT ref: 03D3F9D5

Part of subcall function 03D43C80: TlsGetValue.KERNEL32(?,?,03D3F9DA,00000000), ref: 03D43C8E

___fls_setvalue@8.LIBCMT ref: 03D3F9E8

Part of subcall function 03D43CD4: DecodePointer.KERNEL32(?,?,?,03D3F9ED,00000000,?,00000000), ref: 03D43CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 03D3F9F1
ExitThread.KERNEL32 ref: 03D3F9F8
GetCurrentThreadId.KERNEL32 ref: 03D3F9FE
__freefls@4.LIBCMT ref: 03D3FA1E

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: b9da882cc80dd0104a9ab4ea51caa8c626107cb02766f368a8211ea51209c222
Instruction ID: ee013c56fc5e1611515ab10a94a62b6cfb549fae2e25c04d01857ca2c929a764
Opcode Fuzzy Hash: b9da882cc80dd0104a9ab4ea51caa8c626107cb02766f368a8211ea51209c222
Instruction Fuzzy Hash: 07F06D7DA00344BBC708FF75CA0880E7BACEF492413248958F9098B205DB34D846CBB1

Function 6C362F01 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 778COMMON

Download Yara Rule

Strings

,, xrefs: 6C363D12
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID: $,$jIk
API String ID: 0-2946808363
Opcode ID: 7fa520a6ba5848778dd9acea97daedc55081b8f22a7d2d18fb006b2a5e725f57
Instruction ID: 9eaa772a65475bf8a592b0034d3c1b6a0362d3d48d9dbf3d15594dc5b067e0c7
Opcode Fuzzy Hash: 7fa520a6ba5848778dd9acea97daedc55081b8f22a7d2d18fb006b2a5e725f57
Instruction Fuzzy Hash: B372BB71D142688BEB24CF25CC947EDBBB2AF86304F148298D4497BA85DB715EC8CF91

Function 6C363024 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 738COMMON

Download Yara Rule

Strings

,, xrefs: 6C363D12
, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID: $,$jIk
API String ID: 0-2946808363
Opcode ID: c39d65573c6e237096705d445b58cab5d345b0e3c935b4e7e5514714e2602468
Instruction ID: 783ef140d6c744d6146a228874b53c52239067f20d7f26c73c5873a7f9263393
Opcode Fuzzy Hash: c39d65573c6e237096705d445b58cab5d345b0e3c935b4e7e5514714e2602468
Instruction Fuzzy Hash: C472DD71D142688BDB68CF24CC947EDBBB2AF86304F148298D4497BA85DB715EC8CF91

Function 6C3821F6 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0d2b78b27ee4fab49393d5ab1e21f936fac5ee55595b050fd5efb5eb891298
Instruction ID: b2e4b20bf4f8269b56f73582dcfde3c7e55669e1393e92d6bd00dfb8b38a41ad
Opcode Fuzzy Hash: ea0d2b78b27ee4fab49393d5ab1e21f936fac5ee55595b050fd5efb5eb891298
Instruction Fuzzy Hash: 96B134B0A06249AFDF01CFA8CA48BADBBB4BF4A318F544149E451AB781C7779941CF71

Function 100032E0 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
Sleep.KERNEL32(00000258), ref: 100032FE
InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
Sleep.KERNEL32(0000012C), ref: 1000332B

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0

Function 03D36690 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 03D3669B
CoCreateInstance.OLE32(03D546FC,00000000,00000001,03D5471C,?,?,?,?,?,?,?,?,?,?,03D3588A), ref: 03D366B2
SysFreeString.OLEAUT32(?), ref: 03D3674C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,03D3588A), ref: 03D3677D

Strings

FriendlyName, xrefs: 03D3673B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName
API String ID: 841178590-3623505368
Opcode ID: f3a235953c1a80e68928d9031bdc4b5af445ad703a578cca23a39e6e7a530f81
Instruction ID: 8ab89b43848942c83fbd178b5567c9f218bb35608eb5bdd7087808252afacb88
Opcode Fuzzy Hash: f3a235953c1a80e68928d9031bdc4b5af445ad703a578cca23a39e6e7a530f81
Instruction Fuzzy Hash: 2E314C75700209AFDB00DBA9DC80EAEB7B9EF89704F148598F905EB254DA71ED45CB60

Function 03D3F707 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03D3F721

Part of subcall function 03D3F673: __FF_MSGBANNER.LIBCMT ref: 03D3F68C
Part of subcall function 03D3F673: __NMSG_WRITE.LIBCMT ref: 03D3F693
Part of subcall function 03D3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76), ref: 03D3F6B8

std::exception::exception.LIBCMT ref: 03D3F756
std::exception::exception.LIBCMT ref: 03D3F770
__CxxThrowException@8.LIBCMT ref: 03D3F781

Strings

bad allocation, xrefs: 03D3F74F

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 293b355cb2efefda98c542d43c49aa15ed3c49d73c84839545ce764ab899f2fa
Instruction ID: 6ce3ffebbca7829be10657ac90e87826761d72e1c6da612e78dc49e523229405
Opcode Fuzzy Hash: 293b355cb2efefda98c542d43c49aa15ed3c49d73c84839545ce764ab899f2fa
Instruction Fuzzy Hash: A2F081B6D0030DABCF05FB64DC25A5E77ADEB42654F140059E850DA291DB709E49CBA0

Function 00E01C50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000001), ref: 00E01C61
CommandLineToArgvW.SHELL32(00000000), ref: 00E01C68
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00E00000), ref: 00E01CD3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00E01CF3
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00E00000,00000000,00000000,00000000,00E02778,00000014), ref: 00E01D25

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
String ID:
API String ID: 4060259846-0
Opcode ID: 0fa7a62a9e63d43a50a969cf181cf966205ce37ecf003a4e5aa3adb6a233370e
Instruction ID: 63ffa5f9e1c291db2a0a5a47a0c5d9d526b6787d6e5e62a84556418e55d89f16
Opcode Fuzzy Hash: 0fa7a62a9e63d43a50a969cf181cf966205ce37ecf003a4e5aa3adb6a233370e
Instruction Fuzzy Hash: E831C170604305AFE710EF68AC85B1B77E4EF84715F104A2CFA55AB2C1E731ED488B62

Function 6C36D04E Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C36D08B
dllmain_crt_dispatch.LIBCMT ref: 6C36D0A2
dllmain_raw.LIBCMT ref: 6C36D0EA
dllmain_crt_dispatch.LIBCMT ref: 6C36D0FD
dllmain_raw.LIBCMT ref: 6C36D110

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: beff8605b2729e1a2f48045952afa58c566571185cc05b56c30c08324a71a3a4
Instruction ID: 13c56519d10e8f58eef583b43d735080dfc284f74f8982bb247b6ed2e0a4b27e
Opcode Fuzzy Hash: beff8605b2729e1a2f48045952afa58c566571185cc05b56c30c08324a71a3a4
Instruction Fuzzy Hash: 7C21AE72D05219ABDF219F57CC40AEF3A79EB85A98F214119F8945BE18C7728D028FE1

Function 10002D10 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
CancelIo.KERNEL32(?), ref: 10002D46
InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
closesocket.WS2_32(?), ref: 10002D59
SetEvent.KERNEL32(00000001), ref: 10002D63

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0

Function 6C36403B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181processCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(00000000,00000000), ref: 6C36416E

Strings

&, xrefs: 6C364250
', xrefs: 6C364DC9
j)wh, xrefs: 6C364190

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Exec
String ID: &$'$j)wh
API String ID: 459137531-3604346523
Opcode ID: d810316f07087057d21709daaa72419736fb6fd0f117854c5281509f2ac0a456
Instruction ID: 46d72c95f5c3f0fea39461c55b51374299c17534550867887d4a6945234437c1
Opcode Fuzzy Hash: d810316f07087057d21709daaa72419736fb6fd0f117854c5281509f2ac0a456
Instruction Fuzzy Hash: 9071F371C042588BDB14CFA4C8583EEBB72BF41308F14465CD0957BB85DBB55AC88FA2

Function 10006F17 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10006F31

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

std::exception::exception.LIBCMT ref: 10006F66
std::exception::exception.LIBCMT ref: 10006F80
__CxxThrowException@8.LIBCMT ref: 10006F91

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740

Function 6C366410 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C36642F

Strings

156.251.17.243, xrefs: 6C3664DB, 6C36651E, 6C36688A, 6C3668A2, 6C3668E8, 6C366967, 6C366975, 6C366984
18852, xrefs: 6C36653B, 6C366584, 6C3668EF, 6C366907, 6C36694D, 6C366954, 6C366962, 6C366983

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: 156.251.17.243$18852
API String ID: 4218353326-1308403728
Opcode ID: 7a5b0940f5dc559a11d2a5ed3215ae1df853b39988ae11aa72815fd5903c58ef
Instruction ID: 371d5d2836eae61c8a3fd71d457a9910caa5e610245b5321427dac85da644e53
Opcode Fuzzy Hash: 7a5b0940f5dc559a11d2a5ed3215ae1df853b39988ae11aa72815fd5903c58ef
Instruction Fuzzy Hash: 784147B15002105FDB24EF25E884B9A7BB9FB46348F150A2DE145CBF45E73AD9488BA2

Function 6C3688B9 Relevance: 4.7, APIs: 3, Instructions: 194sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000BB8), ref: 6C3688BF
_strlen.LIBCMT ref: 6C3688DD
_strlen.LIBCMT ref: 6C368916

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen$Sleep
String ID:
API String ID: 2737124692-0
Opcode ID: 9e21af3cc113b3ccfb31ee46756bd65c9300f444572b88d363d2df7a0cf23f57
Instruction ID: d3057760001f9ab80fc9ff0e4a89a9ade28cb22d24a11c55ca6e1f10728c19e1
Opcode Fuzzy Hash: 9e21af3cc113b3ccfb31ee46756bd65c9300f444572b88d363d2df7a0cf23f57
Instruction Fuzzy Hash: 1D6159B2C012549BDB10CF65DC407DD7BB1FF4A318F15032AE855A7B84E7759A488FA2

Function 6C363D3E Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 115sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C361070: SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6C361124
Part of subcall function 6C361070: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C36115F

Sleep.KERNEL32(000000C8), ref: 6C363DFC

Strings

, xrefs: 6C363E96
jIk, xrefs: 6C363E27

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AttributesFileIos_base_dtorSleepstd::ios_base::_
String ID: $jIk
API String ID: 3742752172-1761899760
Opcode ID: 358b47e2981f8e7075a2c93e06165ee5a85264b8ad1fb4906ba72afcb929bb96
Instruction ID: a5464d535e5be01ac70f323bcd619d04badb252f0e46c6a75b09f02f311b4185
Opcode Fuzzy Hash: 358b47e2981f8e7075a2c93e06165ee5a85264b8ad1fb4906ba72afcb929bb96
Instruction Fuzzy Hash: 4E5102B1D042948FDB10CF64C8407EDBBB2BF5A304F158299D88877646EBB46AC9CF91

Function 03D33160 Relevance: 4.6, APIs: 3, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03D3316B
InterlockedExchange.KERNEL32(?,00000001), ref: 03D33183
GetCurrentThreadId.KERNEL32 ref: 03D3322F

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CurrentThread$ExchangeInterlocked
String ID:
API String ID: 4033114805-0
Opcode ID: 3e074674ce42a29a1a2e3f3ae78482f564663f5ff326e03437d71b0137db3307
Instruction ID: b6f9e7f2b3526f07f35553f58da45f845b7adfe8220898fdc94c9bdc224d18c4
Opcode Fuzzy Hash: 3e074674ce42a29a1a2e3f3ae78482f564663f5ff326e03437d71b0137db3307
Instruction Fuzzy Hash: 42319A79200702AFDB28EF69CA84A66B3E8FF45704B14C56DE85ACB614D731FC45CB90

Function 100011B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 100011E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790

Function 03D311B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 03D311E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03D31226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03D31255

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 59468bf6377db75804b393ef7387b39fd2ba22b4faba2d5203c1a248fb738291
Instruction ID: b44899b1d6a942739910dd1c1d45a7b68b2d7590486f3e442252560c34ba36cc
Opcode Fuzzy Hash: 59468bf6377db75804b393ef7387b39fd2ba22b4faba2d5203c1a248fb738291
Instruction Fuzzy Hash: 7F21A475E007099FDB10EFADD845B6EF7F9EF41B05F0089ADE859E2640E630AD148750

Function 10001100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 1000112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750

Function 03D31100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 03D3112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03D3115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03D31192

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 78486ef1c3f11141ff5937245c999dd12bec9580338e1fd7d88c4de80fe07cd7
Instruction ID: 76010a51a1af646b7d9576d4b9912505d6d0481ba9eaf121c90e3d3e342a5651
Opcode Fuzzy Hash: 78486ef1c3f11141ff5937245c999dd12bec9580338e1fd7d88c4de80fe07cd7
Instruction Fuzzy Hash: B4119371E00709AFDB10AFA9DC85B6EFBF8FF05705F0085A9E959E2240E670A9148751

Function 03D39DE0 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03D39E04
GdipDisposeImage.GDIPLUS(?), ref: 03D39E18
GdipDisposeImage.GDIPLUS(?), ref: 03D39E3B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Gdip$DisposeImage$BitmapCreateFromStream
String ID:
API String ID: 800915452-0
Opcode ID: ea7965a8e23e5a419d1fd9bc524e70a4042b08eaef4b600e750a4c90791a0427
Instruction ID: e46a23290415b03c53595a801fc25f4131f80f4c9e7b059c5ef1533683adedae
Opcode Fuzzy Hash: ea7965a8e23e5a419d1fd9bc524e70a4042b08eaef4b600e750a4c90791a0427
Instruction Fuzzy Hash: 2BF08C72D01229AB8B10EF94D8448AEF7B9EB49B11B00864AFC05BB340D7709E09CBE0

Function 03D39AC0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(03D5FB64), ref: 03D39ADC
GdiplusStartup.GDIPLUS(03D5FB60,?,?), ref: 03D39B15
LeaveCriticalSection.KERNEL32(03D5FB64), ref: 03D39B26

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: 50ba9c20d885b128c8676328cbe3993d67278f3886b1f9ce0140aea6c1493079
Instruction ID: 74089abc337b9b9901426ad1a6b07e03f1341dfc6e67b8ac22884fd216ff318b
Opcode Fuzzy Hash: 50ba9c20d885b128c8676328cbe3993d67278f3886b1f9ce0140aea6c1493079
Instruction Fuzzy Hash: 67F0CD32941309DFDB01EFE1E87A7AEB7BCF705701F400299E82456240C7B24648CBA1

Function 6C38357E Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(6C3751D8,?,6C3751D8,?,?,?,0000000F), ref: 6C383586
GetLastError.KERNEL32(?,6C3751D8,?,?,?,0000000F), ref: 6C383590
__dosmaperr.LIBCMT ref: 6C383597

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 603ced8a0b1df31991b00b2eeb56012b940cf978025155a7103a8cdaaecb46d5
Instruction ID: de00600561331a776904c78234d67c7fc76eee2f4d1c89e705ee74a0f0167cdd
Opcode Fuzzy Hash: 603ced8a0b1df31991b00b2eeb56012b940cf978025155a7103a8cdaaecb46d5
Instruction Fuzzy Hash: 28D0C932209108A78E101EB6AC0D95A3BAC9A823793240655F42DC65D0EA27C8509961

Function 10003200 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10003200

Strings

17093, xrefs: 10020254
156.251.17.243, xrefs: 1002026C

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep
String ID: 156.251.17.243$17093
API String ID: 3472027048-3225327204
Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550

Function 10007156 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 1000715B

Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904

__freeptd.LIBCMT ref: 10007165

Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
Part of subcall function 10009A58: TlsSetValue.KERNEL32(0000001F,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE

ExitThread.KERNEL32 ref: 1000716E

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291

Function 6C364915 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 374fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?), ref: 6C364924

Strings

', xrefs: 6C364DC9

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: DeleteFile
String ID: '
API String ID: 4033686569-1997036262
Opcode ID: e6891a2af0921ce2b8b695b68244b525be374e52c3ce6aec3c1c4da91092cda0
Instruction ID: 6698aea1e67c3925cfbfc1e9edc4e7941cce3133a92d7d794b69ca9c08621980
Opcode Fuzzy Hash: e6891a2af0921ce2b8b695b68244b525be374e52c3ce6aec3c1c4da91092cda0
Instruction Fuzzy Hash: 25C12C72D200244BDB2CDA25CCA47ADBA63EF41314F194768E45AA7FD8CB319EC48F91

Function 6C366840 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C36685B

Strings

156.251.17.243, xrefs: 6C3664DB, 6C36651E, 6C36688A, 6C3668A2, 6C3668E8, 6C366967, 6C366975, 6C366984

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Startup
String ID: 156.251.17.243
API String ID: 724789610-3008411706
Opcode ID: e565b792454f9c0a0e265ffac5ba3aac4ed26416fdd6a3387a183f48cda87f54
Instruction ID: f569c8a448f12cef828d77886a4221f8492bc665a24f7c317567775aa114f8b3
Opcode Fuzzy Hash: e565b792454f9c0a0e265ffac5ba3aac4ed26416fdd6a3387a183f48cda87f54
Instruction Fuzzy Hash: 0BE065714183419BE300DF11C908BABBAF8EFDA30CF015B0DF4C455181D3B956888B57

Function 03BB01CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 03BB022B

Memory Dump Source

Source File: 00000003.00000002.3557383262.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3bb0000_Update.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: 06347bd5fea93960385c3ec9b4a641d986c9673ada9abfb1a32f8722ef4a503d
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: 19A14D70A00606EFDB14DFA9C884ABEB7B5FF48308F1881B9E455D7251DBB0EA51CB90

Function 6C360D50 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456794935966b840b6179626dd84585e3184b1579eebac781d3ef3b74d832189
Instruction ID: 1f14294338ad31745c095728d8fa0d29473f4bd21cf7f95f65a7d27c0ce3ae2f
Opcode Fuzzy Hash: 456794935966b840b6179626dd84585e3184b1579eebac781d3ef3b74d832189
Instruction Fuzzy Hash: 39911E74A00744CFDB04CF29C880B9ABBB2FF89314F148669E8599BB95D731E945CFA1

Function 6C38121C Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C3815C6: GetConsoleOutputCP.KERNEL32(CDB86E77,00000000,00000000,?), ref: 6C381629

WriteFile.KERNEL32(?,6C3807FB,00000000,6C38B0A5,00000000,6C3807FB,00000000,00000000,?,6C38B0A5,00000000,00000000,6C38AFE2,6C3807FB,00000000,?), ref: 6C3813A1
GetLastError.KERNEL32(?,6C38B0A5,00000000,00000000,6C38AFE2,6C3807FB,00000000,?,6C38A281,00000000,6C3807FB), ref: 6C3813AB

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: e1404d6bb19af682fb5cc47c18aec296e1f9c8899ed470d4a57bda9a93bb1d2c
Instruction ID: 2e16bee645d65bda0b3e0b04f7f52104b94752463c2a9df704534674b65d5ee7
Opcode Fuzzy Hash: e1404d6bb19af682fb5cc47c18aec296e1f9c8899ed470d4a57bda9a93bb1d2c
Instruction Fuzzy Hash: B561B472D16119AFDF01CFA8C840EEEBBB9AF4A30CF140189E961A7645D372D905CFA1

Function 6C35A8B0 Relevance: 3.2, APIs: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6C35AA36
__fread_nolock.LIBCMT ref: 6C35AA59

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: bb58a6a0a802cbbd7d4787d1b2aa3885e63c8cef58e2f1b244c96a4b348c1e1e
Instruction ID: 66c41ed2ce3d017a41aeec4d9ff2abea72f2369e13bb36596966f4e9e25a6a64
Opcode Fuzzy Hash: bb58a6a0a802cbbd7d4787d1b2aa3885e63c8cef58e2f1b244c96a4b348c1e1e
Instruction Fuzzy Hash: 475127757042148FC7008E2DC880F6AB3E5AF89718F56862DF899CB790D632EC15CFA1

Function 10003350 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 10003403
_memmove.LIBCMT ref: 10003495

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90

Function 6C351A30 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 137sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C373EF1: GetSystemTimeAsFileTime.KERNEL32(6C351A64,?,?,?,?,?,6C351A64,00000000), ref: 6C373F06
Part of subcall function 6C373EF1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C373F25

Sleep.KERNEL32(00000064), ref: 6C351B6C

Strings

gfff, xrefs: 6C351A9E

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: gfff
API String ID: 2563648476-1553575800
Opcode ID: 1bd66941009d79cca3a537edd904f6f71920f42d7adde81799d11f061b76c0fb
Instruction ID: 0be2b36267e80a147f55d19b77a5580346ebb7d1fb810c26dc0f38aa337a8b7c
Opcode Fuzzy Hash: 1bd66941009d79cca3a537edd904f6f71920f42d7adde81799d11f061b76c0fb
Instruction Fuzzy Hash: 4C51E2B1E002488FDB14CFA9D804BEDBBB8EB05318F848229D015E7B90F7759559CFA2

Function 6C36CE1B Relevance: 3.1, APIs: 2, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C36CE68

Part of subcall function 6C36D21A: InitializeSListHead.KERNEL32(6C39CA10,6C36CE72,6C399C08,00000010,6C36D00B,?,00000000,?,00000007,6C399C28,00000010,6C36D01E,?,?,6C36D0A7,?), ref: 6C36D21F

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C36CED2

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: c82b5133a77572ed366aa80486bdb4e882869a6ab18ac1bc9f957fdaa18b0fa1
Instruction ID: f373bfe47975cbade857248f89de7153d40c1e44e1a691c20ecdde805c7fdaf8
Opcode Fuzzy Hash: c82b5133a77572ed366aa80486bdb4e882869a6ab18ac1bc9f957fdaa18b0fa1
Instruction Fuzzy Hash: 8C2107323452519ADF00BFBAB8007D837B0AB4776DF204819D4856BFC5EB7750098E67

Function 10002FB0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
recv.WS2_32(?,?,00040000,00000000), ref: 10003044

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1

Function 03D32FD0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03D33043
recv.WS2_32(?,?,00040000,00000000), ref: 03D33064

Part of subcall function 03D3F91B: __getptd_noexit.LIBCMT ref: 03D3F91B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: a39362b39482b5f069decb85f970ea69a2e6154a6a4edfe49f0e8cafa729b486
Instruction ID: 1c6a93f4612efeda28a04a6d160b24783c034f90bf7e4fd7b9af4e549313253e
Opcode Fuzzy Hash: a39362b39482b5f069decb85f970ea69a2e6154a6a4edfe49f0e8cafa729b486
Instruction Fuzzy Hash: 6521B475A003089BDB20EF69DD84BDA77A8EF06710F1805A4E5449F290D7B0AD94CBB1

Function 6C3819F5 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6C381387,?,6C38A281,6C3807FB,00000000,6C3807FB,00000000), ref: 6C381A91
GetLastError.KERNEL32(?,6C381387,?,6C38A281,6C3807FB,00000000,6C3807FB,00000000,00000000,?,6C38B0A5,00000000,00000000,6C38AFE2,6C3807FB,00000000), ref: 6C381AB7

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: fcabaabfa0c25b7d8a7e0d3b4bc77d7b536c0df0c2c71408f724a269e30cbb5e
Instruction ID: fdc5670d04144bb49096b2a58f178d0b42ed5cdc868993fccbd2c3d46acff7d9
Opcode Fuzzy Hash: fcabaabfa0c25b7d8a7e0d3b4bc77d7b536c0df0c2c71408f724a269e30cbb5e
Instruction Fuzzy Hash: D321F132A112589FCF19CF29C8809DAB7BAEB49305F1441AAE956D7300E734EE46CF61

Function 6C361070 Relevance: 3.1, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6C361124
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C36115F

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AttributesFileIos_base_dtorstd::ios_base::_
String ID:
API String ID: 2738015347-0
Opcode ID: 3e22448656397829638dfdc4760c4f2e3cfafc603839e0775d713defbfd44432
Instruction ID: 1cb5b82088869c12e7adf904a06ac7c7e8cfb917f93eba029851fd3ecadba420
Opcode Fuzzy Hash: 3e22448656397829638dfdc4760c4f2e3cfafc603839e0775d713defbfd44432
Instruction Fuzzy Hash: 66314875601B009FE724CF29C845B96BBA5FB45724F408A1CE5AA8BB91D731E944CF81

Function 6C36CF22 Relevance: 3.1, APIs: 2, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C36CF69
___scrt_uninitialize_crt.LIBCMT ref: 6C36CF83

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: c592ed8bcf4a649811c67f08d2f9d36c460a5a5e3fd0a4e5c5583e1971f8446b
Instruction ID: f0ccf62f8a6efb2e52a8b21a89caec41d325307404c06231a8fd2f5e83ae94cd
Opcode Fuzzy Hash: c592ed8bcf4a649811c67f08d2f9d36c460a5a5e3fd0a4e5c5583e1971f8446b
Instruction Fuzzy Hash: F721F673A082559BCF00BFBBA8003DD7BA4EB0675DF20441AD09496E88DB7685058FA6

Function 03D33260 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 03D33291
send.WS2_32(?,?,?,00000000), ref: 03D332CE

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4f435bf9f94639cb08317499c90ab71670c6eaee3839a63989ad8aa6f8b20a4e
Instruction ID: 951d2db36f2f761d4d50e423152db15ee0fbc4454882d10dcf55b82911f187d3
Opcode Fuzzy Hash: 4f435bf9f94639cb08317499c90ab71670c6eaee3839a63989ad8aa6f8b20a4e
Instruction Fuzzy Hash: FC11E57FB09304BBD760CA6EDE88B5EB799FB42764F184025E918DB290D270AE418750

Function 6C37FE7C Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,6C35BBBA,00008000,6C3807FB,?,?,?,6C37FD04,6C3807FB,?,00000000,6C35BBBA,?), ref: 6C37FEB8
GetLastError.KERNEL32(00000000,?,?,?,6C37FD04,6C3807FB,?,00000000,6C35BBBA,?,00000000,00008000,6C3807FB,?,?,6C389C04), ref: 6C37FEC5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bcdc69f0feb8e582d2a328e50e7e51ff2ecef5cb4df282427b4a2b7a86c44b84
Instruction ID: 84c3dc0b7e4bfe4a2d7226bbe142bbebef2d1fd8321fc26fe1ed2ef9df7b28af
Opcode Fuzzy Hash: bcdc69f0feb8e582d2a328e50e7e51ff2ecef5cb4df282427b4a2b7a86c44b84
Instruction Fuzzy Hash: 05012632628255AFCF158F59CC4989E3B79EF8A324B240248F8519BAD1E676D941CFA0

Function 100030C0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 100030EA
timeGetTime.WINMM ref: 10003104

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1

Function 03D330E0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 03D3310A
timeGetTime.WINMM ref: 03D33124

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: ad748ac81baa980ffddc9e33949654f93e5d34086a3ca516bf61842d2155d36e
Instruction ID: 0eb13372e96858476a41caf295afdaa0c0fc076156ff5a714611e99549f3271b
Opcode Fuzzy Hash: ad748ac81baa980ffddc9e33949654f93e5d34086a3ca516bf61842d2155d36e
Instruction Fuzzy Hash: DA01F739600205AFD311DF28C8C8B69F7B5FB5A701F184264D10447294C771ADCAC7D1

Function 10006410 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
_free.LIBCMT ref: 10006466

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55

Function 03D3CD00 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,03D3E04E,00000000,03D39800,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D3CD1B
_free.LIBCMT ref: 03D3CD56

Part of subcall function 03D31280: __CxxThrowException@8.LIBCMT ref: 03D31290
Part of subcall function 03D31280: DeleteCriticalSection.KERNEL32(00000000,03D3D3E6,03D56624,?,?,03D3D3E6,?,?,?,?,03D55A40,00000000), ref: 03D312A1

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: 350c9da8389c817fcc26b88aa61753701413a2874bf6cd7b5f6dbd18a18e51ee
Instruction ID: 84f35b2c2d555b276ff96d4de8dde360341de9f2a5643f8b477334dd62ba7449
Opcode Fuzzy Hash: 350c9da8389c817fcc26b88aa61753701413a2874bf6cd7b5f6dbd18a18e51ee
Instruction Fuzzy Hash: 32017AB5A00B448FC730DF6A9844A17FAE8FF99700B504A1EE2DACBB20D370A505CF65

Function 03D3E480 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,03D3DF10,00000000,00000000,00000000), ref: 03D3E49B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,03D41168,?,?,?,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D3E4A9

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 60a76517948e20c7ae8a74cf73e0760ad942780e67e3978e028ff010031263b2
Instruction ID: 65e4f7d0626aec4bd04571c9c4f298cd76028526f2c2811a59ed5e9d8b036848
Opcode Fuzzy Hash: 60a76517948e20c7ae8a74cf73e0760ad942780e67e3978e028ff010031263b2
Instruction Fuzzy Hash: 74E012B2444309BFDB10EB65AC85E3633ACD709730B104615FA21D2388D531DD548A70

Function 10007175 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10007181

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E

__XcptFilter.LIBCMT ref: 100071A2

Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24

Function 03D3F983 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03D3F98F

Part of subcall function 03D43E5B: __getptd_noexit.LIBCMT ref: 03D43E5E
Part of subcall function 03D43E5B: __amsg_exit.LIBCMT ref: 03D43E6B

Part of subcall function 03D3F964: __getptd_noexit.LIBCMT ref: 03D3F969
Part of subcall function 03D3F964: __freeptd.LIBCMT ref: 03D3F973
Part of subcall function 03D3F964: ExitThread.KERNEL32 ref: 03D3F97C

__XcptFilter.LIBCMT ref: 03D3F9B0

Part of subcall function 03D4418F: __getptd_noexit.LIBCMT ref: 03D44195

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 16634501e7087382aec08351a494c9c1f2c4952906f8809a28393a6f6492ff0d
Instruction ID: 74a561165c9d6995dc9df97e76885c76e855039d658042f9c6afb64d368e2d56
Opcode Fuzzy Hash: 16634501e7087382aec08351a494c9c1f2c4952906f8809a28393a6f6492ff0d
Instruction Fuzzy Hash: B3E0ECB9940704EFDB18EBA5D805F7D7779EF45A11F200148E1016F2A1CB799944DA30

Function 03D46403 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 03D4641B

Part of subcall function 03D48E5B: __mtinitlocknum.LIBCMT ref: 03D48E71
Part of subcall function 03D48E5B: __amsg_exit.LIBCMT ref: 03D48E7D
Part of subcall function 03D48E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03D43F06,0000000D,03D56340,00000008,03D43FFF,00000000,?,03D410F0,00000000,03D56278,00000008,03D41155,?), ref: 03D48E85

__tzset_nolock.LIBCMT ref: 03D4642C

Part of subcall function 03D45D22: __lock.LIBCMT ref: 03D45D44
Part of subcall function 03D45D22: ____lc_codepage_func.LIBCMT ref: 03D45D8B
Part of subcall function 03D45D22: __getenv_helper_nolock.LIBCMT ref: 03D45DAD
Part of subcall function 03D45D22: _free.LIBCMT ref: 03D45DE4
Part of subcall function 03D45D22: _strlen.LIBCMT ref: 03D45DEB
Part of subcall function 03D45D22: __malloc_crt.LIBCMT ref: 03D45DF2
Part of subcall function 03D45D22: _strlen.LIBCMT ref: 03D45E08
Part of subcall function 03D45D22: _strcpy_s.LIBCMT ref: 03D45E16
Part of subcall function 03D45D22: __invoke_watson.LIBCMT ref: 03D45E2B
Part of subcall function 03D45D22: _free.LIBCMT ref: 03D45E3A

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: 39c238c4606e00bf903e7cbeffba88b18a83f059629d32f28c4390f499e357b6
Instruction ID: 0718f9778ae7a69e4b701af8bda0fc30d3e7b8758ff1fe8e5663fd96511b7108
Opcode Fuzzy Hash: 39c238c4606e00bf903e7cbeffba88b18a83f059629d32f28c4390f499e357b6
Instruction Fuzzy Hash: 32E0123ADC9714D7CA62FBF1B50660C7270EB95F21F944159E46529184CAB04581D673

Function 1000474C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(|p1:156.251.17.243|o1:17093|t1:1|p2:156.251.17.243|o2:17094|t2:1|p3:156.251.17.243|o3:17095|t3:1|dd:1|cl:1|fz:), ref: 10004755

Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655

Strings

|p1:156.251.17.243|o1:17093|t1:1|p2:156.251.17.243|o2:17094|t2:1|p3:156.251.17.243|o3:17095|t3:1|dd:1|cl:1|fz:, xrefs: 10004750

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __wcsrevlstrlen
String ID: |p1:156.251.17.243|o1:17093|t1:1|p2:156.251.17.243|o2:17094|t2:1|p3:156.251.17.243|o3:17095|t3:1|dd:1|cl:1|fz:
API String ID: 4062721203-1085766062
Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1

Function 03D36EBC Relevance: 3.0, APIs: 2, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80000001,03D36E9A), ref: 03D36EC9
RegCloseKey.ADVAPI32(75BF73E0), ref: 03D36ED2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 71e57066c1ddd63a9281c11c50f10788a13085dd6f77470bec794dfa5515879a
Instruction ID: d01206319dcfe9272a69493a67c463d79e3f08ed22d8ad914285549d40f676d9
Opcode Fuzzy Hash: 71e57066c1ddd63a9281c11c50f10788a13085dd6f77470bec794dfa5515879a
Instruction Fuzzy Hash: 94C09B73D0113857CF50F7A8FD4494D77B85F4C210F1144C2A104A3114C634BD41CF90

Function 6C37A9E4 Relevance: 2.6, APIs: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,6C372F09,6C37CFC1,?,?,6C37A8E0,00000001,00000364,?,00000006,000000FF,?,?,6C375151), ref: 6C37A9E8
SetLastError.KERNEL32(00000000,6C351A6D,00000000), ref: 6C37AA8A

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f47e3496a0c53a97bd4e9f5348858925421f994ab6554e5d90e5b74e2e1bf278
Instruction ID: b5045a26e5588815be28841cc9c8fca077214c8c397cfe449b049dd78db9ec6a
Opcode Fuzzy Hash: f47e3496a0c53a97bd4e9f5348858925421f994ab6554e5d90e5b74e2e1bf278
Instruction Fuzzy Hash: C011E93175C1146F9FB17AB59DC4E9B37ACAB036AC7101220F42196A90FB1EC808AF79

Function 6C380EF2 Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,6C380EE1,6C389DDA,?,00000000,00000000), ref: 6C380F48
GetLastError.KERNEL32(?,00000000,?,6C380EE1,6C389DDA,?,00000000,00000000), ref: 6C380F52

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 2101ba91b7f890d77681d43432b0b0194f765cf8db5a04c3737500d900f06dae
Instruction ID: a07080596f79e74473a6c398f38cd7599c0d51a5865f14227d1b51340f8cacc1
Opcode Fuzzy Hash: 2101ba91b7f890d77681d43432b0b0194f765cf8db5a04c3737500d900f06dae
Instruction Fuzzy Hash: B9116B3362F1902AD60517759A4979D37AD8F8373CF254349E82CCBAC0EB33C4498A91

Function 6C367590 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3677F3

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 08ce54f674a75fbf9a98568e073b73221e41f6a6b90a91e5293409461cea46f1
Instruction ID: ae56eb196f496eee8e4f16ed360813cb0ec1b42668a17becc0b5c77c8cc97a23
Opcode Fuzzy Hash: 08ce54f674a75fbf9a98568e073b73221e41f6a6b90a91e5293409461cea46f1
Instruction Fuzzy Hash: 1E8178B1910B018BD324CF25C880BA6B7E5FF49308F548A2DD4AA87F80E771B588CF91

Function 6C380307 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8673709664c162c8c2f13b8aab13228326c1c3842221c57f7e7391fcc264150f
Instruction ID: ee7ceaa430b1bd02bf130a948cfca564c1f7209674ff4f960cb219104ed972e2
Opcode Fuzzy Hash: 8673709664c162c8c2f13b8aab13228326c1c3842221c57f7e7391fcc264150f
Instruction Fuzzy Hash: 6351F570A42144AFDB10CF58C881A9D7FB5EF8A328F288158F8496B751D372DE41CF91

Function 6C38069D Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6C3807F6

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e269c99f12212e1bd70c502856553c5b6a404997cee200d4a904e8695fd62ab2
Instruction ID: beba76c23755ae4f3f3c107159085c339a832ed99695f798073bc8923dfcb983
Opcode Fuzzy Hash: e269c99f12212e1bd70c502856553c5b6a404997cee200d4a904e8695fd62ab2
Instruction Fuzzy Hash: 5E114871A0520AAFCF05DF58E94099B7BF9EF88308F1540A9F809AB311DA71E911CFA5

Function 03D4A6F2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,03D4454A,00000000,00000001,00000000,00000000,00000000,?,03D43E0D,00000001,00000214,?,03D44500), ref: 03D4A735

Part of subcall function 03D3F91B: __getptd_noexit.LIBCMT ref: 03D3F91B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 217299023c9aae79c279f9b5ba9b7bdae510e827bd92a4f85cd494e57ea8993b
Instruction ID: 28f8a0b3ee832ae48f68e53cb7d7df590c587d72796a4daea4ddb44b8e35ce1e
Opcode Fuzzy Hash: 217299023c9aae79c279f9b5ba9b7bdae510e827bd92a4f85cd494e57ea8993b
Instruction Fuzzy Hash: A001D43A2813159FEF34DF25DD44B6B37B8AB81BA0F198569E815CB294D774D401CB50

Function 1000E555 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80

Function 6C383515 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C37A641: RtlAllocateHeap.NTDLL(00000000,6C37DBE2,?,?,6C37DBE2,00000220,?,?,?), ref: 6C37A673

RtlReAllocateHeap.NTDLL(00000000,00000000,?,6C372C0C,00000000,?,6C37FC77,00000000,6C372C0C,000000FF,?,?,?,6C372CE6,?,000000FF), ref: 6C383572

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 281d925f38cac31b6bdcd93332545ed8c0537b226dc96eeb4c90e835c228811d
Instruction ID: 8cd62388161afe139d417ed33277c6916e7f3a4d4724e95051729dc16c53858f
Opcode Fuzzy Hash: 281d925f38cac31b6bdcd93332545ed8c0537b226dc96eeb4c90e835c228811d
Instruction Fuzzy Hash: 6AF0C272207104A6DF611A2AAC00ABA27AC8FC2A68B204115E86497FD0EB26D7448DB6

Function 6C37CF6F Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6C37A8E0,00000001,00000364,?,00000006,000000FF,?,?,6C375151,?,6C351A6D,00000000), ref: 6C37CFB0

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 672912008e3cc8dc837c3636caab3fc85eda4fb05d69aa29b191b8d3ff713ee6
Instruction ID: bd96a969f1d274cf9b48248402642f176b41d7d97a09d7ad081fa83452fbc78f
Opcode Fuzzy Hash: 672912008e3cc8dc837c3636caab3fc85eda4fb05d69aa29b191b8d3ff713ee6
Instruction Fuzzy Hash: C2F0E93264652457EF317E36B804B4BB79CAF42768B248122EC14D6980EB3AD8048FB9

Function 6C37A641 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,6C37DBE2,?,?,6C37DBE2,00000220,?,?,?), ref: 6C37A673

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9275e6788365b323641de6e9769af3340034fe0ce070158340df5c2db0b1c579
Instruction ID: ad2951472cc99efe3c865f15d84bf42b8fddb67d120d5d5dcd72200d7970c4fd
Opcode Fuzzy Hash: 9275e6788365b323641de6e9769af3340034fe0ce070158340df5c2db0b1c579
Instruction Fuzzy Hash: B2E0653225521056EB312A659C04F8636AC9B526A9F116111EC5896D84EB1EC400CEBE

Function 1000608A Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 100060A0

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91

Function 6C389FEC Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(FFFFFFFF,00000000,?,6C389C90,?,?,00000000,?,6C389C90,FFFFFFFF,0000000C), ref: 6C38A009

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f89ca6c086737c78af0acfedc64680ba5807f8525458caac3d1ca94c6f338edf
Instruction ID: 23273448dd040d09c3bf898e958ffb224656e3ccb9e8f8d2c130b439a7d5fb7c
Opcode Fuzzy Hash: f89ca6c086737c78af0acfedc64680ba5807f8525458caac3d1ca94c6f338edf
Instruction Fuzzy Hash: 12D06C3210020DBBDF028E84DC06EDA3BAAFB48714F014000BA1856060C732E862EB94

Function 10005E07 Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 1001F0F9

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA

Function 100060DF Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1001FAB1

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652

Function 10004274 Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553

Function 00E01000 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

TCGamerUpdateMain.UPDATE(?,?), ref: 00E0100B

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: GamerMainUpdate
String ID:
API String ID: 3533789159-0
Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction ID: eeb0654fedab2d3b4910ad65ed97d0a4dc47ebdeade23ea537cefc48a249cf9e
Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction Fuzzy Hash: F6B092B656020C6BCB44EAD8EC42C9A33DC5A88750B408054BE0C8F281E936FA9087A1

Function 1001F63D Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 1001F63D

Memory Dump Source

Source File: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514

Function 6C3518C0 Relevance: 1.4, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24023d1166c22654ab83cd1d1d873daf5044b5c6ec0023676bce91ffc362033e
Instruction ID: 45243553951e407c8de5ace5b559ee39af74788db49f69a21134e1084e128d6c
Opcode Fuzzy Hash: 24023d1166c22654ab83cd1d1d873daf5044b5c6ec0023676bce91ffc362033e
Instruction Fuzzy Hash: 0B61E4B1A046069BC714CF79C490A59B3B5FF46328F908329D06597F90E731E8A5CFD2

Function 10005EB2 Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10005EB2

Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep_malloc
String ID:
API String ID: 617756273-0
Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382

Function 6C3680E0 Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00011D28), ref: 6C3680E5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 330ef356695b0d601c8734bc0de9cfb02cf9050ce6b262b7ed7aefbe5bae77b1
Instruction ID: a6341314313e4a499cbccbd3693adfa23432e71e6e6c89eb76b4075d95c354e9
Opcode Fuzzy Hash: 330ef356695b0d601c8734bc0de9cfb02cf9050ce6b262b7ed7aefbe5bae77b1
Instruction Fuzzy Hash: 0BA002B17521044647146B74580EC8665E89FAA71674185217311D9184EA754090D929

Non-executed Functions

Function 03D3E850 Relevance: 72.1, APIs: 36, Strings: 5, Instructions: 311stringfilesynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3E8A9
Sleep.KERNEL32(00000001,?,?,?,03D3604D), ref: 03D3E8B3
GetTickCount.KERNEL32 ref: 03D3E8BF
GetTickCount.KERNEL32 ref: 03D3E8D2
InterlockedExchange.KERNEL32(03D61F08,00000000), ref: 03D3E8DA
OpenClipboard.USER32(00000000), ref: 03D3E8E2
GetClipboardData.USER32(0000000D), ref: 03D3E8EA
GlobalSize.KERNEL32(00000000), ref: 03D3E8FB
GlobalLock.KERNEL32(00000000), ref: 03D3E90C
wsprintfW.USER32 ref: 03D3E985
_memset.LIBCMT ref: 03D3E9A3
GlobalUnlock.KERNEL32(00000000), ref: 03D3E9AC
CloseClipboard.USER32 ref: 03D3E9B2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 03D3E9CA
CreateFileW.KERNEL32(03D60D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 03D3E9E4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03D3EA02
lstrlenW.KERNEL32(03D55B48,?,00000000), ref: 03D3EA16
WriteFile.KERNEL32(00000000,03D55B48,00000000), ref: 03D3EA25
CloseHandle.KERNEL32(00000000), ref: 03D3EA2C
ReleaseMutex.KERNEL32(00000000), ref: 03D3EA38
GetKeyState.USER32(00000014), ref: 03D3EABC
lstrlenW.KERNEL32(03D5B4A8), ref: 03D3EB0B
wsprintfW.USER32 ref: 03D3EB1D
lstrlenW.KERNEL32(03D5B4D0), ref: 03D3EB3E
lstrlenW.KERNEL32(03D5B4D0), ref: 03D3EB61
wsprintfW.USER32 ref: 03D3EB7F
wsprintfW.USER32 ref: 03D3EB95
wsprintfW.USER32 ref: 03D3EBBF
lstrlenW.KERNEL32(00000000), ref: 03D3EC0B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 03D3EC21
CreateFileW.KERNEL32(03D60D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 03D3EC3B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03D3EC59
lstrlenW.KERNEL32(00000000,?,00000000), ref: 03D3EC69
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 03D3EC74
CloseHandle.KERNEL32(00000000), ref: 03D3EC7B
ReleaseMutex.KERNEL32(00000000), ref: 03D3EC88

Strings

%s%s, xrefs: 03D3EB8F
[, xrefs: 03D3E97F
%s%s, xrefs: 03D3EB17, 03D3EB79
[esc], xrefs: 03D3EB4E, 03D3EB77, 03D3EB8D, 03D3EBB7
%s%s, xrefs: 03D3EBB9

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
String ID: [$%s%s$%s%s$%s%s$[esc]
API String ID: 1637302245-2373594894
Opcode ID: ab000e4aa9df68102f7897cc1d3bd6837ac2e7b9ead524dac8af46ac7c442d09
Instruction ID: 5da8cdfeb1031d69976d32bc0846e1d1fd315e3764a19b00b632d33f4c3df2d5
Opcode Fuzzy Hash: ab000e4aa9df68102f7897cc1d3bd6837ac2e7b9ead524dac8af46ac7c442d09
Instruction Fuzzy Hash: 98C1C376500301AFD731EF64DC89FAA77B8FB09B01F044959F56AD62C4D7B09988CB60

Function 03D377E0 Relevance: 68.5, APIs: 30, Strings: 9, Instructions: 240libraryloaderinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D37804
_memset.LIBCMT ref: 03D37850
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03D37864

Part of subcall function 03D38720: _vswprintf_s.LIBCMT ref: 03D38731

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D37893
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 03D378DA

Part of subcall function 03D37740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,03D378FC), ref: 03D37756
Part of subcall function 03D37740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,03D378FC,?,?,?,?,?,?,74DF0630), ref: 03D3775D

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D3790A
_memset.LIBCMT ref: 03D37923
LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D3793B
GetProcAddress.KERNEL32(00000000), ref: 03D37944
LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D37956
GetProcAddress.KERNEL32(00000000), ref: 03D37959
LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D3796B
GetProcAddress.KERNEL32(00000000), ref: 03D3796E
LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D37980
GetProcAddress.KERNEL32(00000000), ref: 03D37983
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D3798B
GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03D37992
_memset.LIBCMT ref: 03D379B4
GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03D379CA
VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 03D379FF
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 03D37A1B
VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 03D37A43
VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 03D37A58
WriteProcessMemory.KERNEL32(00000000,00000000,03D376F0,00001000,00000000), ref: 03D37A72
VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 03D37A90
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 03D37AA1
Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03D37ABA
VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 03D37AD6
VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 03D37AE8
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03D37AF1

Strings

Kernel32.dll, xrefs: 03D37936, 03D3794B, 03D37960, 03D37975
Windows\System32\svchost.exe, xrefs: 03D378A4
D, xrefs: 03D37840
OpenProcess, xrefs: 03D37931
WinExec, xrefs: 03D3795B
%s%s, xrefs: 03D37876, 03D378AA
WaitForSingleObject, xrefs: 03D37970
Windows\SysWOW64\svchost.exe, xrefs: 03D37870
ExitProcess, xrefs: 03D37946

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 4176418925-3213446972
Opcode ID: 01b2ea06eed1c28a2d071c4d42fc6f359629b7f004d6ebebbcdeaccd959ec1fe
Instruction ID: 26ee8dda3e504caebc825da0a0d6b9b360f98bad121306f69e643279549baaa1
Opcode Fuzzy Hash: 01b2ea06eed1c28a2d071c4d42fc6f359629b7f004d6ebebbcdeaccd959ec1fe
Instruction Fuzzy Hash: 7C81B8B2A403587BDB21EB659C45FDF777CEF96B00F000498F609A6181DAB0AB48CF64

Function 10005820 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10005849
_memset.LIBCMT ref: 10005868
_memset.LIBCMT ref: 1000589D
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 100058B1

Part of subcall function 100059E0: _vswprintf_s.LIBCMT ref: 100059F1

GetFileAttributesA.KERNEL32(?), ref: 100058E0
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 10005928
VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,74DF0630), ref: 1000594E
WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 10005968
GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 10005987
SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 100059A2
ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 100059C1

Strings

Windows\SysWOW64\tracerpt.exe, xrefs: 100058BD
%s%s, xrefs: 100058C3, 100058F7
D, xrefs: 1000587C
Windows\System32\tracerpt.exe, xrefs: 100058EB

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
API String ID: 2170139861-1986163084
Opcode ID: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
Instruction ID: 983fe607fc0b82aa02984a3f7cf9d741954c75fc9833714969104a2613b4b09b
Opcode Fuzzy Hash: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
Instruction Fuzzy Hash: C8418EB0A00318EFE720CF60DC85FAA77B8EF48745F10859DF64D9B185DBB1AA848B54

Function 03D37E50 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 131threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D37E73
_memset.LIBCMT ref: 03D37E9F
_memset.LIBCMT ref: 03D37ED4
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03D37EE8

Part of subcall function 03D38720: _vswprintf_s.LIBCMT ref: 03D38731

GetFileAttributesA.KERNEL32(?), ref: 03D37F15
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 03D37F65
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 03D37F92
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 03D37FAA
GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 03D37FCC
SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 03D37FEA
ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 03D37FFF

Strings

Windows\System32\svchost.exe, xrefs: 03D37F26
%s%s, xrefs: 03D37EFA, 03D37F2C
D, xrefs: 03D37EB3
Windows\SysWOW64\svchost.exe, xrefs: 03D37EEE

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 2170139861-2473635271
Opcode ID: fac8cc7f870e48b7ba4ddabdbd14fe6dfc1999a4b85a9b3a03478556eb8093f3
Instruction ID: 692d4685042d11b58f0ae1c8bc47c4878b17110d31943f4dc371500f2ce4341b
Opcode Fuzzy Hash: fac8cc7f870e48b7ba4ddabdbd14fe6dfc1999a4b85a9b3a03478556eb8093f3
Instruction Fuzzy Hash: C84198B5A40358ABDB21DB64DC95FDE77BDEB45B00F0041D9F60DA6280DAB09B88CF64

Function 03D3E4F0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143synchronizationfilekeyboardCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,03D60D80,74DEE010,74DF2FA0,74DF0F00,?,03D36028,?,?), ref: 03D3E519
lstrcatW.KERNEL32(03D60D80,\DisplaySessionContainers.log,?,03D36028,?,?), ref: 03D3E529
CreateMutexW.KERNEL32(00000000,00000000,03D60D80,?,03D36028,?,?), ref: 03D3E538
WaitForSingleObject.KERNEL32(00000000,000000FF,?,03D36028,?,?), ref: 03D3E546
CreateFileW.KERNEL32(03D60D80,40000000,00000002,00000000,00000004,00000080,00000000,?,03D36028,?,?), ref: 03D3E563
GetFileSize.KERNEL32(00000000,00000000,?,03D36028,?,?), ref: 03D3E56E
CloseHandle.KERNEL32(00000000,?,03D36028,?,?), ref: 03D3E577
DeleteFileW.KERNEL32(03D60D80,?,03D36028,?,?), ref: 03D3E58A
ReleaseMutex.KERNEL32(00000000,?,03D36028,?,?), ref: 03D3E597
DirectInput8Create.DINPUT8(?,00000800,03D54934,03D61220,00000000,?,03D36028,?,?), ref: 03D3E5B2
GetTickCount.KERNEL32 ref: 03D3E665
GetKeyState.USER32(00000014), ref: 03D3E672

Strings

\DisplaySessionContainers.log, xrefs: 03D3E51F
<, xrefs: 03D3E637

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
String ID: <$\DisplaySessionContainers.log
API String ID: 1095970075-1170057892
Opcode ID: b29a1947c330dda0a2d8524dd7d2fd9aa27e617e2e8ad6c583beb1b9a3902221
Instruction ID: bec84a47dc063e4560c9ed0d7cd1c8ea7da4be62a7848b848c82502614944062
Opcode Fuzzy Hash: b29a1947c330dda0a2d8524dd7d2fd9aa27e617e2e8ad6c583beb1b9a3902221
Instruction Fuzzy Hash: 6D417D76740305AFD700EFA8EC46F9E7BA8AB4D704F504508F625DB385C6B1E9498FA4

Function 03D37620 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,03D3DFA4), ref: 03D37637
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,03D3DFA4), ref: 03D3763E
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 03D3765A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03D37677
CloseHandle.KERNEL32(?), ref: 03D37681
GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,03D3DFA4), ref: 03D37691
GetProcAddress.KERNEL32(00000000), ref: 03D37698
GetCurrentProcessId.KERNEL32 ref: 03D376BA
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 03D376C7

Strings

NtDll.dll, xrefs: 03D3768C
NtSetInformationProcess, xrefs: 03D37687
SeDebugPrivilege, xrefs: 03D3764C

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 1802016953-1577477132
Opcode ID: 750aa7175da141c7ee186ae508f873413199f16cee41b47d7617a394f6d0ee06
Instruction ID: 006ab90d7470b5c424f782f0ac03a8e8a19e7c5066d2a5b64ae33b1f6707b6e5
Opcode Fuzzy Hash: 750aa7175da141c7ee186ae508f873413199f16cee41b47d7617a394f6d0ee06
Instruction Fuzzy Hash: 06217573A41309AFDB10EBE4DC0AFBE7778EB09711F404509FA05AA2C4DBB05948CBA5

Function 03D4054D Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 92memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 03D40576
GetSystemInfo.KERNEL32(?), ref: 03D4058E
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 03D4059E
GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 03D405AE
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 03D40600
VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 03D40615

Strings

SetThreadStackGuarantee, xrefs: 03D405A8
kernel32.dll, xrefs: 03D40597

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
String ID: SetThreadStackGuarantee$kernel32.dll
API String ID: 3290314748-423161677
Opcode ID: 935a2564ccff722e00f9a681ba255913822a42df1569ab50f8f74a7a5074f217
Instruction ID: 9578879698a9f21f3d7fc2a5daea16e7b054cd4c4416440004ad7eac1078f2d2
Opcode Fuzzy Hash: 935a2564ccff722e00f9a681ba255913822a42df1569ab50f8f74a7a5074f217
Instruction Fuzzy Hash: BD316272E41219AFDB10EBA4DC84AEFF7B9EB44B45F180515FA12E7144DB70EA48CB90

Function 03D37B70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 03D37B89
OpenProcessToken.ADVAPI32(00000000), ref: 03D37B90
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03D37BB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03D37BCC
GetLastError.KERNEL32 ref: 03D37BD2
CloseHandle.KERNEL32(?), ref: 03D37BE0
CloseHandle.KERNEL32(?), ref: 03D37BFB

Strings

SeShutdownPrivilege, xrefs: 03D37BA2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: fc77425187db70a3545ae914dfef79be2af636e54bf2e4e1e10bf77bf019ba8d
Instruction ID: dc040bb548dd04eee5ca5497bd5f6599835e63a407875f79e0190f67b3517bed
Opcode Fuzzy Hash: fc77425187db70a3545ae914dfef79be2af636e54bf2e4e1e10bf77bf019ba8d
Instruction Fuzzy Hash: 2F11AB73A403099BDB10EFB4DC0AFAE7778EB04700F404559F905A7280CB719E04C7A1

Function 6C38616E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C37A893: GetLastError.KERNEL32(?,?,6C375151,?,6C351A6D,00000000), ref: 6C37A897
Part of subcall function 6C37A893: SetLastError.KERNEL32(00000000,6C351A6D,00000000), ref: 6C37A939

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 6C386276
IsValidCodePage.KERNEL32(00000000), ref: 6C3862B4
IsValidLocale.KERNEL32(?,00000001), ref: 6C3862C7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C38630F
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C38632A

Strings

PX9lE, xrefs: 6C386223

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: PX9lE
API String ID: 415426439-348934192
Opcode ID: 27d402981f67a106b5bee4c2778f6911176afcab59726ed946dd38a6d7952454
Instruction ID: 3174b210c5cdc4e3b6306bb2ad4eb8e36c240100302bf9c2e470769aa06106e0
Opcode Fuzzy Hash: 27d402981f67a106b5bee4c2778f6911176afcab59726ed946dd38a6d7952454
Instruction Fuzzy Hash: B8518271A12215ABEF10DFA4CC45AEE77B8FF15708F1044A9E960E7690EBB1DA04CF61

Function 6C356520 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 127encryptionCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(n5l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C356570
CryptStringToBinaryA.CRYPT32(n5l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C35660E
___std_exception_copy.LIBVCRUNTIME ref: 6C35666D

Strings

Failed to calculate base64 decoded size., xrefs: 6C356630
n5l, xrefs: 6C356529, 6C35656F, 6C35660D
P~5l, xrefs: 6C3566A7

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: BinaryCryptString$___std_exception_copy
String ID: Failed to calculate base64 decoded size.$P~5l$n5l
API String ID: 2515837927-4280734454
Opcode ID: 09a0577b97db1e53a1b081d8151f99bbc28c079c3670b87aae7d5ced35c016b4
Instruction ID: a7c0f3367dc6639a91f4c9fde709bea08ce9d5502c72363b3d0e79240fd63dc5
Opcode Fuzzy Hash: 09a0577b97db1e53a1b081d8151f99bbc28c079c3670b87aae7d5ced35c016b4
Instruction Fuzzy Hash: B7419CB1941308ABEB10CF94CC45FDEBBB8FB04714F544529E905ABB80E7B5A558CFA2

Function 03D3B3C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32(00000000,03D558BC), ref: 03D3B3E7
ClearEventLogW.ADVAPI32(00000000,00000000), ref: 03D3B3F2
CloseEventLog.ADVAPI32(00000000), ref: 03D3B3F9

Strings

System, xrefs: 03D3B3D6
Security, xrefs: 03D3B3CE
Application, xrefs: 03D3B3C6

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 9348c15f70a5b26451a8f40a424934beb66bc1ce977fc5ce078923e9070ce48f
Instruction ID: 16515f61772dd39a1ed08c0a7ec130db6799bfa45cebc9b8c00eb5675c22bca4
Opcode Fuzzy Hash: 9348c15f70a5b26451a8f40a424934beb66bc1ce977fc5ce078923e9070ce48f
Instruction Fuzzy Hash: 70E06533A0632457D212DB19A84571EFBE5FBCA716F14061AF94956304C67089158B96

Function 00E015D0 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E015DC
memset.VCRUNTIME140(?,00000000,00000003), ref: 00E01602
memset.VCRUNTIME140(?,00000000,00000050), ref: 00E0168C
IsDebuggerPresent.KERNEL32 ref: 00E016A8
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E016C8
UnhandledExceptionFilter.KERNEL32(?), ref: 00E016D2

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 33fc93f420c2e087b6f222892d8721508b836b4742036059ed63554425b43853
Instruction ID: 25456771d8653382a43b8032a6be18f0a4436639fa8d49aa221af1a94a8355a4
Opcode Fuzzy Hash: 33fc93f420c2e087b6f222892d8721508b836b4742036059ed63554425b43853
Instruction Fuzzy Hash: C5310775D053189BDB21DFA4D9897CCBBF8AF08304F1041EAE509AB290EB719A88CF04

Function 6C3868D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,6C3862A4,00000002,00000000,?,?,?,6C3862A4,?,00000000), ref: 6C38696C
GetLocaleInfoW.KERNEL32(00000000,20001004,6C3862A4,00000002,00000000,?,?,?,6C3862A4,?,00000000), ref: 6C386995
GetACP.KERNEL32(?,?,6C3862A4,?,00000000), ref: 6C3869AA

Strings

OCP, xrefs: 6C386927
ACP, xrefs: 6C3868F1

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 89d908c24b3a998ab5a5862ca9286fdb1c5093ec9ca6629d7fe7de415a1690b4
Instruction ID: 258c71ceded39f0097715f3a608f5b2d3e667c295c887e5b408e567eabb0def1
Opcode Fuzzy Hash: 89d908c24b3a998ab5a5862ca9286fdb1c5093ec9ca6629d7fe7de415a1690b4
Instruction Fuzzy Hash: 6321C132627101A6D7148F19C905A87B3BAAF41B68B668164E909DBA80F733DE00CF90

Function 03D37740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,03D378FC), ref: 03D37756
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,03D378FC,?,?,?,?,?,?,74DF0630), ref: 03D3775D
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 03D37785
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 03D377B9

Strings

SeDebugPrivilege, xrefs: 03D3777E

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: 82e6fca3852751dbb02d32942244a8aa6fdd9c05e086e23fdc8d0e4e48d14d2d
Instruction ID: ba8afab41b4ba2345f0d04367efe01be2f4aa53a7122562bea0f8ea93a968753
Opcode Fuzzy Hash: 82e6fca3852751dbb02d32942244a8aa6fdd9c05e086e23fdc8d0e4e48d14d2d
Instruction Fuzzy Hash: F9116572E4030DABDF00DFE8DC45BEEB7B8EB09701F104558E505AB280DB759919CB60

Function 10006815 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 1000793D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10007952
UnhandledExceptionFilter.KERNEL32(10015350), ref: 1000795D
GetCurrentProcess.KERNEL32(C0000409), ref: 10007979
TerminateProcess.KERNEL32(00000000), ref: 10007980

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
Instruction ID: 193b6f3057f50b32987db54b87c2b31a729b11eea6cfb014211f1eca9ce5fffe
Opcode Fuzzy Hash: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
Instruction Fuzzy Hash: 7221AFB4818264EFF702DF68CDC96597BE5FB0A355F509019E5088B261EB75D5C0CF81

Function 03D3F00A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 03D4131C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03D41331
UnhandledExceptionFilter.KERNEL32(03D525B8), ref: 03D4133C
GetCurrentProcess.KERNEL32(C0000409), ref: 03D41358
TerminateProcess.KERNEL32(00000000), ref: 03D4135F

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0d2b12e570bfd7170977914cfefbb332124d583d144aa64cb6665cd8874675a1
Instruction ID: c998999b300a1324bb41cca9e7c14ac7600a416c6bbed8a9eb4c08cfcb164691
Opcode Fuzzy Hash: 0d2b12e570bfd7170977914cfefbb332124d583d144aa64cb6665cd8874675a1
Instruction Fuzzy Hash: 3921AEBB844345DFC741FF29F584A693BA8BB58300F90446AF908CB388EB709694CF55

Function 6C3758B0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73040311bb29c5914551622f8c1703dce3cbee9cddaee4a5e747c8be854a9458
Instruction ID: 9d56ac6128909304561982d11af61d81d247a51f3c3e6ebf46e2032940225304
Opcode Fuzzy Hash: 73040311bb29c5914551622f8c1703dce3cbee9cddaee4a5e747c8be854a9458
Instruction Fuzzy Hash: 36025B71E012199BDB18CFA9C88079EBBB1FF48318F24826AD519EB740D735A901CFA4

Function 6C37F888 Relevance: 6.2, APIs: 4, Instructions: 205COMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C37F978

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 638e07c02f6ac0a6619e9b701217afc8fb18f96c525f4091de0f8b9bf6af9a59
Instruction ID: d8518a474c8d148b9d36d8ade70aa3c07b9966f6da64cf2e3a6d9d9056037288
Opcode Fuzzy Hash: 638e07c02f6ac0a6619e9b701217afc8fb18f96c525f4091de0f8b9bf6af9a59
Instruction Fuzzy Hash: 5771D87190515D6FDF309F28CC88AEAB7B8BF09308F1441D9D059A7650DB3A8E85DF29

Function 6C36C85A Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6C36C866
IsDebuggerPresent.KERNEL32 ref: 6C36C932
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C36C94B
UnhandledExceptionFilter.KERNEL32(?), ref: 6C36C955

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0486b1152aa87a9586bf60cac629fc4a1e6fa5cd37658de663fa7e81af8cc860
Instruction ID: 010ba4e5cd29ff84aa4c40f98c0a8e40eb574a16e534cca3c8d08596147e574a
Opcode Fuzzy Hash: 0486b1152aa87a9586bf60cac629fc4a1e6fa5cd37658de663fa7e81af8cc860
Instruction Fuzzy Hash: E3311675D053189BDF20EFA5D9497CDBBB8AF08304F1041AAE40DAB680EB719A848F85

Function 6C373AAF Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C373BA7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C373BB1
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 6C373BBE

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 42722dfc386bd0a68aca24d744b4629a008012bd74943eea6085519a19d8ebd5
Instruction ID: 88045e8e556a93a75034ee667a23096fe16878f62ad06db78dbc7ae10d21f944
Opcode Fuzzy Hash: 42722dfc386bd0a68aca24d744b4629a008012bd74943eea6085519a19d8ebd5
Instruction Fuzzy Hash: C531E77491122CABCF61DF25D8887DCBBB8BF08314F5041EAE41CA7650E7749B858F45

Function 03D3B463 Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 03D37B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03D37B89
Part of subcall function 03D37B70: OpenProcessToken.ADVAPI32(00000000), ref: 03D37B90
Part of subcall function 03D37B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03D37BB6
Part of subcall function 03D37B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03D37BCC
Part of subcall function 03D37B70: GetLastError.KERNEL32 ref: 03D37BD2
Part of subcall function 03D37B70: CloseHandle.KERNEL32(?), ref: 03D37BE0

ExitWindowsEx.USER32(00000005,00000000), ref: 03D3B471

Part of subcall function 03D37B70: CloseHandle.KERNEL32(?), ref: 03D37BFB

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 24730fabf86a511c8b67de44db1f2409e6d8d7626771bbeda4cc0a8dbba5d3e9
Instruction ID: ed0b46e091a4f4f2f12548e9e81e3c431b584774ff9d7bf4523fde036932c556
Opcode Fuzzy Hash: 24730fabf86a511c8b67de44db1f2409e6d8d7626771bbeda4cc0a8dbba5d3e9
Instruction Fuzzy Hash: CCC08C3734074802E214B2B47C22B6AB350DF96322F00042FA70E8C0C00C62C89401B6

Function 03D3B41B Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 03D37B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03D37B89
Part of subcall function 03D37B70: OpenProcessToken.ADVAPI32(00000000), ref: 03D37B90
Part of subcall function 03D37B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03D37BB6
Part of subcall function 03D37B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03D37BCC
Part of subcall function 03D37B70: GetLastError.KERNEL32 ref: 03D37BD2
Part of subcall function 03D37B70: CloseHandle.KERNEL32(?), ref: 03D37BE0

ExitWindowsEx.USER32(00000004,00000000), ref: 03D3B429

Part of subcall function 03D37B70: CloseHandle.KERNEL32(?), ref: 03D37BFB

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 227eb9b7f8d0fa2e086ffb6a8351dcb4d28e59d6be107a434028eba64a846097
Instruction ID: 94196280c8ef232e7bb3a86b722254d8ba0929db55a879a1194f08f6a45c6d4b
Opcode Fuzzy Hash: 227eb9b7f8d0fa2e086ffb6a8351dcb4d28e59d6be107a434028eba64a846097
Instruction Fuzzy Hash: 1AC08C7734030806E214B3B47C22B69B350DF96322F00042BA70E8C0C00C72C89401BA

Function 00E01764 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001770,00E010D3), ref: 00E01769

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 895288b33c075362780be8bddbf688db9290f24ba9df154979c6cf557369f9d6
Instruction ID: bc72e98c5ff01825f421afaefc268dca2081c3776d2c3145ddbb95495055f0a1
Opcode Fuzzy Hash: 895288b33c075362780be8bddbf688db9290f24ba9df154979c6cf557369f9d6
Instruction Fuzzy Hash:

Function 03D3B556 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 161registrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 03D3B586
RegDeleteValueW.ADVAPI32(?,IpDate), ref: 03D3B596
RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 03D3B5B3
_memset.LIBCMT ref: 03D3B5D4
RegCloseKey.ADVAPI32(?), ref: 03D3B61B
_memset.LIBCMT ref: 03D3B63C
RegCloseKey.ADVAPI32(?), ref: 03D3B72C
Sleep.KERNEL32(000007D0), ref: 03D3B737

Part of subcall function 03D3F707: std::exception::exception.LIBCMT ref: 03D3F756
Part of subcall function 03D3F707: std::exception::exception.LIBCMT ref: 03D3F770
Part of subcall function 03D3F707: __CxxThrowException@8.LIBCMT ref: 03D3F781

Strings

t2:, xrefs: 03D3B6E0
156.251.17.243, xrefs: 03D3B6ED
o3:, xrefs: 03D3B704
17095, xrefs: 03D3B6FF
p1:, xrefs: 03D3B683
Console, xrefs: 03D3B57C
o1:, xrefs: 03D3B695
o2:, xrefs: 03D3B6CE
p2:, xrefs: 03D3B6B9
17094, xrefs: 03D3B6C9
156.251.17.243, xrefs: 03D3B67E
p3:, xrefs: 03D3B6F2
IpDate, xrefs: 03D3B590, 03D3B5AD
t3:, xrefs: 03D3B719
156.251.17.243, xrefs: 03D3B6B4
17093, xrefs: 03D3B690
t1:, xrefs: 03D3B6A7

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
String ID: 156.251.17.243$156.251.17.243$156.251.17.243$17093$17094$17095$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1186799303-3799049431
Opcode ID: 9b3295fe8b3703d6f46d03c57a202697dcd777fb4c90abdd61621d9a2690641a
Instruction ID: f602b011a63a234464c2bde73fcc0de27504f7c5337b426462c916c5fa14b6c5
Opcode Fuzzy Hash: 9b3295fe8b3703d6f46d03c57a202697dcd777fb4c90abdd61621d9a2690641a
Instruction Fuzzy Hash: 8341A3767803007FEA11FB20AC46F9E7355DF46B11F144014FE156E283E6E5BA2D86BA

Function 10009AC6 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ACE
__mtterm.LIBCMT ref: 10009ADA

Part of subcall function 100097A5: DecodePointer.KERNEL32(00000009,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 100097B6
Part of subcall function 100097A5: TlsFree.KERNEL32(0000001F,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 100097D0
Part of subcall function 100097A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 1000C031
Part of subcall function 100097A5: _free.LIBCMT ref: 1000C034
Part of subcall function 100097A5: DeleteCriticalSection.KERNEL32(0000001F,?,?,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 1000C05B

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 10009AF0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10009AFD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10009B0A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10009B17
TlsAlloc.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B67
TlsSetValue.KERNEL32(00000000,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B82
__init_pointers.LIBCMT ref: 10009B8C
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B9D
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BAA
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BB7
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BC4
DecodePointer.KERNEL32(Function_00009929,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BE5
__calloc_crt.LIBCMT ref: 10009BFA
DecodePointer.KERNEL32(00000000,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009C14
GetCurrentThreadId.KERNEL32 ref: 10009C26

Strings

KERNEL32.DLL, xrefs: 10009AC9
FlsAlloc, xrefs: 10009AEA
FlsSetValue, xrefs: 10009AFF
FlsFree, xrefs: 10009B0C
FlsGetValue, xrefs: 10009AF2

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: f6145c8d2fc98865c4004398df4a04ed430af6cefd03571db8e2710a2f51a93a
Instruction ID: 476fdbd6443a42851c863cb18b7173c2f7dcf4e8a02e7ba59ea7a710cfe5bbe7
Opcode Fuzzy Hash: f6145c8d2fc98865c4004398df4a04ed430af6cefd03571db8e2710a2f51a93a
Instruction Fuzzy Hash: 94313B35840A35EAF721DF758D88B1A3EE6EB493A1B14C526E414D72B4FB36D481CF50

Function 03D44014 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D4401C
__mtterm.LIBCMT ref: 03D44028

Part of subcall function 03D43CF1: DecodePointer.KERNEL32(0000000A,03D41084,03D4106A,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D43D02
Part of subcall function 03D43CF1: TlsFree.KERNEL32(00000021,03D41084,03D4106A,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D43D1C
Part of subcall function 03D43CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03D41084,03D4106A,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D48D48
Part of subcall function 03D43CF1: _free.LIBCMT ref: 03D48D4B
Part of subcall function 03D43CF1: DeleteCriticalSection.KERNEL32(00000021,?,?,03D41084,03D4106A,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D48D72

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 03D4403E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 03D4404B
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03D44058
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03D44065
TlsAlloc.KERNEL32(?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D440B5
TlsSetValue.KERNEL32(00000000,?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D440D0
__init_pointers.LIBCMT ref: 03D440DA
EncodePointer.KERNEL32(?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D440EB
EncodePointer.KERNEL32(?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D440F8
EncodePointer.KERNEL32(?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D44105
EncodePointer.KERNEL32(?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D44112
DecodePointer.KERNEL32(Function_00013E75,?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D44133
__calloc_crt.LIBCMT ref: 03D44148
DecodePointer.KERNEL32(00000000,?,?,03D40FC1,03D56278,00000008,03D41155,?,?,?,03D56298,0000000C,03D41210,?), ref: 03D44162
GetCurrentThreadId.KERNEL32 ref: 03D44174

Strings

FlsFree, xrefs: 03D4405A
FlsGetValue, xrefs: 03D44040
KERNEL32.DLL, xrefs: 03D44017
FlsSetValue, xrefs: 03D4404D
FlsAlloc, xrefs: 03D44038

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 8bc5f8d5ab9fc11779bf435fc065eaa44085993fe6d7611505a66bcd6dbff6a3
Instruction ID: 5ee58b84da8b3dba030226a2eae22292d037f662ec386651730ef707ef495702
Opcode Fuzzy Hash: 8bc5f8d5ab9fc11779bf435fc065eaa44085993fe6d7611505a66bcd6dbff6a3
Instruction Fuzzy Hash: 1D3164B7909314AFDB51FF76AC18A197FB4EB447A0B44051AE830C3358EB708099DF61

Function 03D3C3A0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 170stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3C3C2
_wcsrchr.LIBCMT ref: 03D3C3CA
_memset.LIBCMT ref: 03D3C401
_wcsrchr.LIBCMT ref: 03D3C409
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03D3C416
_memset.LIBCMT ref: 03D3C484
wsprintfW.USER32 ref: 03D3C49C
_memset.LIBCMT ref: 03D3C4B0
_memset.LIBCMT ref: 03D3C4CB
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000002), ref: 03D3C501
lstrcatW.KERNEL32(?,03D5535C), ref: 03D3C549
lstrcatW.KERNEL32(?,?), ref: 03D3C553
_memset.LIBCMT ref: 03D3C56A

Strings

WinSta0\Default, xrefs: 03D3C582
"%1, xrefs: 03D3C50D
%s\shell\open\command, xrefs: 03D3C496
D, xrefs: 03D3C576

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 3970221696-33419044
Opcode ID: e694b7176fb8a28a245bf1d42cd1339caabe0a483718fef4c970ff6c88d46b01
Instruction ID: 1b25b0a45bef261a021fb5083c82acc3057246fcdb2dce29f42dad51be48e8e0
Opcode Fuzzy Hash: e694b7176fb8a28a245bf1d42cd1339caabe0a483718fef4c970ff6c88d46b01
Instruction Fuzzy Hash: E651B8B695031966DB20E770CD45FEF7378DF55700F004595A60ABA180EAB1EA88CBB6

Function 03D37C80 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 141libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wininet.dll), ref: 03D37CC3
GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03D37CD7
FreeLibrary.KERNEL32(00000000), ref: 03D37CF7
GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 03D37D16
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 03D37D53
_memset.LIBCMT ref: 03D37D7E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 03D37D8C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03D37DDB
CloseHandle.KERNEL32(?), ref: 03D37DF9
Sleep.KERNEL32(00000001), ref: 03D37E01
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 03D37E0D
FreeLibrary.KERNEL32(00000000), ref: 03D37E28

Strings

InternetOpenW, xrefs: 03D37CD1
wininet.dll, xrefs: 03D37CA6
MSIE 6.0, xrefs: 03D37CE1
InternetOpenUrlW, xrefs: 03D37D10
InternetReadFile, xrefs: 03D37D86
InternetCloseHandle, xrefs: 03D37E07

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1463273941-1099148085
Opcode ID: 276a1d01963d9be2cc1b90043bf89d06805feea37873b8fb7e40e7ad60c7d3c5
Instruction ID: b75d227e3d2660bdd39530de087a195af01cc59814ab1b8f79a3f64bf9b339e3
Opcode Fuzzy Hash: 276a1d01963d9be2cc1b90043bf89d06805feea37873b8fb7e40e7ad60c7d3c5
Instruction Fuzzy Hash: C1418376A4021CABDB60EB649C41FEEB3F8BF45700F14C5A5F649A6280DE709E498F94

Function 03D34530 Relevance: 27.2, APIs: 18, Instructions: 247threadnetworksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 03D3455A
timeGetTime.WINMM ref: 03D3457B
GetCurrentThreadId.KERNEL32 ref: 03D3459B
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03D345BD
SwitchToThread.KERNEL32 ref: 03D345D7
SetEvent.KERNEL32(?), ref: 03D34620
CloseHandle.KERNEL32(?), ref: 03D34644
send.WS2_32(?,03D549C0,00000010,00000000), ref: 03D34668
SetEvent.KERNEL32(?), ref: 03D34686
InterlockedExchange.KERNEL32(?,00000000), ref: 03D34691
WSACloseEvent.WS2_32(?), ref: 03D3469F
shutdown.WS2_32(?,00000001), ref: 03D346B3
closesocket.WS2_32(?), ref: 03D346BD
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 03D346F6
SetLastError.KERNEL32(000005B4), ref: 03D3470A
GetCurrentThreadId.KERNEL32 ref: 03D3472B
InterlockedExchange.KERNEL32(?,00000001), ref: 03D34743

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
String ID:
API String ID: 1692523546-0
Opcode ID: 4befca92619bc11816da0241d3608cba1de7ac60c9c58076bc2d7fb07b78e526
Instruction ID: fc0f2b14fdaeae28973c7aa56c1c140786753cc471b09f7d244b5a033255145d
Opcode Fuzzy Hash: 4befca92619bc11816da0241d3608cba1de7ac60c9c58076bc2d7fb07b78e526
Instruction Fuzzy Hash: C991BF75600702ABC724EF26D888BAAF7B9FF46B01F088519E5168B644C738FD95CBD0

Function 03D3A6F0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3A748
_memset.LIBCMT ref: 03D3A788
_memset.LIBCMT ref: 03D3A80E
swprintf.LIBCMT ref: 03D3A82D

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

_memset.LIBCMT ref: 03D3A905
swprintf.LIBCMT ref: 03D3A924
_memset.LIBCMT ref: 03D3A986
swprintf.LIBCMT ref: 03D3A9A5

Strings

onlyloadinmyself, xrefs: 03D3A71C
%s %s, xrefs: 03D3A81C, 03D3A890, 03D3A913, 03D3A994
plugmark, xrefs: 03D3A75B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: _memset$swprintf$_malloc
String ID: %s %s$onlyloadinmyself$plugmark
API String ID: 1873853019-591889663
Opcode ID: 181efb87db7967286ea24112073f3085242fa736ec620a73b6e7bd651342f7af
Instruction ID: 5e7e8001868050a2daa29c749c7c52db78899e3a0e4d12dd479bc2fdc350b01e
Opcode Fuzzy Hash: 181efb87db7967286ea24112073f3085242fa736ec620a73b6e7bd651342f7af
Instruction Fuzzy Hash: 3681D2B9A40304ABEB10EF64DC86F6B7764EF46710F084064FD596F382E671ED1586B2

Function 03D35CC0 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 164windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 03D35CD3

Strings

Wireshark, xrefs: 03D35DB7
Sniff, xrefs: 03D35E49
Port, xrefs: 03D35D8B
Malwarebytes, xrefs: 03D35D33
Fiddler, xrefs: 03D35E0F
TaskExplorer, xrefs: 03D35D5F
Process, xrefs: 03D35E6D
Capsa, xrefs: 03D35E37, 03D35E5B
Metascan, xrefs: 03D35DA1
ApateDNS, xrefs: 03D35D1D
TCPEye, xrefs: 03D35D49
CurrPorts, xrefs: 03D35D75

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: 309d03d51cf1eb377de974c74b5c931ea03d6f5b661054a6fbec7573b83cb025
Instruction ID: d4f594fd8f7938689fc6630cf21db31e10bf3a370df07eff06ed5fe271116a04
Opcode Fuzzy Hash: 309d03d51cf1eb377de974c74b5c931ea03d6f5b661054a6fbec7573b83cb025
Instruction Fuzzy Hash: 984182B6E427116BDEA2F531BD02F9F614E4D23987F080065FD1DB8105F64AA72981FE

Function 10004530 Relevance: 24.2, APIs: 16, Instructions: 180threadnetworksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 1000455A
timeGetTime.WINMM ref: 1000457B
GetCurrentThreadId.KERNEL32 ref: 1000459B
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 100045BD
SwitchToThread.KERNEL32 ref: 100045D7
SetEvent.KERNEL32(?), ref: 10004620
CloseHandle.KERNEL32(?), ref: 10004644
send.WS2_32(?,10017440,00000010,00000000), ref: 10004668
SetEvent.KERNEL32(?), ref: 10004686
InterlockedExchange.KERNEL32(?,00000000), ref: 10004691
WSACloseEvent.WS2_32(?), ref: 1000469F
shutdown.WS2_32(?,00000001), ref: 100046B3
closesocket.WS2_32(?), ref: 100046BD
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 100046F6
SetLastError.KERNEL32(000005B4), ref: 1000470A
GetCurrentThreadId.KERNEL32 ref: 1001FA44

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
String ID:
API String ID: 3448239111-0
Opcode ID: 8d79b15aa9448fa8a40132b16a0a16f3e48fc421b71208ac07a5b091827d0d03
Instruction ID: f154daa7adb366bc59dc3c87c5a832f84626f43c2ad915a7de221fbbd04ec74e
Opcode Fuzzy Hash: 8d79b15aa9448fa8a40132b16a0a16f3e48fc421b71208ac07a5b091827d0d03
Instruction Fuzzy Hash: CC51F4B4600A22EFE311DF60CCC8B99B7A5FF09782F114115E5058B694DB72F8A0CBD5

Function 03D3DA30 Relevance: 21.3, APIs: 14, Instructions: 254COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,03D3A8C1,?,?), ref: 03D3DA43
SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,03D3A8C1,?,?), ref: 03D3DA62

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9d122c60a30e87a336af0d2d90526b228c5249101df5c432eac739841eddaf25
Instruction ID: eb0b606cf797b8b9baf22fb89ea02bda3b7282649b40bdf1a87b60422c83bc73
Opcode Fuzzy Hash: 9d122c60a30e87a336af0d2d90526b228c5249101df5c432eac739841eddaf25
Instruction Fuzzy Hash: 8281FE767003049FD720DFA9EC84B6AB7EAFB49715F084569E909CB740E7B1E914CBA0

Function 03D3C5E0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3C63D
_memset.LIBCMT ref: 03D3C64C
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 03D3C66F

Part of subcall function 03D3C81E: RegCloseKey.ADVAPI32(80000000,03D3C7FA), ref: 03D3C82B
Part of subcall function 03D3C81E: RegCloseKey.ADVAPI32(00000000), ref: 03D3C834

Strings

%08X, xrefs: 03D3C7D5

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Close_memset$Open
String ID: %08X
API String ID: 4292648718-3773563069
Opcode ID: c48286af2e85d38dc3a6cc07caf6d997d77da5afd035e066e7fea01d35298013
Instruction ID: 619688a6cfb32d586cfd42ba6e7e07be0e58e2be31e088b0f43828a3a833d606
Opcode Fuzzy Hash: c48286af2e85d38dc3a6cc07caf6d997d77da5afd035e066e7fea01d35298013
Instruction Fuzzy Hash: 44513FF2910318ABDB24EF60DC85FEAB778EB45704F444599F609AB180D774AF48CBA4

Function 100036F0 Relevance: 21.1, APIs: 14, Instructions: 141networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 10003710
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 10003749
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 10003766
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 10003779
WSACreateEvent.WS2_32 ref: 1000377B
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 1000378D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 10003799
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 100037B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 100037C4
gethostbyname.WS2_32(00000000), ref: 100037D2
htons.WS2_32(?), ref: 100037F8
WSAEventSelect.WS2_32(?,?,00000030), ref: 10003816
connect.WS2_32(?,?,00000010), ref: 1000382B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 1000383A

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 717cd69355dde577bb5fef79b8aa358efc8542f3cb33ac356917f685119aa9e6
Instruction ID: 3f7f27d39b3a29da93cc6ce51bc3e722b1ee51b6efc1866e7789f3871d2ad327
Opcode Fuzzy Hash: 717cd69355dde577bb5fef79b8aa358efc8542f3cb33ac356917f685119aa9e6
Instruction Fuzzy Hash: E74160B1A40205ABE711DBA4CC89F6FB7B8EB48711F108619FA159B2D0DA71A904CB60

Function 03D336F0 Relevance: 21.1, APIs: 14, Instructions: 141networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 03D33710
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03D33749
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 03D33766
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 03D33779
WSACreateEvent.WS2_32 ref: 03D3377B
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,03D61F0C), ref: 03D3378D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,03D61F0C), ref: 03D33799
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,03D61F0C), ref: 03D337B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03D61F0C), ref: 03D337C4
gethostbyname.WS2_32(00000000), ref: 03D337D2
htons.WS2_32(?), ref: 03D337F8
WSAEventSelect.WS2_32(?,?,00000030), ref: 03D33816
connect.WS2_32(?,?,00000010), ref: 03D3382B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,03D61F0C), ref: 03D3383A

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: a1233d3bfc141721389dad471d8857286f4b29712e646272e0e4faf1dca1d867
Instruction ID: cb3fa5cd891c3fdf08a31d8dd73e5cbbbf8d6977cf6204c4efad2661a440760c
Opcode Fuzzy Hash: a1233d3bfc141721389dad471d8857286f4b29712e646272e0e4faf1dca1d867
Instruction Fuzzy Hash: 48416FB6A00305ABE724EBA4DC89F7FB7B8FB49B10F104519F615AA2C0C674A904CB60

Function 03D3AA10 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 190sleeptimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,E832A845), ref: 03D3AA58
wsprintfW.USER32 ref: 03D3AA8F
_memset.LIBCMT ref: 03D3AAA7
_memset.LIBCMT ref: 03D3AABA

Part of subcall function 03D38020: lstrlenW.KERNEL32(?), ref: 03D38038
Part of subcall function 03D38020: _memset.LIBCMT ref: 03D38042
Part of subcall function 03D38020: lstrlenW.KERNEL32(?), ref: 03D3804B
Part of subcall function 03D38020: lstrlenW.KERNEL32(?), ref: 03D38056

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03D3ABBE
Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 03D3AC6E
CloseHandle.KERNEL32(?), ref: 03D3ACAA

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

Part of subcall function 03D39730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,E832A845,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E,00000000), ref: 03D39773
Part of subcall function 03D39730: InitializeCriticalSectionAndSpinCount.KERNEL32(03D3E1AE,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D39812
Part of subcall function 03D39730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D39850

Strings

p1:, xrefs: 03D3AACE
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 03D3AA89
t1:, xrefs: 03D3AAF3
o1:, xrefs: 03D3AAE2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 1254190970-1225219777
Opcode ID: abab60a9dfed5bc82febafef1bb38c92d2932c2fcb809d02b027056383479418
Instruction ID: a66d6a4d960006df18fe67cad16a2df5bd7aa3cdad19b72edfeb7794471764e5
Opcode Fuzzy Hash: abab60a9dfed5bc82febafef1bb38c92d2932c2fcb809d02b027056383479418
Instruction Fuzzy Hash: 84618FB5608340AFD760DF64D881AABB7E9FB8A614F004A1DF5D997280E7349944CBA3

Function 03D3C860 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 66registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 03D3C889
RegDeleteValueW.ADVAPI32(?), ref: 03D3C894
RegCloseKey.ADVAPI32(?), ref: 03D3C8A4
RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 03D3C8C3
lstrlenW.KERNEL32(?), ref: 03D3C8D1
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 03D3C8E4
RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 03D3C8F2
RegCloseKey.ADVAPI32(?), ref: 03D3C900

Strings

AppEvents, xrefs: 03D3C86F, 03D3C883, 03D3C8AD, 03D3C8BD
Network, xrefs: 03D3C876, 03D3C8B4

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Close$Value$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3935456190-3733486940
Opcode ID: 010b5213e91110bee61fe9d264ce7457ba6a1ba60e23c7e35e0391cce6008cb9
Instruction ID: bea4449381b4cf862155f07c4f431599de4226a84bae9660c6ebb534a93bfd94
Opcode Fuzzy Hash: 010b5213e91110bee61fe9d264ce7457ba6a1ba60e23c7e35e0391cce6008cb9
Instruction Fuzzy Hash: E5118277A01204FBE720DAA8EC89FABB76CEB05711F100548FA01A7340DA71AE14D7A4

Function 10005A20 Relevance: 16.7, APIs: 11, Instructions: 227timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,D9F8D1C9), ref: 10005A65
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005B04
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B42
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B67
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005C5F
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005C80
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B8C

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

InterlockedExchange.KERNEL32(?,00000000), ref: 10005CF1
timeGetTime.WINMM ref: 10005CF7
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 10005D0B
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005D14

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
String ID:
API String ID: 1400036169-0
Opcode ID: c8c359a865a91754db648c7caefba5610723c896864770a6932f917ef1d9d91d
Instruction ID: f393ff6f41c53dec0a4a663a217bd1082015950f507b03806f4406e75142b299
Opcode Fuzzy Hash: c8c359a865a91754db648c7caefba5610723c896864770a6932f917ef1d9d91d
Instruction Fuzzy Hash: 7AA1D7B0A01A56AFE354CF6AC8C479AFBE8FB08344F50862EE11DD7640D775A964CF90

Function 10004C90 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,D9F8D1C9,745947A0,?,?,00000001), ref: 10004CC6
EnterCriticalSection.KERNEL32(?,D9F8D1C9,745947A0,?,?,00000001), ref: 10004CED
SetLastError.KERNEL32(0000139F), ref: 10004D01
LeaveCriticalSection.KERNEL32(?), ref: 10004D08

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: f9e9e3c5f85a9396c58d0e811c6a772e6e8b8bf194744a3e55c98ac89ef18c7f
Instruction ID: f936773d66b76d96f3ecbf8df82172045f4aecfa059d2fdb31757c61ce649d4c
Opcode Fuzzy Hash: f9e9e3c5f85a9396c58d0e811c6a772e6e8b8bf194744a3e55c98ac89ef18c7f
Instruction Fuzzy Hash: 5351BCB6A04601DFE311DFA8D985B6AB7F4FF48751F01462EE90A8B740DB36E8008B91

Function 03D34CB0 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,E832A845,?,?,?,?,00000000,000000FF,00000000), ref: 03D34CE6
EnterCriticalSection.KERNEL32(?,E832A845,?,?,?,?,00000000,000000FF,00000000), ref: 03D34D0D
SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 03D34D21
LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 03D34D28

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 63369916a4da51506ed68703d36deae567350f1b5812fe748959432fda28448a
Instruction ID: d4d53de5bd41ca0cf63a7862d3081007c3c5bc5bda3c47d057666439f329db3d
Opcode Fuzzy Hash: 63369916a4da51506ed68703d36deae567350f1b5812fe748959432fda28448a
Instruction Fuzzy Hash: DB51AE7AA047049FD724EFA9E484B6AF7F4FF48710F04496EE91AC7740D735A9048B51

Function 03D3E730 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74stringtimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3E751
GetForegroundWindow.USER32(?,74DF23A0,00000000), ref: 03D3E759
GetWindowTextW.USER32(00000000,03D616F0,00000800), ref: 03D3E76F
_memset.LIBCMT ref: 03D3E78D
lstrlenW.KERNEL32(03D616F0,?,?,?,?,74DF23A0,00000000), ref: 03D3E7AC
GetLocalTime.KERNEL32(?,?,?,?,?,74DF23A0,00000000), ref: 03D3E7BD
wsprintfW.USER32 ref: 03D3E804

Part of subcall function 03D3E6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,03D3E815,?,?,?,?,74DF23A0,00000000), ref: 03D3E6BD
Part of subcall function 03D3E6B0: CreateFileW.KERNEL32(03D60D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,03D3E815,?,?,?,?,74DF23A0,00000000), ref: 03D3E6D7
Part of subcall function 03D3E6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03D3E6F2
Part of subcall function 03D3E6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 03D3E6FF
Part of subcall function 03D3E6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 03D3E70A
Part of subcall function 03D3E6B0: CloseHandle.KERNEL32(00000000), ref: 03D3E711
Part of subcall function 03D3E6B0: ReleaseMutex.KERNEL32(00000000), ref: 03D3E71E

_memset.LIBCMT ref: 03D3E820

Strings

[, xrefs: 03D3E7FE

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 2192163267-4056885943
Opcode ID: 543bb8ab196e4fa8946cf49ba3e0db7fff7e2b115650ca93579a4054d1cfb80d
Instruction ID: 60b450c09f447f6c02de55655668d5ed439a490c01e67244fd9c81ad2c320921
Opcode Fuzzy Hash: 543bb8ab196e4fa8946cf49ba3e0db7fff7e2b115650ca93579a4054d1cfb80d
Instruction Fuzzy Hash: 6421B77A900218ABD760EFA4DC05BBA77BDFF04701F048195F55596284DE706989CBF4

Function 03D33DE0 Relevance: 15.1, APIs: 10, Instructions: 117memorynetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,03D3398D,?,00000000,000000FF,00000000), ref: 03D33E05
LeaveCriticalSection.KERNEL32(?,?,?,03D3398D,?,00000000,000000FF,00000000), ref: 03D33E50
send.WS2_32(?,000000FF,00000000,00000000), ref: 03D33E6E
EnterCriticalSection.KERNEL32(?), ref: 03D33E81
LeaveCriticalSection.KERNEL32(?), ref: 03D33E94
HeapFree.KERNEL32(00000000,00000000,?,?,?,03D3398D,?,00000000,000000FF,00000000), ref: 03D33EBC
WSAGetLastError.WS2_32(?,?,03D3398D,?,00000000,000000FF,00000000), ref: 03D33EC7
EnterCriticalSection.KERNEL32(?,?,?,03D3398D,?,00000000,000000FF,00000000), ref: 03D33EDB
LeaveCriticalSection.KERNEL32(?), ref: 03D33F14
HeapFree.KERNEL32(00000000,00000000,?), ref: 03D33F51

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: 3b98a162d89a32374f207e6e234c41d389a7abc38a77dd46e5102a17f135bb1b
Instruction ID: a38eb4f6b9e5f7d99594a0f6edd530d8ca898b20638fb3be1948285691746c4e
Opcode Fuzzy Hash: 3b98a162d89a32374f207e6e234c41d389a7abc38a77dd46e5102a17f135bb1b
Instruction Fuzzy Hash: 2F41487A5057059FC724DF78DA88AA7B7F8FB0A300F44896DE86ECB240E731E9048B50

Function 10004F10 Relevance: 15.1, APIs: 10, Instructions: 114timenetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D), ref: 10004F43
EnterCriticalSection.KERNEL32(?), ref: 10004F58
WSASetLastError.WS2_32(00002746), ref: 10004F6A
LeaveCriticalSection.KERNEL32(?), ref: 10004F71
timeGetTime.WINMM ref: 10004F9F
timeGetTime.WINMM ref: 10004FC7
SetEvent.KERNEL32(?), ref: 10005005
InterlockedExchange.KERNEL32(?,00000001), ref: 10005011
LeaveCriticalSection.KERNEL32(?), ref: 10005018
LeaveCriticalSection.KERNEL32(?), ref: 1000502B

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1979691958-0
Opcode ID: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
Instruction ID: 4b24d02a6ebada58952bd9850e7d83bafc68aeb9978cf5702291cfe2885936af
Opcode Fuzzy Hash: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
Instruction Fuzzy Hash: 91410971600242DFF320DF68C988B5AB7F5FF48395F068569E54ACB255EB76EC408B81

Function 03D34F30 Relevance: 15.1, APIs: 10, Instructions: 114timenetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 03D34F63
EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 03D34F78
WSASetLastError.WS2_32(00002746), ref: 03D34F8A
LeaveCriticalSection.KERNEL32(000002FF), ref: 03D34F91
timeGetTime.WINMM ref: 03D34FBF
timeGetTime.WINMM ref: 03D34FE7
SetEvent.KERNEL32(?), ref: 03D35025
InterlockedExchange.KERNEL32(?,00000001), ref: 03D35031
LeaveCriticalSection.KERNEL32(000002FF), ref: 03D35038
LeaveCriticalSection.KERNEL32(000002FF), ref: 03D3504B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1979691958-0
Opcode ID: 16dc4789a9dbb0dc003811090f8c102e599b4154e8d3c68d934fd941e0fc72da
Instruction ID: b5ff198ba2517d77909bcd2fb67b9feacca89f3e9affb58fcab41d437489449e
Opcode Fuzzy Hash: 16dc4789a9dbb0dc003811090f8c102e599b4154e8d3c68d934fd941e0fc72da
Instruction Fuzzy Hash: 794108326003049FD720EF69D548A6AB7F9FF4A714F0C4999E84AC7751E339EC548B40

Function 03D3C270 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03D3C2AE
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 03D3C2CC
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 03D3C309
CloseHandle.KERNEL32(00000000), ref: 03D3C314
lstrlenW.KERNEL32(?), ref: 03D3C321
wsprintfW.USER32 ref: 03D3C345

Strings

%s %s, xrefs: 03D3C33F

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
String ID: %s %s
API String ID: 1326869720-2939940506
Opcode ID: 97574590727fc250714306d07a59a10673f26f580e0b4df487c5ef6d9a544722
Instruction ID: b9be9f65795f449cf04e6e1ef210b73aa819d4b17a6c70bc6a4923cba9efa363
Opcode Fuzzy Hash: 97574590727fc250714306d07a59a10673f26f580e0b4df487c5ef6d9a544722
Instruction Fuzzy Hash: B7319236A503186BDB24EB64DC84FEB736CEB46711F400699B606B7180DA30AF48CFA1

Function 03D3C980 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03D3C98D
_wcsrchr.LIBCMT ref: 03D3C9C7

Part of subcall function 03D37C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 03D37CC3
Part of subcall function 03D37C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03D37CD7
Part of subcall function 03D37C80: FreeLibrary.KERNEL32(00000000), ref: 03D37CF7

GetFileAttributesW.KERNEL32(-00000002), ref: 03D3C9E6
GetLastError.KERNEL32 ref: 03D3C9F1
_memset.LIBCMT ref: 03D3CA04
CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 03D3CA31

Strings

WinSta0\Default, xrefs: 03D3CA2A
D, xrefs: 03D3CA23

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
String ID: D$WinSta0\Default
API String ID: 174883095-1101385590
Opcode ID: fb0bc4571a31cd2cc1a555297a8608f9e3cd1e6ae91985de53915a2ddda83abb
Instruction ID: 335b67595c9d6e2e9a9b82a7a729b93d3a957c77b3c43a7a329abd0ae91f95ac
Opcode Fuzzy Hash: fb0bc4571a31cd2cc1a555297a8608f9e3cd1e6ae91985de53915a2ddda83abb
Instruction Fuzzy Hash: F811BBB790020867D724E6B89C45FAFB76DEB46710F040535FA06EB384E675DD05C6B2

Function 03D38159 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,A:\), ref: 03D38166
lstrcmpiW.KERNEL32(?,B:\), ref: 03D38176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 03D381A6
lstrlenW.KERNEL32(?), ref: 03D381B7
__wcsnicmp.LIBCMT ref: 03D381CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 03D38204
lstrcpyW.KERNEL32(?,?), ref: 03D38228
lstrcatW.KERNEL32(?,00000000), ref: 03D38233

Strings

B:\, xrefs: 03D38170
A:\, xrefs: 03D38160

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 4249875308-1009255891
Opcode ID: 3cdf1d3eaad03d77a7e34092933a004484cff3b3d68a5c8bca3c6160550214bb
Instruction ID: c2235a78f3234207bb5460ac79399c6a75ffe421d3a5a44cea48ba69f508dd8b
Opcode Fuzzy Hash: 3cdf1d3eaad03d77a7e34092933a004484cff3b3d68a5c8bca3c6160550214bb
Instruction Fuzzy Hash: DB114F76A012199BDB24EF60DD44BEEB379EF45710F044498EE1AB7240E770AA0DCBA5

Function 03D39730 Relevance: 13.7, APIs: 9, Instructions: 195timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,E832A845,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E,00000000), ref: 03D39773
InitializeCriticalSectionAndSpinCount.KERNEL32(03D3E1AE,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D39812
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D39850
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D39875
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D3989A

Part of subcall function 03D31280: __CxxThrowException@8.LIBCMT ref: 03D31290
Part of subcall function 03D31280: DeleteCriticalSection.KERNEL32(00000000,03D3D3E6,03D56624,?,?,03D3D3E6,?,?,?,?,03D55A40,00000000), ref: 03D312A1

Part of subcall function 03D3CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(03D3E076,00000000,E832A845,03D3E04E,74DF2F60,00000000,?,03D3E226,03D5110B,000000FF,?,03D3994A,03D3E226), ref: 03D3CE67
Part of subcall function 03D3CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(03D3E08E,00000000,?,03D3E226,03D5110B,000000FF,?,03D3994A,03D3E226,?,?,?,00000000,03D5125B,000000FF), ref: 03D3CE83

InterlockedExchange.KERNEL32(03D3E066,00000000), ref: 03D399A0
timeGetTime.WINMM(?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D399A6
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D399B4
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,03D5125B,000000FF,?,03D3E04E), ref: 03D399BD

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
String ID:
API String ID: 1400036169-0
Opcode ID: 2dcb134a823b29d6b0d7d6b661764e462efb0ac23ef3034eb6405f2f44ac5f36
Instruction ID: 00d33b58cb9d31b5fb5a1b5fa294c9e27780ee5287e96bd02977f97d9280fd34
Opcode Fuzzy Hash: 2dcb134a823b29d6b0d7d6b661764e462efb0ac23ef3034eb6405f2f44ac5f36
Instruction Fuzzy Hash: 7D81D5B1A05B46BFE344DF7A888479AFBA8FB09304F50462EE12C97640D774A964CF90

Function 10003500 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 10003660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 10003667
Part of subcall function 10003660: _free.LIBCMT ref: 1000369C
Part of subcall function 10003660: _malloc.LIBCMT ref: 100036D7
Part of subcall function 10003660: _memset.LIBCMT ref: 100036E5

InterlockedIncrement.KERNEL32(1001D990), ref: 10003565
InterlockedIncrement.KERNEL32(1001D990), ref: 10003573
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 1000359A
setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 100035B3
ResetEvent.KERNEL32(?,?,?,1001D990), ref: 100035EE
SetLastError.KERNEL32(00000000), ref: 10003621
GetLastError.KERNEL32 ref: 10003639

Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025

SetLastError.KERNEL32(00000000), ref: 10003649

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
String ID:
API String ID: 127459856-0
Opcode ID: 27567248ad9cb40579700c88c4b0573dbe1feeef2cc9a6d62e2a760125df68bb
Instruction ID: 683d4fe1a0db9e8cd201fdded36c2c75d02b426da01d37e97b5f8f569f7a2aba
Opcode Fuzzy Hash: 27567248ad9cb40579700c88c4b0573dbe1feeef2cc9a6d62e2a760125df68bb
Instruction Fuzzy Hash: 8041AFB5600704AFE360EF69CC81B9BB7E8FB48341F50882EE646D7690D7B1F8448B90

Function 03D33500 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 03D33660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03D33667
Part of subcall function 03D33660: _free.LIBCMT ref: 03D3369C
Part of subcall function 03D33660: _malloc.LIBCMT ref: 03D336D7
Part of subcall function 03D33660: _memset.LIBCMT ref: 03D336E5

InterlockedIncrement.KERNEL32(03D61F0C), ref: 03D33565
InterlockedIncrement.KERNEL32(03D61F0C), ref: 03D33573
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 03D3359A
setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 03D335B3
ResetEvent.KERNEL32(?,?,?,03D61F0C), ref: 03D335EE
SetLastError.KERNEL32(00000000), ref: 03D33621
GetLastError.KERNEL32 ref: 03D33639

Part of subcall function 03D33F60: GetCurrentThreadId.KERNEL32 ref: 03D33F65
Part of subcall function 03D33F60: send.WS2_32(?,03D549C0,00000010,00000000), ref: 03D33FC6
Part of subcall function 03D33F60: SetEvent.KERNEL32(?), ref: 03D33FE9
Part of subcall function 03D33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03D33FF5
Part of subcall function 03D33F60: WSACloseEvent.WS2_32(?), ref: 03D34003
Part of subcall function 03D33F60: shutdown.WS2_32(?,00000001), ref: 03D3401B
Part of subcall function 03D33F60: closesocket.WS2_32(?), ref: 03D34025

SetLastError.KERNEL32(00000000), ref: 03D33649

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
String ID:
API String ID: 127459856-0
Opcode ID: b7d4e5f6a274889837658a29eb6df37290e61cc3156f7bccb14a7c3e7c5608b0
Instruction ID: 6dcfda2ddf60dfa85615f5ad2e9c61d7a64e115ec357fe5b2105c12076fe1e1f
Opcode Fuzzy Hash: b7d4e5f6a274889837658a29eb6df37290e61cc3156f7bccb14a7c3e7c5608b0
Instruction Fuzzy Hash: 72419FBA640704AFD360EF69DD81B6AB7E8FF49711F10092EE646D7740D7B4E9088B60

Function 10004430 Relevance: 13.6, APIs: 9, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 10004443
ResetEvent.KERNEL32(?), ref: 1000444C
timeGetTime.WINMM ref: 1000444E
InterlockedExchange.KERNEL32(?,00000000), ref: 1000445D
WaitForSingleObject.KERNEL32(?,00001770), ref: 100044AB
ResetEvent.KERNEL32(?), ref: 100044C8

Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025

ResetEvent.KERNEL32(?), ref: 100044DC

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 542259498-0
Opcode ID: f834a32b78aad868db6c3b299e2b280971fbcefdd6bd4d0406109023f8606c47
Instruction ID: e23a36aee9568f488b14e02ccbdce45cc04d01c91958f2c1d86c028973892dd3
Opcode Fuzzy Hash: f834a32b78aad868db6c3b299e2b280971fbcefdd6bd4d0406109023f8606c47
Instruction Fuzzy Hash: 592173B6640704ABD220EF79DC85B97B3E8FF89751F104A1EF58AC7654DA71F8008BA4

Function 03D34430 Relevance: 13.6, APIs: 9, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 03D34443
ResetEvent.KERNEL32(?), ref: 03D3444C
timeGetTime.WINMM ref: 03D3444E
InterlockedExchange.KERNEL32(?,00000000), ref: 03D3445D
WaitForSingleObject.KERNEL32(?,00001770), ref: 03D344AB
ResetEvent.KERNEL32(?), ref: 03D344C8

Part of subcall function 03D33F60: GetCurrentThreadId.KERNEL32 ref: 03D33F65
Part of subcall function 03D33F60: send.WS2_32(?,03D549C0,00000010,00000000), ref: 03D33FC6
Part of subcall function 03D33F60: SetEvent.KERNEL32(?), ref: 03D33FE9
Part of subcall function 03D33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03D33FF5
Part of subcall function 03D33F60: WSACloseEvent.WS2_32(?), ref: 03D34003
Part of subcall function 03D33F60: shutdown.WS2_32(?,00000001), ref: 03D3401B
Part of subcall function 03D33F60: closesocket.WS2_32(?), ref: 03D34025

ResetEvent.KERNEL32(?), ref: 03D344DC

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 542259498-0
Opcode ID: 8f576650fd926aa3a51ffa1ffd47ddd5c969dc6faf22eb28986215ae38d8c855
Instruction ID: af45a0ead89f587818c5e582e890b952af64c25e25c47597370c09ba88e4ddf4
Opcode Fuzzy Hash: 8f576650fd926aa3a51ffa1ffd47ddd5c969dc6faf22eb28986215ae38d8c855
Instruction Fuzzy Hash: 49216F766007046BC230EF79EC84F97B3F8EF89B10F100A1EE58AC7640D675E8048BA0

Function 10004E60 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?), ref: 10004E79
TryEnterCriticalSection.KERNEL32(?,?), ref: 10004E98
TryEnterCriticalSection.KERNEL32(?), ref: 10004EA2
SetLastError.KERNEL32(0000139F), ref: 10004EB9
LeaveCriticalSection.KERNEL32(?), ref: 10004EC2
LeaveCriticalSection.KERNEL32(00000002), ref: 10004EC9

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
Instruction ID: b6eaa0d5c2d22c0db505b760e803bdb0fa2ef48d94b0f961ed90457994499652
Opcode Fuzzy Hash: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
Instruction Fuzzy Hash: 36118272700354DBE320DBB9DC85A6BB3ECFB88392B41063EE645C7550DA72E804CBA5

Function 03D34E80 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?), ref: 03D34E99
TryEnterCriticalSection.KERNEL32(?,?), ref: 03D34EB8
TryEnterCriticalSection.KERNEL32(?), ref: 03D34EC2
SetLastError.KERNEL32(0000139F), ref: 03D34ED9
LeaveCriticalSection.KERNEL32(?), ref: 03D34EE2
LeaveCriticalSection.KERNEL32(?), ref: 03D34EE9

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: da4beb9b2eeef9ed78656fab5f51ec2ce10fcb4486104aea7504d744f20c990e
Instruction ID: 0c75b56dfe987932ab5ba5111f5c65ed6417ce351ca11949d0379f1d11685de8
Opcode Fuzzy Hash: da4beb9b2eeef9ed78656fab5f51ec2ce10fcb4486104aea7504d744f20c990e
Instruction Fuzzy Hash: 261182377043048BD320EB7AEC8496BF3ECFB89721B08092EE645D2650DA75ED04C7A5

Function 03D3DD10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 03D3DD32
SetLastError.KERNEL32(0000007F), ref: 03D3DE35

Strings

Main, xrefs: 03D3DD1F, 03D3DD5C

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: b41e2bbda27694de643c530638d0cbf56e2a3a611c29f5b437ac3253b408932c
Instruction ID: b1ced09d3fcb90a1d9047356ff7b3f839de356edb1bae2d1262995384a9e3b82
Opcode Fuzzy Hash: b41e2bbda27694de643c530638d0cbf56e2a3a611c29f5b437ac3253b408932c
Instruction Fuzzy Hash: 8241D132A00305DFD720DF58EC80B6AB7EAFF95714F0845A9E8459B311E771E945CB90

Function 6C37CC10 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,CDB86E77,QQ7l,6C37CD1F,QQ7l,?,00000000), ref: 6C37CCD1

Strings

api-ms-, xrefs: 6C37CC67
QQ7l, xrefs: 6C37CC12
ext-ms-, xrefs: 6C37CC7B

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: FreeLibrary
String ID: QQ7l$api-ms-$ext-ms-
API String ID: 3664257935-1992630856
Opcode ID: 96871eaa3e5962ebd3e43c469d829b5c98f42bd392e0f993a4a197bba74748c6
Instruction ID: c7afd4720e9a2ce6247c7e1744fddf826a562662fc6e4fc600f02901632aa372
Opcode Fuzzy Hash: 96871eaa3e5962ebd3e43c469d829b5c98f42bd392e0f993a4a197bba74748c6
Instruction Fuzzy Hash: 83212B31A42212A7DB21BF6DAC54A4A377CDF43764F240210E915B7680E736ED02CEF4

Function 6C36CB29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C36CB70
__alloca_probe_16.LIBCMT ref: 6C36CB9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C36CBDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C36CBF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6C36CC37
__alloca_probe_16.LIBCMT ref: 6C36CC54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C36CC96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C36CCB9

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: a4ebd9dd1d0fe9e6a05624f4bd14e5bec0ce197c82a90e92bb173d439c037266
Instruction ID: 0f7b0704b9d3c07239914474303f6ef4f7d00103248a50152440489c1c872bfa
Opcode Fuzzy Hash: a4ebd9dd1d0fe9e6a05624f4bd14e5bec0ce197c82a90e92bb173d439c037266
Instruction Fuzzy Hash: AD51B172601206ABEF106F6ADC44FAB3BB8EF4675CF204424F92096998E771D911DF60

Function 10003F60 Relevance: 12.1, APIs: 8, Instructions: 79networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10003F65
SetLastError.KERNEL32(0000139F,?,74DEDFA0,10003648), ref: 10004054

Part of subcall function 10002B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 10002B96
Part of subcall function 10002B80: SwitchToThread.KERNEL32 ref: 10002BAA

send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
SetEvent.KERNEL32(?), ref: 10003FE9
InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
WSACloseEvent.WS2_32(?), ref: 10004003
shutdown.WS2_32(?,00000001), ref: 1000401B
closesocket.WS2_32(?), ref: 10004025

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 3254528666-0
Opcode ID: 5b0e511d635cae701d0a261cd8daf94e2af27413da8a227727d1db7110453b86
Instruction ID: f90f9a9b3ecf0f3d74d2563f24973b51980f03fc9dc1a8ff13de2f0f8c7e6f1d
Opcode Fuzzy Hash: 5b0e511d635cae701d0a261cd8daf94e2af27413da8a227727d1db7110453b86
Instruction Fuzzy Hash: 822148B56007109BE321DF64C888B9BB7F9FB44791F04891DF6869B690CBB6F845CB50

Function 03D33F60 Relevance: 12.1, APIs: 8, Instructions: 79networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03D33F65
SetLastError.KERNEL32(0000139F,?,74DEDFA0,03D33648), ref: 03D34054

Part of subcall function 03D32BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03D32BD6
Part of subcall function 03D32BC0: SwitchToThread.KERNEL32 ref: 03D32BEA

send.WS2_32(?,03D549C0,00000010,00000000), ref: 03D33FC6
SetEvent.KERNEL32(?), ref: 03D33FE9
InterlockedExchange.KERNEL32(?,00000000), ref: 03D33FF5
WSACloseEvent.WS2_32(?), ref: 03D34003
shutdown.WS2_32(?,00000001), ref: 03D3401B
closesocket.WS2_32(?), ref: 03D34025

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 3254528666-0
Opcode ID: 9316b744e5126566d261bce32b77920cd36bde3ba887374889d86d45eccbf8e1
Instruction ID: 05a0bc365f42b1075c9c8ff7fcde2100dd01725ea9bffcbd54c04d8786e4f74f
Opcode Fuzzy Hash: 9316b744e5126566d261bce32b77920cd36bde3ba887374889d86d45eccbf8e1
Instruction Fuzzy Hash: BE2117762007009BD330EB69D988B9BB7B9FB45B11F580D1CE69287784C7B9E849CB50

Function 10004060 Relevance: 12.1, APIs: 8, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004074
ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004087
ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004090
ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004099

Part of subcall function 10001350: HeapFree.KERNEL32(?,00000000,?,?,?,100040A6,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10001390

Part of subcall function 10001420: HeapFree.KERNEL32(?,00000000,?,?,?,100040B1,?,00000000,10004039,?,74DEDFA0,10003648), ref: 1000143D
Part of subcall function 10001420: _free.LIBCMT ref: 10001459

HeapDestroy.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 100040B9
HeapCreate.KERNEL32(?,?,?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 100040D4
SetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004150
LeaveCriticalSection.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004157

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
String ID:
API String ID: 1219087420-0
Opcode ID: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
Instruction ID: 23a0d0040592214b09f8a584f6cc232509badf453808b3f4ba03db8ba96dcbd9
Opcode Fuzzy Hash: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
Instruction Fuzzy Hash: 043143B0200A02EFE705CB64C898B96F7A8FF48351F058249E4298B264CB35F951CFD0

Function 03D34060 Relevance: 12.1, APIs: 8, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D34074
ResetEvent.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D34087
ResetEvent.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D34090
ResetEvent.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D34099

Part of subcall function 03D31350: HeapFree.KERNEL32(?,00000000,?,?,?,03D340A6,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D31390

Part of subcall function 03D31420: HeapFree.KERNEL32(?,00000000,?,?,?,03D340B1,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D3143D
Part of subcall function 03D31420: _free.LIBCMT ref: 03D31459

HeapDestroy.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D340B9
HeapCreate.KERNEL32(?,?,?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D340D4
SetEvent.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D34150
LeaveCriticalSection.KERNEL32(?,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D34157

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
String ID:
API String ID: 1219087420-0
Opcode ID: e186b95648283b8c64be2590f00c4de8ee43b4de958b1dcc63f6f5abb6a14502
Instruction ID: 5d8473fb2c3150fb1febab2716113eb4fbf3745152320ce76ab88c387dfcd27b
Opcode Fuzzy Hash: e186b95648283b8c64be2590f00c4de8ee43b4de958b1dcc63f6f5abb6a14502
Instruction Fuzzy Hash: 62314775200A06AFD705EF79D898B96F7B8FF49310F048649E4298B250CB39B919CFE0

Function 00E0101B Relevance: 12.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 00E0101E
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E01029
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E01035
__RTC_Initialize.LIBCMT ref: 00E0104D
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00E017FA), ref: 00E01062

Part of subcall function 00E0155C: InitializeSListHead.KERNEL32(00E030C0,00E01072), ref: 00E01561

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000154F), ref: 00E01080
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00E0109B
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E010AA

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1933938900-0
Opcode ID: c817ba2512be2031d322d9c2297e7c2dbb61fa4f9f8897e9c827081e75bb5268
Instruction ID: 44a8a1d9d8b7da258a08b01050d921d49fe4c84aa06eba29950b985451e2cc9c
Opcode Fuzzy Hash: c817ba2512be2031d322d9c2297e7c2dbb61fa4f9f8897e9c827081e75bb5268
Instruction Fuzzy Hash: C401CD80A4038251E92433F91C43AAE12CA4FC17A8F0439CAF882BF0C3EE65C4C044B3

Function 6C37EB85 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6C37EC0B

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a85807fc997ee618783a6036bf783e221dda6a75a837a72a657676350f801317
Instruction ID: 4d0160e44ae8592100970800607038e176037fd695272873800febd88f7660d8
Opcode Fuzzy Hash: a85807fc997ee618783a6036bf783e221dda6a75a837a72a657676350f801317
Instruction Fuzzy Hash: 36B13232A053569FEB218E68CC81BEEBBA5EF06318F144555E840AFB81D3799901CFF5

Function 10002140 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

Part of subcall function 10001610: __vswprintf.LIBCMT ref: 10001646

_malloc.LIBCMT ref: 10002330

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

Strings

input psh: sn=%lu ts=%lu, xrefs: 100022DF
[RI] %d bytes, xrefs: 1000216F
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 100022AC
input wins: %lu, xrefs: 100023CF
input probe, xrefs: 100023A1

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap__vswprintf_malloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3723585974-868042568
Opcode ID: 5cf1fff9a3ed07831e4285ee8707500ca474442d0b2f18c7a61f986e26f0da37
Instruction ID: eab6198d38b35a21c7eee27abceaedf30942dd101684ecb5fd47972168577aa1
Opcode Fuzzy Hash: 5cf1fff9a3ed07831e4285ee8707500ca474442d0b2f18c7a61f986e26f0da37
Instruction Fuzzy Hash: A4B19075A002059BEB08CF68D8806AE7BE5FF44390F1546AEED499B34ADB31ED45CB90

Function 03D32140 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

Part of subcall function 03D31610: __vswprintf.LIBCMT ref: 03D31646

_malloc.LIBCMT ref: 03D32330

Part of subcall function 03D3F673: __FF_MSGBANNER.LIBCMT ref: 03D3F68C
Part of subcall function 03D3F673: __NMSG_WRITE.LIBCMT ref: 03D3F693
Part of subcall function 03D3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76), ref: 03D3F6B8

Strings

input psh: sn=%lu ts=%lu, xrefs: 03D322DF
input probe, xrefs: 03D323A1
[RI] %d bytes, xrefs: 03D3216F
input wins: %lu, xrefs: 03D323CF
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 03D322AC

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: AllocateHeap__vswprintf_malloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3723585974-868042568
Opcode ID: ec4a52f397e58f0a59b0f700799ebfa69e5fd8756d0dbb54a274c236a73da952
Instruction ID: 479d27a9f3cb7390d1f16c98c2831c826b3a79c792b4bd6e702f85d93f38d0e4
Opcode Fuzzy Hash: ec4a52f397e58f0a59b0f700799ebfa69e5fd8756d0dbb54a274c236a73da952
Instruction Fuzzy Hash: 18B1CF75E002098BCF18DF68C8806AAB7A5FF86710F084ABEDD599B346D731DD44CBA1

Function 10001830 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10001878
_free.LIBCMT ref: 100018B6
_free.LIBCMT ref: 100018F5
_free.LIBCMT ref: 10001935
_free.LIBCMT ref: 1000195D
_free.LIBCMT ref: 10001981
_free.LIBCMT ref: 100019B9

Part of subcall function 10006E49: HeapFree.KERNEL32(00000000,00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006E5F
Part of subcall function 10006E49: GetLastError.KERNEL32(00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000), ref: 10006E71

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
Instruction ID: a8bd5bf31f2101c09de15a5e31c6c05fc03f2a154fed00425f0cdbd26510a762
Opcode Fuzzy Hash: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
Instruction Fuzzy Hash: 9C511C76A00211CFE704DF58C5D4899BBE6FF89294726C0ADD5096B326CB32BD42CB91

Function 03D31830 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03D31878
_free.LIBCMT ref: 03D318B6
_free.LIBCMT ref: 03D318F5
_free.LIBCMT ref: 03D31935
_free.LIBCMT ref: 03D3195D
_free.LIBCMT ref: 03D31981
_free.LIBCMT ref: 03D319B9

Part of subcall function 03D3F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03D43E4C,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76), ref: 03D3F64F
Part of subcall function 03D3F639: GetLastError.KERNEL32(00000000,?,03D43E4C,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000), ref: 03D3F661

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2e23a68f7bcd1745e2d823a19940f1c625a7792bf46a9cc7ee6174a435443fee
Instruction ID: 63fcbcc990d9a7b0f8178b58398509c0deb9dc3f8f30a2a6d94a628eacdd3d9b
Opcode Fuzzy Hash: 2e23a68f7bcd1745e2d823a19940f1c625a7792bf46a9cc7ee6174a435443fee
Instruction Fuzzy Hash: 88515FB6A00216DFC704EF58C584965BBA6FF8A21471980ADC52A5F321C732BD42CFA1

Function 03D33870 Relevance: 10.6, APIs: 7, Instructions: 149threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03D33883
SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 03D338C4
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 03D33931
GetCurrentThreadId.KERNEL32 ref: 03D3395C
GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 03D339F4
SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 03D33A22
WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 03D33A39

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: 3d47395a5f646ca1d56249c6efab2d19dbf3fd28ee1072236fba5a555dd81c06
Instruction ID: f68c9963b516f2619ca97fabdac43c8b9d6d1e83bba47a58e3f110faffbef1b3
Opcode Fuzzy Hash: 3d47395a5f646ca1d56249c6efab2d19dbf3fd28ee1072236fba5a555dd81c06
Instruction Fuzzy Hash: EC5192B9604701DBDB20DF24CA84BAAB7E8FF06B14F144929E956DB380DB34ED44CB61

Function 6C36DA10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6C36DA47
___except_validate_context_record.LIBVCRUNTIME ref: 6C36DA4F
_ValidateLocalCookies.LIBCMT ref: 6C36DAD8
__IsNonwritableInCurrentImage.LIBCMT ref: 6C36DB03
_ValidateLocalCookies.LIBCMT ref: 6C36DB58

Strings

csm, xrefs: 6C36DAED

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0821064b77a1ea6eb35bf266c76f0abc52ca6632d82196fc1c04c8617eeb712c
Instruction ID: b1c61ba608e0a948ca1293ea37359f7b1c0d4070a3eba997a66969be6ffff92f
Opcode Fuzzy Hash: 0821064b77a1ea6eb35bf266c76f0abc52ca6632d82196fc1c04c8617eeb712c
Instruction Fuzzy Hash: BE41E330A042089BCF00CF2AC880ADE7BB5EF45328F248155E8549BF99E736EA05CFD5

Function 03D3E6B0 Relevance: 10.5, APIs: 7, Instructions: 44filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,03D3E815,?,?,?,?,74DF23A0,00000000), ref: 03D3E6BD
CreateFileW.KERNEL32(03D60D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,03D3E815,?,?,?,?,74DF23A0,00000000), ref: 03D3E6D7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 03D3E6F2
lstrlenW.KERNEL32(?,00000000,00000000), ref: 03D3E6FF
WriteFile.KERNEL32(00000000,?,00000000), ref: 03D3E70A
CloseHandle.KERNEL32(00000000), ref: 03D3E711
ReleaseMutex.KERNEL32(00000000), ref: 03D3E71E

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 38ec2e4a1c7893306da59d1ea2fccd080e32138e08b49e4d6063a403d7f3fa4a
Instruction ID: e7e39673814a749e2b01d868033f15822fad3c2f43aab53f0d9c0881a684725d
Opcode Fuzzy Hash: 38ec2e4a1c7893306da59d1ea2fccd080e32138e08b49e4d6063a403d7f3fa4a
Instruction Fuzzy Hash: 30014477241314BBE224BBA4AC4FF5A366CEB09B25F504604F725A62C4D7B0A9188775

Function 100097E2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,10017C00,00000008,100098EA,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C), ref: 100097F3
__lock.LIBCMT ref: 10009827

Part of subcall function 1000C144: __mtinitlocknum.LIBCMT ref: 1000C15A
Part of subcall function 1000C144: __amsg_exit.LIBCMT ref: 1000C166
Part of subcall function 1000C144: EnterCriticalSection.KERNEL32(00000000,00000000,?,100099BA,0000000D,10017C28,00000008,10009AB1,00000000,?,10007711,00000000,10017B60,00000008,10007776,?), ref: 1000C16E

InterlockedIncrement.KERNEL32(?), ref: 10009834
__lock.LIBCMT ref: 10009848
___addlocaleref.LIBCMT ref: 10009866

Strings

KERNEL32.DLL, xrefs: 100097EE

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 2fd8a646381f8c1273ec5aa8b514110e131a74dbccaeb09b5e4df53804c3848b
Instruction ID: 89763b3cff33ace5d26e8772c174daa1abf762224351bfae7625883661725aa5
Opcode Fuzzy Hash: 2fd8a646381f8c1273ec5aa8b514110e131a74dbccaeb09b5e4df53804c3848b
Instruction Fuzzy Hash: 1A016D75804B00DFE320DF69C84574ABBE0EF41361F14890EE49A9B3A5CBB4F680CB55

Function 03D43D2E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,03D56318,00000008,03D43E36,00000000,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C), ref: 03D43D3F
__lock.LIBCMT ref: 03D43D73

Part of subcall function 03D48E5B: __mtinitlocknum.LIBCMT ref: 03D48E71
Part of subcall function 03D48E5B: __amsg_exit.LIBCMT ref: 03D48E7D
Part of subcall function 03D48E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03D43F06,0000000D,03D56340,00000008,03D43FFF,00000000,?,03D410F0,00000000,03D56278,00000008,03D41155,?), ref: 03D48E85

InterlockedIncrement.KERNEL32(?), ref: 03D43D80
__lock.LIBCMT ref: 03D43D94
___addlocaleref.LIBCMT ref: 03D43DB2

Strings

KERNEL32.DLL, xrefs: 03D43D3A

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: b83666d61351a78063ffbf0b735e1661c920fc161d660abcdadab12be95db207
Instruction ID: 1b30f71c35bbf6a70b353ffe1822bd99070f874dd5176d8e0b1e434f57118f98
Opcode Fuzzy Hash: b83666d61351a78063ffbf0b735e1661c920fc161d660abcdadab12be95db207
Instruction Fuzzy Hash: 9B016D7A841700EFDB20EFB9D804749BBF0EF50714F10890EE49A5B790CBB5A644CB25

Function 03D3B78C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 03D3B7A7
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 03D3B7B7
RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 03D3B7CE
RegCloseKey.ADVAPI32(?,?,00000004), ref: 03D3B7D9

Strings

Console, xrefs: 03D3B79D
IpDatespecial, xrefs: 03D3B7B1, 03D3B7C8

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: e89b583ce4bc1d638e0694ecd39e582684b1796f8f7b00349f7ebf9bba6e73a0
Instruction ID: 8c1e60f1b4259689a7788d439fe77e9e01b779d8b9eef6386735ed86cfbf7b19
Opcode Fuzzy Hash: e89b583ce4bc1d638e0694ecd39e582684b1796f8f7b00349f7ebf9bba6e73a0
Instruction Fuzzy Hash: F0F02033341340FFE325A774AC0FF1ABB64FB89B01F404E0DFB816628086A0B118C626

Function 100133F1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10013412

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 10013423
__getptd.LIBCMT ref: 10013431

Strings

RCC, xrefs: 100133FD
csm, xrefs: 1001340B
MOC, xrefs: 10013404

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
Instruction ID: 786e14bf1501c0e18a8257e8a75f03574bdb54e2dd84c562cebc2d2ff3df38bd
Opcode Fuzzy Hash: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
Instruction Fuzzy Hash: 86E01A345042488FE720DB68C04AB5933E4FBC8294F5680A5F41ECF226C738FD908942

Function 03D502FC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03D5031D

Part of subcall function 03D43E5B: __getptd_noexit.LIBCMT ref: 03D43E5E
Part of subcall function 03D43E5B: __amsg_exit.LIBCMT ref: 03D43E6B

__getptd.LIBCMT ref: 03D5032E
__getptd.LIBCMT ref: 03D5033C

Strings

RCC, xrefs: 03D50308
csm, xrefs: 03D50316
MOC, xrefs: 03D5030F

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
Instruction ID: 123c9f91ccdd09cec7e4b25882894846f5db5e90c3d3d864446cd1a4d4213c4f
Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
Instruction Fuzzy Hash: 68E09239914305CFDB20DBACC14AB6836D9FB54B15F5945B1E80CCF221D738D5949552

Function 10005060 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,D9F8D1C9,?,?,10014228,000000FF), ref: 100050AA
WSASetLastError.WS2_32(0000139F,?,?,?,?,D9F8D1C9,?,?,10014228,000000FF), ref: 100050C2
LeaveCriticalSection.KERNEL32(?), ref: 100050CC

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
Instruction ID: 94e9e828bd4e4f39969e9d0b2c4f8dfc3b4d38cc2041e0ad1404f002baf5890c
Opcode Fuzzy Hash: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
Instruction Fuzzy Hash: DE316D76A04644EBE711CF95DD86BABB3E8FB48752F008A1AF906C7645D776E800CB90

Function 03D35080 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002FF), ref: 03D350CA
WSASetLastError.WS2_32(0000139F), ref: 03D350E2
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 03D350EC

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 5a7c684cb64d51328d7b44ccf100a904fbe0a7d1240ba5de0a2e324aee13c1e4
Instruction ID: b0c20f6a98876eefc4df5f8948b9cc40cc9a08a723f1c2c39ffe17b247e04522
Opcode Fuzzy Hash: 5a7c684cb64d51328d7b44ccf100a904fbe0a7d1240ba5de0a2e324aee13c1e4
Instruction Fuzzy Hash: CB31EF76A04708ABD710DF94E885B6AB3E9FB4AB10F00495EFC16C7780E736E904CB60

Function 1000485A Relevance: 9.1, APIs: 6, Instructions: 91sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048E1
WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048EC
Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 100048F9
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 10004914
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 1000491D
Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 1000492E

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CloseHandleObjectSingleSleepWait
String ID:
API String ID: 640476663-0
Opcode ID: f4c70dc776f0c36d6c3e242216426f5c740d9caf6da259f6a897f5b04df83c22
Instruction ID: db8a483aedded49ec56de4fe6a38a5b8db7edc3383aabb911f028b40afcbc516
Opcode Fuzzy Hash: f4c70dc776f0c36d6c3e242216426f5c740d9caf6da259f6a897f5b04df83c22
Instruction Fuzzy Hash: E6216AB61046548FD750EBA8CC8498BF3F9FF893507198B08E5948B395CA34DC05CBA4

Function 6C3793B0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6C3793A7,6C379BB5,?,?,?,?,6C36D5F2,?,?,?,?,?,00000000,00000000), ref: 6C3793BE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C3793CC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C3793E5
SetLastError.KERNEL32(00000000,?,?,6C36D5F2,?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 6C379437

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e3534f811fe96eb06e5d5a971e7c2a4058f0534f2c395f430d86065eb08d584b
Instruction ID: 1e819512c9387c1122ff4a0f96b39336ef947355f18b6998f5fb0034cb62e176
Opcode Fuzzy Hash: e3534f811fe96eb06e5d5a971e7c2a4058f0534f2c395f430d86065eb08d584b
Instruction Fuzzy Hash: 1101B53231E7269FAA741E795C859972BACEB0667C720032AE5204AAD0FF1788158D79

Function 6C379CA3 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6C379DC2
CallUnexpected.LIBVCRUNTIME ref: 6C37A03B

Strings

csm, xrefs: 6C379CE0
csm, xrefs: 6C379D4D
csm, xrefs: 6C379DF9

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 8ad8d88741687de559914d19a923e820d28b13e784c9eef518a0b63f81827a64
Instruction ID: 071f288406d566cb97640d8bcbb0e3ee5da9a81698cf1ca02e0b47805196fdcd
Opcode Fuzzy Hash: 8ad8d88741687de559914d19a923e820d28b13e784c9eef518a0b63f81827a64
Instruction Fuzzy Hash: 45B17A31800309EFCF24CFA5C980ADEB7B5FF04319B14425AE8556BA15D33ADA55CFAA

Function 100136A3 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 100136CB

Part of subcall function 1001325B: __getptd.LIBCMT ref: 10013269
Part of subcall function 1001325B: __getptd.LIBCMT ref: 10013277

__getptd.LIBCMT ref: 100136D5

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 100136E3
__getptd.LIBCMT ref: 100136F1
__getptd.LIBCMT ref: 100136FC
_CallCatchBlock2.LIBCMT ref: 10013722

Part of subcall function 10013300: __CallSettingFrame@12.LIBCMT ref: 1001334C

Part of subcall function 100137C9: __getptd.LIBCMT ref: 100137D8
Part of subcall function 100137C9: __getptd.LIBCMT ref: 100137E6

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 9bbf850cd10a9d142d7ef01923f7ba9f09fdf63f4c6847773a26cfd91f606182
Instruction ID: 22efbb8b190092b33748bf873c8b025e1b03d977775ae1c5574abea826c94994
Opcode Fuzzy Hash: 9bbf850cd10a9d142d7ef01923f7ba9f09fdf63f4c6847773a26cfd91f606182
Instruction Fuzzy Hash: 06112BB5C04209DFDF10DFA4D445AEEBBB1FF48310F10806AF864AB251DB38AA559F50

Function 03D505AE Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 03D505D6

Part of subcall function 03D500B7: __getptd.LIBCMT ref: 03D500C5
Part of subcall function 03D500B7: __getptd.LIBCMT ref: 03D500D3

__getptd.LIBCMT ref: 03D505E0

Part of subcall function 03D43E5B: __getptd_noexit.LIBCMT ref: 03D43E5E
Part of subcall function 03D43E5B: __amsg_exit.LIBCMT ref: 03D43E6B

__getptd.LIBCMT ref: 03D505EE
__getptd.LIBCMT ref: 03D505FC
__getptd.LIBCMT ref: 03D50607
_CallCatchBlock2.LIBCMT ref: 03D5062D

Part of subcall function 03D5015C: __CallSettingFrame@12.LIBCMT ref: 03D501A8

Part of subcall function 03D506D4: __getptd.LIBCMT ref: 03D506E3
Part of subcall function 03D506D4: __getptd.LIBCMT ref: 03D506F1

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 6eea26d243c4843de531fb239ff070473d7571be2fd683889e0d9753e6040131
Instruction ID: 53ecb9e8200e5a5b6aa1ecf17c7e393eebf60f5246de5cf90cc094a7dd048f60
Opcode Fuzzy Hash: 6eea26d243c4843de531fb239ff070473d7571be2fd683889e0d9753e6040131
Instruction Fuzzy Hash: E711D4B9D01309DFDF10EFA4D484BADBBB0FF08314F108169E829AB250DB389A559F60

Function 1000D9BE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000D9CA

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__amsg_exit.LIBCMT ref: 1000D9EA
__lock.LIBCMT ref: 1000D9FA
InterlockedDecrement.KERNEL32(?), ref: 1000DA17
_free.LIBCMT ref: 1000DA2A
InterlockedIncrement.KERNEL32(03662830), ref: 1000DA42

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 4e920ccd90d0088b349a7666ce33f112c59c5ff822d0f6e49aec8d69fe8d2c9d
Instruction ID: a4a3804e7546e288cb55bc9b4da126fdc171610eea7e5ea66b0b3240b360b7e5
Opcode Fuzzy Hash: 4e920ccd90d0088b349a7666ce33f112c59c5ff822d0f6e49aec8d69fe8d2c9d
Instruction Fuzzy Hash: E2019235A057219BF701EF64988579EB3A1FF057D0F018116F851AB289CB34BA81CBE6

Function 03D44885 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03D44891

Part of subcall function 03D43E5B: __getptd_noexit.LIBCMT ref: 03D43E5E
Part of subcall function 03D43E5B: __amsg_exit.LIBCMT ref: 03D43E6B

__amsg_exit.LIBCMT ref: 03D448B1
__lock.LIBCMT ref: 03D448C1
InterlockedDecrement.KERNEL32(?), ref: 03D448DE
_free.LIBCMT ref: 03D448F1
InterlockedIncrement.KERNEL32(03E52830), ref: 03D44909

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: cab84db88aeed5900917773dd30bb9a5d1bae3e81e5a1b30933174e64d5cfad4
Instruction ID: daa1e953a9caf86590ddf9d16c75cc91cc68d2f367a4f58047118103b690ac55
Opcode Fuzzy Hash: cab84db88aeed5900917773dd30bb9a5d1bae3e81e5a1b30933174e64d5cfad4
Instruction Fuzzy Hash: FA016D36D02751EBDB20EB6A940875DB7B0FF04B20F084115E814AB284CB3499C5CBE2

Function 100048C7 Relevance: 9.0, APIs: 6, Instructions: 44sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048E1
WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048EC
Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 100048F9
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 10004914
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 1000491D
Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 1000492E

Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
String ID:
API String ID: 1019945655-0
Opcode ID: 3a30db2477d7f785b2e787c45e20f2cfe3e7392a271029e59f364346de097013
Instruction ID: b3bd2b528433ae293362b27f5e3b1343b14dca1381540b702c4300f5d31fb9dc
Opcode Fuzzy Hash: 3a30db2477d7f785b2e787c45e20f2cfe3e7392a271029e59f364346de097013
Instruction Fuzzy Hash: 1AF096762046149BD210EBA9CC84D4BF3E9EFC8761B158B19F26987694CA71FC01CBA0

Function 03D39BA0 Relevance: 9.0, APIs: 6, Instructions: 42COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 03D39BD2
EnterCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39BE3
EnterCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39BF8
GdiplusShutdown.GDIPLUS(00000000,?,?,?,03D39B7B), ref: 03D39C04
LeaveCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39C15
LeaveCriticalSection.KERNEL32(03D5FB64,?,?,?,03D39B7B), ref: 03D39C1C

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: b07d9f2b0567304069487d203d2cef1a05c14308ce05dbe46beac19bf67f44cc
Instruction ID: 326111f0d36a4624947aaf3ea3eef1f9a9816e01ffdd6017684b0bade8deefd1
Opcode Fuzzy Hash: b07d9f2b0567304069487d203d2cef1a05c14308ce05dbe46beac19bf67f44cc
Instruction Fuzzy Hash: 51011AB6901304EFCB05EF6AA890419BBA8FA4971536485AEF529CB306C772D807CF95

Function 03D348D0 Relevance: 9.0, APIs: 6, Instructions: 36sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 03D348E1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03D348EC
Sleep.KERNEL32(00000258), ref: 03D348F9
CloseHandle.KERNEL32(?), ref: 03D34914
CloseHandle.KERNEL32(?), ref: 03D3491D
Sleep.KERNEL32(0000012C), ref: 03D3492E

Part of subcall function 03D33F60: GetCurrentThreadId.KERNEL32 ref: 03D33F65
Part of subcall function 03D33F60: send.WS2_32(?,03D549C0,00000010,00000000), ref: 03D33FC6
Part of subcall function 03D33F60: SetEvent.KERNEL32(?), ref: 03D33FE9
Part of subcall function 03D33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03D33FF5
Part of subcall function 03D33F60: WSACloseEvent.WS2_32(?), ref: 03D34003
Part of subcall function 03D33F60: shutdown.WS2_32(?,00000001), ref: 03D3401B
Part of subcall function 03D33F60: closesocket.WS2_32(?), ref: 03D34025

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
String ID:
API String ID: 1019945655-0
Opcode ID: e084b4ec2cb929dcb8c2136d53b3e2c5899c0d6cfced25fc50f6d3c991af9fc7
Instruction ID: 064aaf7a073c2e488ebfc70560e9d93bc38eb1ee8e7aa606f653a0476016d469
Opcode Fuzzy Hash: e084b4ec2cb929dcb8c2136d53b3e2c5899c0d6cfced25fc50f6d3c991af9fc7
Instruction Fuzzy Hash: 9BF0307A2047045BC624EBA9DD84D4AF3E9EFC9720B254B09E26987394CA75EC05CBA0

Function 03D33300 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 03D33311
Sleep.KERNEL32(00000258), ref: 03D3331E
InterlockedExchange.KERNEL32(?,00000000), ref: 03D33326
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03D33332
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03D3333A
Sleep.KERNEL32(0000012C), ref: 03D3334B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: f718c1d3b90d1664f321832ba1c6b6d1e3f102952192a07f702e70f074173b07
Instruction ID: 7f557fa1be286648370493d93c0f7e5c660bfc96a6028d20c8a9d0948119ec9b
Opcode Fuzzy Hash: f718c1d3b90d1664f321832ba1c6b6d1e3f102952192a07f702e70f074173b07
Instruction Fuzzy Hash: 86F01C762047146BD620ABA9DC84E56F3E8AF99734B204B09F265933D4CAB5E805CBA0

Function 00E01D6F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E01D85
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E01D92
_CxxThrowException.VCRUNTIME140(?,00E027B4), ref: 00E01E99
_CxxThrowException.VCRUNTIME140(?,00E02808), ref: 00E01EB6

Strings

Unknown exception, xrefs: 00E01EC3

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID: Unknown exception
API String ID: 4113974480-410509341
Opcode ID: bb7dd929ebf786b3bea81b4e0fe90aa7d80236b20e886daccd8b83b9541287c8
Instruction ID: af18a1f82e8eb20361ce491baccc24de2cabcdabfe7e50e76677bb8713f36a72
Opcode Fuzzy Hash: bb7dd929ebf786b3bea81b4e0fe90aa7d80236b20e886daccd8b83b9541287c8
Instruction Fuzzy Hash: 1BF0813560430E66CB04AAE8DC069AD77ED5E00355B60A5E9F914BE0D1EB71EAD6C1D0

Function 10013A50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 10013A63

Part of subcall function 100139BE: ___BuildCatchObjectHelper.LIBCMT ref: 100139F4

_UnwindNestedFrames.LIBCMT ref: 10013A7A
___FrameUnwindToState.LIBCMT ref: 10013A88

Strings

csm, xrefs: 10013A5F, 10013A74, 10013A87, 10013AA5, 10013AB5
csm, xrefs: 10013A52

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: e6390535bab9e49693186baa48b022ad9d19c19648d68c038876df6954aae2ed
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: AE01F675401109BBDF12DF51CC45EAB7F6AEF08390F508024FD5819121D776E9B1DBA1

Function 6C37260F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CDB86E77,?,?,00000000,6C38C7DD,000000FF,?,6C3726D0,6C3725AA,?,6C37276C,00000000), ref: 6C372644
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C372656
FreeLibrary.KERNEL32(00000000,?,?,00000000,6C38C7DD,000000FF,?,6C3726D0,6C3725AA,?,6C37276C,00000000), ref: 6C372678

Strings

CorExitProcess, xrefs: 6C37264E
mscoree.dll, xrefs: 6C37263D

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d82f296681e4fb02b92f459ba583f04f00b985b406459a966a1268a0bfc25878
Instruction ID: 3018993f6d1cdc8862c029edc4d241d58e248ac1c557b26ea394dd259dca4da6
Opcode Fuzzy Hash: d82f296681e4fb02b92f459ba583f04f00b985b406459a966a1268a0bfc25878
Instruction Fuzzy Hash: 6E018B31514659EFDF119F50CC09FAE7BBCFB05715F000929F822A26C0EB7A9900CE94

Function 03D5095B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 03D5096E

Part of subcall function 03D508C9: ___BuildCatchObjectHelper.LIBCMT ref: 03D508FF

_UnwindNestedFrames.LIBCMT ref: 03D50985
___FrameUnwindToState.LIBCMT ref: 03D50993

Strings

csm, xrefs: 03D5095D
csm, xrefs: 03D5096A, 03D5097F, 03D50992, 03D509B0, 03D509C0

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction ID: 71143e9514be7364a88b02588df0052f64951fefa1c90a59b86c05e2dd55b4ea
Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction Fuzzy Hash: B601F2B5401209BBEF12AF51CC44EAABF6AFF09390F088024FD5819164DB36D9B1DBA0

Function 6C380B20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

PeekConsoleInputA.KERNEL32(?,gfff,6C399D70,00000000,?,6C373746,00000000,0000000C,6C399D70,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380B35
GetLastError.KERNEL32(?,6C373746,00000000,0000000C,6C399D70,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380B41

Part of subcall function 6C380C1D: CloseHandle.KERNEL32(FFFFFFFF,6C380B05,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C2D

___initconin.LIBCMT ref: 6C380B51

Part of subcall function 6C380BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C380A79,6C3736CB,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C11

PeekConsoleInputA.KERNEL32(?,?,FFFFFFFF,?,6C373746,00000000,0000000C,6C399D70,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380B65

Strings

gfff, xrefs: 6C380B29

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
String ID: gfff
API String ID: 1545762386-1553575800
Opcode ID: 17b21d469809209df9fda145fc55a6aa42256eab1ac39d7f5e557aa4cc64408a
Instruction ID: cf999231c3a56f140dcf8c4db2106d30307be4518fb9bd44d28e3892ed4aab45
Opcode Fuzzy Hash: 17b21d469809209df9fda145fc55a6aa42256eab1ac39d7f5e557aa4cc64408a
Instruction Fuzzy Hash: 45F0C03690615DBB8F122FD5DC049DD3F7AFB0A769B044110F91996620E733C8609F91

Function 03D3B7E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 03D3B800
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 03D3B810
RegCloseKey.ADVAPI32(?), ref: 03D3B81B

Strings

Console, xrefs: 03D3B7F6
IpDatespecial, xrefs: 03D3B80A

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 7146e940ba950477d3f4aa3b5fd750aa2798b9bf13010c119db34301001e7c83
Instruction ID: 99ad48b2b00d6e2034ae0aacc1197fc1aec0616354974dad3202e95ff2d6f198
Opcode Fuzzy Hash: 7146e940ba950477d3f4aa3b5fd750aa2798b9bf13010c119db34301001e7c83
Instruction Fuzzy Hash: 09E08673246340AFD324A674BC4FF9D7764F78C711F00495DFA85A12418552E518C665

Function 6C37D3A5 Relevance: 7.7, APIs: 5, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6C37D42A
__alloca_probe_16.LIBCMT ref: 6C37D4F3
__freea.LIBCMT ref: 6C37D55A

Part of subcall function 6C37A641: RtlAllocateHeap.NTDLL(00000000,6C37DBE2,?,?,6C37DBE2,00000220,?,?,?), ref: 6C37A673

__freea.LIBCMT ref: 6C37D56D
__freea.LIBCMT ref: 6C37D57A

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 506fb620f0a2eb73750dc901a595de2aafad21097f89a796812df520353573fc
Instruction ID: 119a686c76fdd361016cea4f2d43d2f938578aae6694b90821595b52cab6d6ac
Opcode Fuzzy Hash: 506fb620f0a2eb73750dc901a595de2aafad21097f89a796812df520353573fc
Instruction Fuzzy Hash: 6051B3B26012066FEB208E65DC40EBB3BADDF4476CB210528FD1497A10EB39DD14CE75

Function 03D3B990 Relevance: 7.6, APIs: 5, Instructions: 116processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,E832A845), ref: 03D3B9DA
_memset.LIBCMT ref: 03D3B9FB
_memset.LIBCMT ref: 03D3BA4B
Process32FirstW.KERNEL32(00000000,?), ref: 03D3BA65
Process32NextW.KERNEL32(00000000,0000022C), ref: 03D3BAB7

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
String ID:
API String ID: 2416807333-0
Opcode ID: 18af85b80dad1380376f58e3fa6fa26ec4ef5a4956046142d9a8675c850b55e5
Instruction ID: 01bd352a7fc7462b970d620d0bcaa6212f21a4818f352be358ae79b344f996f8
Opcode Fuzzy Hash: 18af85b80dad1380376f58e3fa6fa26ec4ef5a4956046142d9a8675c850b55e5
Instruction Fuzzy Hash: DF41C471900605AFEB10DF64CC85FAAB7B8FF16B14F044296E9159B2C0E7B59E44CBA1

Function 6C354CA0 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C354CD5
std::_Lockit::_Lockit.LIBCPMT ref: 6C354CEF
std::_Lockit::~_Lockit.LIBCPMT ref: 6C354D10
__Getctype.LIBCPMT ref: 6C354DC4
std::_Lockit::~_Lockit.LIBCPMT ref: 6C354DF7

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 6307cfab759e476178303b77da506d02dc3d3c41461296ce6a181d407976bca1
Instruction ID: a061c9b9268fb7bc3373028f994e70f32f4122460b4427b4386ce090a0f5a091
Opcode Fuzzy Hash: 6307cfab759e476178303b77da506d02dc3d3c41461296ce6a181d407976bca1
Instruction Fuzzy Hash: A1416A71E002248FCB14DF99D850BEEB7B4FF44718F544119D859ABB41E736A914CF92

Function 03D33CA0 Relevance: 7.6, APIs: 5, Instructions: 98networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000598,00000000), ref: 03D33CBF
SetLastError.KERNEL32(00000000,?,?,03D3399F,?,?,00000000,000000FF,00000000), ref: 03D33CFA
GetLastError.KERNEL32(00000000), ref: 03D33D45
WSAGetLastError.WS2_32(?,?,03D3399F,?,?,00000000,000000FF,00000000), ref: 03D33D7B
WSASetLastError.WS2_32(0000000D,?,?,03D3399F,?,?,00000000,000000FF,00000000), ref: 03D33DA2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 6baa188deffcfcd673b5b9291fbcee554c73143d664dd22e31666cb67c995181
Instruction ID: a59c0054f1246e278ee5f44a06d86e7beab0d458ff35f29f07c75af857112cc0
Opcode Fuzzy Hash: 6baa188deffcfcd673b5b9291fbcee554c73143d664dd22e31666cb67c995181
Instruction Fuzzy Hash: 4C31F47A6043008FEB64DF68E9C8B6A77A9FB86320F04056AED05CB389D775DC848B51

Function 1000E5D7 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1000E5E5

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

_free.LIBCMT ref: 1000E5F8

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 073510cd7888ec162256f41c4b27844541b3ac2ad2a228e050a5b5aba56439fd
Instruction ID: 99b6cfc0e9903126c7bed8e87128f69c37c5ff73db012c927cbf40cb5b0e6f66
Opcode Fuzzy Hash: 073510cd7888ec162256f41c4b27844541b3ac2ad2a228e050a5b5aba56439fd
Instruction Fuzzy Hash: 2F113A36900A61ABFB229BB4BC0564E37D5FF443F1B214525F848BB198DF36DD404B94

Function 03D40EEB Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03D40EF9

Part of subcall function 03D3F673: __FF_MSGBANNER.LIBCMT ref: 03D3F68C
Part of subcall function 03D3F673: __NMSG_WRITE.LIBCMT ref: 03D3F693
Part of subcall function 03D3F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76), ref: 03D3F6B8

_free.LIBCMT ref: 03D40F0C

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 02e141149021855cacc687559d48ca1e50b304c047f35ae008a1f3f31f7f2c88
Instruction ID: 2210a2ab5a2360c98ff114b9f32d0c1bef5ba3ceb99d43a960e273ed3b89c7af
Opcode Fuzzy Hash: 02e141149021855cacc687559d48ca1e50b304c047f35ae008a1f3f31f7f2c88
Instruction Fuzzy Hash: B611E337808719AFCB21BF74A80465EB79DDF452A0B184836EA899F250DB30C98287B4

Function 10002BD0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 10002BFF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 10002C15
TranslateMessage.USER32(?), ref: 10002C24
DispatchMessageW.USER32(?), ref: 10002C2A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 10002C38

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: dbe9700d19ae9a12251f89c422866142aee7b4545ced7af6ef9db51ab6727882
Instruction ID: 0e3c485fe407bbf507bfa30b8d40781191f7ce2fd7dbe990fe93c7e11cc8c17a
Opcode Fuzzy Hash: dbe9700d19ae9a12251f89c422866142aee7b4545ced7af6ef9db51ab6727882
Instruction Fuzzy Hash: 8901A972A80319F6F610EB948D91FAE736CEB04B91F504511FF04EE0D9DAB1E80587B4

Function 03D32C10 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 03D32C3F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 03D32C55
TranslateMessage.USER32(?), ref: 03D32C64
DispatchMessageW.USER32(?), ref: 03D32C6A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 03D32C78

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: 128767ef5686b2d0e66940020f641e2b33b2cae491dc99e6571ab1195446b867
Instruction ID: 5a9d03d54c0035b8134a5837e9eb6d993c6293a18fc96883b165ae65de0bb398
Opcode Fuzzy Hash: 128767ef5686b2d0e66940020f641e2b33b2cae491dc99e6571ab1195446b867
Instruction Fuzzy Hash: 36018677E5030DB6E610E694DC81FBA736CAB05B10F504911FB40EB1C4D6A5E90587A5

Function 10004B50 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B63
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B6D
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B80
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B83

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3c4cb16bca3ae15824b6f58c01f312d0d5f5bcc1af3ff3d380ee54a514ce913b
Instruction ID: aa03fd3e3b24d4ff679a20f9d9d19219b814eae2566e95c25fa4737bddb7a95c
Opcode Fuzzy Hash: 3c4cb16bca3ae15824b6f58c01f312d0d5f5bcc1af3ff3d380ee54a514ce913b
Instruction Fuzzy Hash: 4A0184765006109FE310DB75ECC8B9BB3E8EB8C355F064819E10687100C735FC458AA4

Function 03D34B70 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03D34B83
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03D34B8D
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03D34BA0
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03D34BA3

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 4cd9871afe01f07fb66924bdb0205dce9095d808c09bcd5bc31d321fac7b5d04
Instruction ID: 5992c0b9cfa9f82e7700272a204c0b4443cc37f7a0750a3108ff40a97414bc6d
Opcode Fuzzy Hash: 4cd9871afe01f07fb66924bdb0205dce9095d808c09bcd5bc31d321fac7b5d04
Instruction Fuzzy Hash: 3E018F7B2003149BD721EB2AFCC4B5BB7F8EB89754F054869E14683204C738ED49CA60

Function 6C36B2CF Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C36B2D6
std::_Lockit::_Lockit.LIBCPMT ref: 6C36B2E1
std::_Lockit::~_Lockit.LIBCPMT ref: 6C36B34F

Part of subcall function 6C36B1D8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C36B1F0

std::locale::_Setgloballocale.LIBCPMT ref: 6C36B2FC
_Yarn.LIBCPMT ref: 6C36B312

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: fb14b32e13500793f5dceee9a7f4aca681123774f9dc06365953a1a95fcebe6f
Instruction ID: 29abf9097a507ba1f734c7fc216ad46c37d011e9bb6cd44bd7e2d7dea210be0f
Opcode Fuzzy Hash: fb14b32e13500793f5dceee9a7f4aca681123774f9dc06365953a1a95fcebe6f
Instruction Fuzzy Hash: 1E01F275701221DBCB06EF22D8046BC7B75BF81248B240008E8515BF84EF35AE0ADFC2

Function 03D32D30 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03D32D5C
CancelIo.KERNEL32(?), ref: 03D32D66
InterlockedExchange.KERNEL32(00000000,00000000), ref: 03D32D6F
closesocket.WS2_32(?), ref: 03D32D79
SetEvent.KERNEL32(00000001), ref: 03D32D83

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 3bdde51e9bd645ba97d8f330b081b0fa6a162b67443ec4eacb5ae40a6c7877a6
Instruction ID: 8fae26a0f77400844e8f93f4ee999e17d20f5b99002934baedd7bbcebd6ce04f
Opcode Fuzzy Hash: 3bdde51e9bd645ba97d8f330b081b0fa6a162b67443ec4eacb5ae40a6c7877a6
Instruction Fuzzy Hash: 46F03C76500704ABD224AF54ED49F6777B8BB49B11F100A1CF69296784C6B0B9088BA0

Function 1000E13F Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000E14B

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 1000E162
__amsg_exit.LIBCMT ref: 1000E170
__lock.LIBCMT ref: 1000E180
__updatetlocinfoEx_nolock.LIBCMT ref: 1000E194

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0522d91088f6fb7310532faddd65fc2dc9ce4b376bceba7dbe74de096dd3a9dc
Instruction ID: 612b0c8b07e52b5ee846fa9c2d173a4fa9df34f322aac77c2402261cad3e7578
Opcode Fuzzy Hash: 0522d91088f6fb7310532faddd65fc2dc9ce4b376bceba7dbe74de096dd3a9dc
Instruction Fuzzy Hash: 59F090369446249BF721EBB8980278D32F0EF40BE0F118149F494771DACB74AD40CA56

Function 03D45006 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03D45012

Part of subcall function 03D43E5B: __getptd_noexit.LIBCMT ref: 03D43E5E
Part of subcall function 03D43E5B: __amsg_exit.LIBCMT ref: 03D43E6B

__getptd.LIBCMT ref: 03D45029
__amsg_exit.LIBCMT ref: 03D45037
__lock.LIBCMT ref: 03D45047
__updatetlocinfoEx_nolock.LIBCMT ref: 03D4505B

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0ed979b98fe39bd1ab0741bea5f3be69bb0b2d181dfdc8e57bf426e7507a9af9
Instruction ID: 53354e42338e0237c53c029a9771db87e6994924af32802117c292d90c96346b
Opcode Fuzzy Hash: 0ed979b98fe39bd1ab0741bea5f3be69bb0b2d181dfdc8e57bf426e7507a9af9
Instruction Fuzzy Hash: 41F0B43ED45700DBDB70FBB8A405B4D73B1EF01F20F144219E515AF2C0CB3484918AA6

Function 03D3C910 Relevance: 7.5, APIs: 5, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 03D3C932
GetCommandLineW.KERNEL32 ref: 03D3C938
GetStartupInfoW.KERNEL32(?), ref: 03D3C947
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 03D3C96F
ExitProcess.KERNEL32 ref: 03D3C977

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: 844a06727a5b0873600f5da264abca8613863c5e101c8d18f81e7bab3ba3421b
Instruction ID: 8e7b586040044f213da99f9e170283df27b881a5225e5293c97c0eefa62b0003
Opcode Fuzzy Hash: 844a06727a5b0873600f5da264abca8613863c5e101c8d18f81e7bab3ba3421b
Instruction Fuzzy Hash: 79F05473585318BBEB20ABA4DC4DFEB7778FB04B01F100694B719A61D4DA706A48CF54

Function 03D375B0 Relevance: 7.5, APIs: 5, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 03D375D2
GetCommandLineW.KERNEL32 ref: 03D375D8
GetStartupInfoW.KERNEL32(?), ref: 03D375E7
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 03D3760F
ExitProcess.KERNEL32 ref: 03D37617

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: b61c036bfbd5020a9d6175b0dd022dfd2f9ae9ce6d1d9ca5b6d9c1be65700322
Instruction ID: 4290d7f3bdb9621ac5f80834a2253765185ea34473d65f8ac356c39ce2a908a8
Opcode Fuzzy Hash: b61c036bfbd5020a9d6175b0dd022dfd2f9ae9ce6d1d9ca5b6d9c1be65700322
Instruction Fuzzy Hash: DEF05473585319BBE720ABA4DC4DFDA7778EB04B01F500694B719A61C4D6706A48CF54

Function 100071AA Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100082F0: _doexit.LIBCMT ref: 100082FC

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 0a01c43476d108d4c9d86bcd5ae0e752dcea8e710ecd95c49a8faa49c4d187ed
Instruction ID: 877ff296740ff87ffef8dcd6d6c63871bb1eb85cd0bb9270c275db20a0a7633c
Opcode Fuzzy Hash: 0a01c43476d108d4c9d86bcd5ae0e752dcea8e710ecd95c49a8faa49c4d187ed
Instruction Fuzzy Hash: 22E04F3A81865967FB01ABF18D4E8CF366CEF052D5B158420FA189701BDB38E90146A1

Function 03D3F9B8 Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03D41CD0: _doexit.LIBCMT ref: 03D41CDC

___set_flsgetvalue.LIBCMT ref: 03D3F9CA

Part of subcall function 03D43CA0: TlsGetValue.KERNEL32(00000000,03D43DF9,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000,00000000), ref: 03D43CA9
Part of subcall function 03D43CA0: DecodePointer.KERNEL32(?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000,00000000,?,03D43F06,0000000D), ref: 03D43CBB
Part of subcall function 03D43CA0: TlsSetValue.KERNEL32(00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000,00000000,?,03D43F06), ref: 03D43CCA

___fls_getvalue@4.LIBCMT ref: 03D3F9D5

Part of subcall function 03D43C80: TlsGetValue.KERNEL32(?,?,03D3F9DA,00000000), ref: 03D43C8E

___fls_setvalue@8.LIBCMT ref: 03D3F9E8

Part of subcall function 03D43CD4: DecodePointer.KERNEL32(?,?,?,03D3F9ED,00000000,?,00000000), ref: 03D43CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 03D3F9F1
ExitThread.KERNEL32 ref: 03D3F9F8
GetCurrentThreadId.KERNEL32 ref: 03D3F9FE
__freefls@4.LIBCMT ref: 03D3FA1E

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 8d2cdd95e371e80df5564dca792d75e1dd7ff445141c5f54999ced69a114312b
Instruction ID: 1fbe4379d9bb5377c39f0c122f168a9aa674e3a4f56fa24386672e59cd1bd1ee
Opcode Fuzzy Hash: 8d2cdd95e371e80df5564dca792d75e1dd7ff445141c5f54999ced69a114312b
Instruction Fuzzy Hash: 16E0863EE003597BCF00B7F69D0D84F7A1CEE01291F148400FA049B104DE24D92187B1

Function 6C368330 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 305fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 6C368378
_strlen.LIBCMT ref: 6C36839C
DeleteFileA.KERNEL32(?), ref: 6C3686B4

Strings

n79l, xrefs: 6C36856C

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: DeleteFileFolderPath_strlen
String ID: n79l
API String ID: 1809683544-2434338032
Opcode ID: 887ee8e46ba9e42fd64878d6bea2a5a1a5d30751b5672acc22c58ec6358893f3
Instruction ID: 1a63d6ffca78fdcb237d9c5f95a13704df61df5d9648d8a11a77b3c7ee5259d6
Opcode Fuzzy Hash: 887ee8e46ba9e42fd64878d6bea2a5a1a5d30751b5672acc22c58ec6358893f3
Instruction Fuzzy Hash: 99C113B1D003548FDB10CFA9C9807EEBBB1BF4A308F144629D445ABB85E7759A84CF92

Function 6C3511B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C3511E3

Strings

ios_base::badbit set, xrefs: 6C3514F4, 6C35151A
ios_base::eofbit set, xrefs: 6C3514E4
ios_base::failbit set, xrefs: 6C3514E9

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: e2b2fb8afe44fd2b81157048a5a54c35addb53d340716df6d459df27ec0d80f0
Instruction ID: 0dc730f0571a26c49cb2687ab46cdc919dca9136727c781e8631df44f61aa43f
Opcode Fuzzy Hash: e2b2fb8afe44fd2b81157048a5a54c35addb53d340716df6d459df27ec0d80f0
Instruction Fuzzy Hash: D3C15875A006159FDB04CF68C880B9DBBF2BF48328F688258E815AB795C335ED55CF90

Function 6C385872 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C37A893: GetLastError.KERNEL32(?,?,6C375151,?,6C351A6D,00000000), ref: 6C37A897
Part of subcall function 6C37A893: SetLastError.KERNEL32(00000000,6C351A6D,00000000), ref: 6C37A939

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,6C37B1CB,?,?,?,00000055,?,-00000050,?,?,?), ref: 6C385931
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,6C37B1CB,?,?,?,00000055,?,-00000050,?,?), ref: 6C385968

Strings

utf8, xrefs: 6C385A3A
PX9lE, xrefs: 6C3858E5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: PX9lE$utf8
API String ID: 943130320-988321041
Opcode ID: 8a2a1bc55f0879296ef93671fd968d4b5f557116336c951575e83a1aaec107a0
Instruction ID: f986b1b3a4a6355f21eacbe76f1f7e8f4fa22d0bc52e906c507ddc7525c7448b
Opcode Fuzzy Hash: 8a2a1bc55f0879296ef93671fd968d4b5f557116336c951575e83a1aaec107a0
Instruction Fuzzy Hash: 26513632607301AAF7159B75CCC1BE673A8EF45708F14042AE59797A80F77AD6448FA2

Function 6C35BD70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 6C36B2CF: __EH_prolog3.LIBCMT ref: 6C36B2D6
Part of subcall function 6C36B2CF: std::_Lockit::_Lockit.LIBCPMT ref: 6C36B2E1
Part of subcall function 6C36B2CF: std::locale::_Setgloballocale.LIBCPMT ref: 6C36B2FC
Part of subcall function 6C36B2CF: _Yarn.LIBCPMT ref: 6C36B312
Part of subcall function 6C36B2CF: std::_Lockit::~_Lockit.LIBCPMT ref: 6C36B34F

Part of subcall function 6C354CA0: std::_Lockit::_Lockit.LIBCPMT ref: 6C354CD5
Part of subcall function 6C354CA0: std::_Lockit::_Lockit.LIBCPMT ref: 6C354CEF
Part of subcall function 6C354CA0: std::_Lockit::~_Lockit.LIBCPMT ref: 6C354D10
Part of subcall function 6C354CA0: __Getctype.LIBCPMT ref: 6C354DC4
Part of subcall function 6C354CA0: std::_Lockit::~_Lockit.LIBCPMT ref: 6C354DF7

std::ios_base::_Addstd.LIBCPMT ref: 6C35BE72

Strings

ios_base::badbit set, xrefs: 6C35BEA4, 6C35BEC7
ios_base::eofbit set, xrefs: 6C35BE95
ios_base::failbit set, xrefs: 6C35BE9A

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$AddstdGetctypeH_prolog3SetgloballocaleYarnstd::ios_base::_std::locale::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3375204848-1866435925
Opcode ID: 716dce46fcf853831fdfb82cd7025a7d699ad8750d746278b7c339540e4fdf94
Instruction ID: 94dbf71e515e86baf8dc3aca531a2dfa5bb98cb0d8d0b8008691eb6ee063d2a5
Opcode Fuzzy Hash: 716dce46fcf853831fdfb82cd7025a7d699ad8750d746278b7c339540e4fdf94
Instruction Fuzzy Hash: 0C51E0B4A017498FDB04CF64D845BAEBBB0FF45318F14822CE91A6BB90E731A945CF91

Function 6C3526C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6C36B51D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C36B529

_strlen.LIBCMT ref: 6C352718

Strings

Y.5l, xrefs: 6C3526DB, 6C3526D3, 6C352717, 6C352740
ios_base::badbit set, xrefs: 6C3526D5
string too long, xrefs: 6C3526C0

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlenstd::invalid_argument::invalid_argument
String ID: Y.5l$ios_base::badbit set$string too long
API String ID: 4097767454-873314978
Opcode ID: 1763c5afea24cbb33d808690f29f8b6a78befe3bd99690b27de8db0d798a7ff4
Instruction ID: 3f55d453845cfc7e33c29bbf1497e72086df5fcfe5043ee3db40fb15b148b7f6
Opcode Fuzzy Hash: 1763c5afea24cbb33d808690f29f8b6a78befe3bd99690b27de8db0d798a7ff4
Instruction Fuzzy Hash: 2141D5B2C002589FCB10CFA4DD84BDEBBB9EF48314F550225E844A7B41E3369958CFA1

Function 03D384B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03D384C9

Part of subcall function 03D3EF86: std::exception::exception.LIBCMT ref: 03D3EF9B
Part of subcall function 03D3EF86: __CxxThrowException@8.LIBCMT ref: 03D3EFB0
Part of subcall function 03D3EF86: std::exception::exception.LIBCMT ref: 03D3EFC1

std::_Xinvalid_argument.LIBCPMT ref: 03D384E7

Strings

invalid string position, xrefs: 03D384C4
string too long, xrefs: 03D384E2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 963545896-4289949731
Opcode ID: fde69f5cdb59c3d20491ba3f2f7db4ddb40761d4284ad0326eb1ebe93cddaab1
Instruction ID: 832aa1fde6a11f6e07e9f6098e098987460c3152bbc89ada476c279a3a876744
Opcode Fuzzy Hash: fde69f5cdb59c3d20491ba3f2f7db4ddb40761d4284ad0326eb1ebe93cddaab1
Instruction Fuzzy Hash: B9217F76700306AF8B14DF6CE880C59B3AAFF893147144669F916CB641EB70EE58C7A1

Function 00E01770 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00E017AF
__current_exception_context.VCRUNTIME140 ref: 00E017B9
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E017C0

Strings

csm, xrefs: 00E0177A

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
Instruction ID: a205a7f81fb782ca9f7a20a1a7ea7d579afcc716d66cf7aa909ee3f18c238d11
Opcode Fuzzy Hash: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
Instruction Fuzzy Hash: 79F082354002008FCB345E29948551DB7ADAEA336539C24D7F484AFA90CB70EDD1C6D1

Function 6C383E91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6C383F2D,?,?,00000000,?,?,?,6C383DEB,00000002,FlsGetValue,6C3917C4,6C3917CC), ref: 6C383E9E
GetLastError.KERNEL32(?,6C383F2D,?,?,00000000,?,?,?,6C383DEB,00000002,FlsGetValue,6C3917C4,6C3917CC,?,?,6C3793D1), ref: 6C383EA8
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?), ref: 6C383ED0

Strings

api-ms-, xrefs: 6C383EB5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a2892f4408eda00a6e5507c7a085ba52eecf1f2e5c5cfb5d8456330cf6382c09
Instruction ID: dfa7250df6c720a3a2cadedad7edc00ec9ee5f3bad4ef4144c0febaf2264b878
Opcode Fuzzy Hash: a2892f4408eda00a6e5507c7a085ba52eecf1f2e5c5cfb5d8456330cf6382c09
Instruction Fuzzy Hash: 9FE04F32386208BBEF511E61DC0AB993B79AB02B45F208420FA0CE9DD1E763F5109E94

Function 6C36AADF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C39C354,G.5l,?,6C352362,6C39C244,?,00000001,?,?,?,?,?,?,?), ref: 6C36AAE9
ReleaseSRWLockExclusive.KERNEL32(6C39C354,?,6C352362,6C39C244,?,00000001,?,?,?,?,?,?,?), ref: 6C36AB1C
WakeAllConditionVariable.KERNEL32(6C39C350,?,6C352362,6C39C244,?,00000001,?,?,?,?,?,?,?), ref: 6C36AB27

Strings

G.5l, xrefs: 6C36AAE2

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
String ID: G.5l
API String ID: 1466638765-4083235767
Opcode ID: 219e4b7e9a0fdd73e2db63af583defdbc9511ec813f9851a9777c88b9c8922b1
Instruction ID: b9ceb2ea86b2f953cc52bf83401859594b78292762c770a51dc092e84380229c
Opcode Fuzzy Hash: 219e4b7e9a0fdd73e2db63af583defdbc9511ec813f9851a9777c88b9c8922b1
Instruction Fuzzy Hash: A5F0ED75701650DFCB15EF58E588D6477BDFB0B314B05405AF90987741EB366801CF95

Function 03D3D830 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 03D3D868
IsBadReadPtr.KERNEL32(?,00000014), ref: 03D3D938
SetLastError.KERNEL32(0000007F), ref: 03D3D963

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Read$ErrorLast
String ID:
API String ID: 2715074504-0
Opcode ID: 48f84403086f8c57697d738f9e4e929390e18b66b829cd649c7dc3eeb64877f9
Instruction ID: 3dc918b1a17d396217b47410ceb71243eb6e1fff20e47a781b16efe49e7e55c2
Opcode Fuzzy Hash: 48f84403086f8c57697d738f9e4e929390e18b66b829cd649c7dc3eeb64877f9
Instruction Fuzzy Hash: C1419CB1A00209ABDB10CF99D880B6AF3FAFF89714F1885A9D84997350D770F911CFA0

Function 6C3815C6 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(CDB86E77,00000000,00000000,?), ref: 6C381629

Part of subcall function 6C37A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C37D550,?,00000000,-00000008), ref: 6C37A7B2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C38187B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C3818C1
GetLastError.KERNEL32 ref: 6C381964

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4e597b79ea5876224e06987a23c00c5d072e2d4d70eb5a4ef1ae4a47ec287d86
Instruction ID: 72b072e3b534c21b16863f4c25605787d3801fda032215f8e833cc6d3eb132e5
Opcode Fuzzy Hash: 4e597b79ea5876224e06987a23c00c5d072e2d4d70eb5a4ef1ae4a47ec287d86
Instruction Fuzzy Hash: 3DD15B75E052489FCF05CFA8C880AEDBBB9EF09314F24416AE466AB741E731E945CF60

Function 6C3799CA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6C379A91
___AdjustPointer.LIBCMT ref: 6C379AB4
___AdjustPointer.LIBCMT ref: 6C379B50

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b2884c0d2eb7cc42eb52e7cb7886c3140c0320c443fbae133d8977d77caa582a
Instruction ID: fe0c9b9d5492327621a31a3c39e8847a840f2c341ff19aff095f438a93949593
Opcode Fuzzy Hash: b2884c0d2eb7cc42eb52e7cb7886c3140c0320c443fbae133d8977d77caa582a
Instruction Fuzzy Hash: BC51D072606706AFDF249F15C880BAA73B4EF45318F204729D85547A90E73AE844CFB9

Function 6C355280 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C3552FB
Concurrency::cancel_current_task.LIBCPMT ref: 6C3553A7
Concurrency::cancel_current_task.LIBCPMT ref: 6C3553B3
Concurrency::cancel_current_task.LIBCPMT ref: 6C3553BF

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Concurrency::cancel_current_task$_strlen
String ID:
API String ID: 3047427315-0
Opcode ID: 89b9c0be83b5809f2fa7096451b2df44988ce7056f5b6246d86f2bf4ec770376
Instruction ID: dd2206160a76f392eb2d6834ff5ead0feced2057045e9adc2e36ffa051740a79
Opcode Fuzzy Hash: 89b9c0be83b5809f2fa7096451b2df44988ce7056f5b6246d86f2bf4ec770376
Instruction Fuzzy Hash: B441E4B1C003888FDB10CFA4D841B9EBBB4AF05318F084529E4995BB51E7B5E618CFA2

Function 1000E425 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000E459
__isleadbyte_l.LIBCMT ref: 1000E48C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 1000E4BD
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 1000E52B

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: faff6b0e24b146ed5f76b5f803dc00f384076012b6a75b333959b6e0697892ea
Instruction ID: 678bb179593d23e830fa626ca8f93fbb1acc7737e5ff7f739f33e090e4c13c79
Opcode Fuzzy Hash: faff6b0e24b146ed5f76b5f803dc00f384076012b6a75b333959b6e0697892ea
Instruction Fuzzy Hash: 9731AE71A042D6EFEB10CFA4C884AAD3BE6EF013D1B1585A9E4A4AB099D730DD40DB51

Function 6C354E70 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C354EA5
std::_Lockit::_Lockit.LIBCPMT ref: 6C354EC2
std::_Lockit::~_Lockit.LIBCPMT ref: 6C354EE3
std::_Lockit::~_Lockit.LIBCPMT ref: 6C354F79

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: a45d4f1d03c7bf15de1660b860364b22fe0641a98a64314e83b8b6a1f7affcec
Instruction ID: 2adf04b4143e9664c079350bd75afe8be770494e85e6c95285619d499dec94a7
Opcode Fuzzy Hash: a45d4f1d03c7bf15de1660b860364b22fe0641a98a64314e83b8b6a1f7affcec
Instruction Fuzzy Hash: 00417B71E002188FCF05DF99D844BEEB7B4FB09328F444229E8546BB50E736A964CF91

Function 03D4A5C2 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03D4A5F6
__isleadbyte_l.LIBCMT ref: 03D4A629
MultiByteToWideChar.KERNEL32(00000080,00000009,03D5FBA0,?,03D52564,00000000,?,?,?,?,03D5FBA0,03D52564), ref: 03D4A65A
MultiByteToWideChar.KERNEL32(00000080,00000009,03D5FBA0,00000001,03D52564,00000000,?,?,?,?,03D5FBA0,03D52564), ref: 03D4A6C8

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: dfd5505b5dfa0bebef902232b624045d88e704a8e98c09da16138392f358648b
Instruction ID: 938bf7c38b6b36f402712b50a21362ebb994e762a672cca5445d81e438bbd9b7
Opcode Fuzzy Hash: dfd5505b5dfa0bebef902232b624045d88e704a8e98c09da16138392f358648b
Instruction Fuzzy Hash: EF31B071A40356EFDB21DFA4C890ABE7BB9FF01711F1985A9E4618B191E730DD40CB50

Function 6C352EB0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C352EE5
std::_Lockit::_Lockit.LIBCPMT ref: 6C352EFF
std::_Lockit::~_Lockit.LIBCPMT ref: 6C352F20
std::_Lockit::~_Lockit.LIBCPMT ref: 6C352FF5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 95dce12b872f25db8ffbfaefc8a7524f2f370ef02c66e19a653af73aba41d10e
Instruction ID: ff9234dd6920c9b76fd976377e65a547065a2ddb5e03e18698411ea60588fc71
Opcode Fuzzy Hash: 95dce12b872f25db8ffbfaefc8a7524f2f370ef02c66e19a653af73aba41d10e
Instruction Fuzzy Hash: 87416971E002248FCB10DF95D554BDEB7B4FF49B18F448219D899ABB90E736A904CF92

Function 6C35CB70 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C35CBA5
std::_Lockit::_Lockit.LIBCPMT ref: 6C35CBBF
std::_Lockit::~_Lockit.LIBCPMT ref: 6C35CBE0
std::_Lockit::~_Lockit.LIBCPMT ref: 6C35CCB5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 02f39ec4259e6628810387b443888688627abdc2bc4b3051ba457f3448739ad6
Instruction ID: 5ffdffd3028850dd641bff58f1a5b39303bf30b5b275ea290525c4636c5d3285
Opcode Fuzzy Hash: 02f39ec4259e6628810387b443888688627abdc2bc4b3051ba457f3448739ad6
Instruction Fuzzy Hash: EA417971E002188FCF00EF98D550B9EB7B4FF48B18F444119D899ABB80E736A945CFA2

Function 6C35B4E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C35B515
std::_Lockit::_Lockit.LIBCPMT ref: 6C35B52F
std::_Lockit::~_Lockit.LIBCPMT ref: 6C35B550
std::_Lockit::~_Lockit.LIBCPMT ref: 6C35B625

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 326f9aa1faa9b4b9c6ba08e4ea9d597f37fcb053945753ba1f3f5f8be94ba448
Instruction ID: 3e4f7013c694309beada06de8ee59bdf9a7c4d325987b564efe71db0f0cef017
Opcode Fuzzy Hash: 326f9aa1faa9b4b9c6ba08e4ea9d597f37fcb053945753ba1f3f5f8be94ba448
Instruction Fuzzy Hash: 0A415871E002188FDF14DF95D450BAEBBB4FF45718F844219D899ABB84EB36A904CF92

Function 03D38020 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03D38038
_memset.LIBCMT ref: 03D38042
lstrlenW.KERNEL32(?), ref: 03D3804B
lstrlenW.KERNEL32(?), ref: 03D38056

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: lstrlen$_memset
String ID:
API String ID: 2425037729-0
Opcode ID: c82cf4ed43a9dd9f8bff1359099ded3c00e2078c96f9a5af5af153413db0c827
Instruction ID: b5eee58a7e9b504861b41addb2eb32b71beede9eb410df191f9db988f3f0178b
Opcode Fuzzy Hash: c82cf4ed43a9dd9f8bff1359099ded3c00e2078c96f9a5af5af153413db0c827
Instruction Fuzzy Hash: 8C21F876B002089BCF14DE68DC809FEB3A9EBC5B20B29406DFD0987601F771DD6996A0

Function 6C37F665 Relevance: 6.1, APIs: 4, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C37A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C37D550,?,00000000,-00000008), ref: 6C37A7B2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6C37F6C9
__dosmaperr.LIBCMT ref: 6C37F6D0
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C37F70A
__dosmaperr.LIBCMT ref: 6C37F711

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6cfb3b808bafebfcc401d42a6af3781a0c2d7bcd1f73aa7228cde1c40e000203
Instruction ID: 615986eca1b7f1c26acb208682955722044f7e4ba74887ffe9f320dd33c0881e
Opcode Fuzzy Hash: 6cfb3b808bafebfcc401d42a6af3781a0c2d7bcd1f73aa7228cde1c40e000203
Instruction Fuzzy Hash: 6A218371604245AFDB309FA6CC8499AB7BDFF093AC7048619E85497B50E73AEC108F79

Function 6C36F93F Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320c949b8fc211e69c6a920fb377696dd2d880cd4efc4bd1db6d4879c7e8a3fd
Instruction ID: ca8d0a599ceed4892aa4f53c595e5470b88dd8ce6856e71de3950070b133466b
Opcode Fuzzy Hash: 320c949b8fc211e69c6a920fb377696dd2d880cd4efc4bd1db6d4879c7e8a3fd
Instruction Fuzzy Hash: 64218032204206BB8B10AF678C84A8A77FDAF0A36C7148615E856D7F44EB32DC00CF61

Function 6C380C88 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6C380C90

Part of subcall function 6C37A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C37D550,?,00000000,-00000008), ref: 6C37A7B2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C380CC8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C380CE8

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 1a16e369bb25be90d6e766cd540d3c1c844e8e0b31ee07c1b7bc7b2a57b1fc39
Instruction ID: 0a93b9cc4cbd7adea4104a3d015d2e85dc85d02f82fcdd64a24f525ba3d94fc0
Opcode Fuzzy Hash: 1a16e369bb25be90d6e766cd540d3c1c844e8e0b31ee07c1b7bc7b2a57b1fc39
Instruction Fuzzy Hash: FC11D6B26075597FA7112BB68C8DCAF69BCCF4A29C3101115F801D1600FF79ED048D76

Function 6C3607B0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,-00000A64,?,00000000,?,6C360BAE,?), ref: 6C3607C6
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?), ref: 6C360803
WideCharToMultiByte.KERNEL32 ref: 6C360833
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 6C360862

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 0ff682b2a20d65e405d3e0ed312c9b866b415eb74f7b711ff6009e1aa6420377
Instruction ID: ebc8e8249b05f8e789a5007d179937e4b0fc6a445cc2671ada0ed61a1161a838
Opcode Fuzzy Hash: 0ff682b2a20d65e405d3e0ed312c9b866b415eb74f7b711ff6009e1aa6420377
Instruction Fuzzy Hash: D5112E717443047BF7105F219C09F573AACDB87778F150715F6685A2D0FB75A9088AA2

Function 10004380 Relevance: 6.1, APIs: 4, Instructions: 70networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 100043EC

Part of subcall function 100013A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 100013CB

Part of subcall function 10004C50: HeapFree.KERNEL32(?,00000000,?,00000000,10004E35,?,100042C8,10004E35,00000000,?,00000001,10004E35,?), ref: 10004C77

SetLastError.KERNEL32(00000000,?), ref: 100043D7
SetLastError.KERNEL32(00000057), ref: 10004401
WSAGetLastError.WS2_32(?), ref: 10004410

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFree
String ID:
API String ID: 1906775185-0
Opcode ID: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
Instruction ID: af902972c3ae3a33560ac4961c645c5895ff77c926fb996934c7b8e77325769a
Opcode Fuzzy Hash: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
Instruction Fuzzy Hash: CA11CA76B055289BE700DFA9E8845DEB7A8EF883B2B0541B6FD0CD7204DA35DD0546D4

Function 03D34380 Relevance: 6.1, APIs: 4, Instructions: 70networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 03D343EC

Part of subcall function 03D313A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 03D313CB

Part of subcall function 03D341E0: EnterCriticalSection.KERNEL32(03D34FB5,03D34E55,03D342BE,00000000,?,?,03D34E55,?,?,?,?,00000000,000000FF), ref: 03D341E8
Part of subcall function 03D341E0: LeaveCriticalSection.KERNEL32(03D34FB5,?,?,?,00000000,000000FF), ref: 03D341F6

Part of subcall function 03D34C70: HeapFree.KERNEL32(?,00000000,?,00000000,03D34E55,?,03D342C8,03D34E55,00000000,?,?,03D34E55,?), ref: 03D34C97

SetLastError.KERNEL32(00000000,?), ref: 03D343D7
SetLastError.KERNEL32(00000057), ref: 03D34401
WSAGetLastError.WS2_32(?), ref: 03D34410

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2060118545-0
Opcode ID: 9739e87d5bbd74516c5c7fb5a0309c9ff7f1457d9aed7f5037284b07a9b65177
Instruction ID: 357687e8c66cdd02485819aa36ec39560f2ef738a61ec3668cc498249e8fa92d
Opcode Fuzzy Hash: 9739e87d5bbd74516c5c7fb5a0309c9ff7f1457d9aed7f5037284b07a9b65177
Instruction Fuzzy Hash: 5411A33BE056189B9710FE7AF8845DEB7A8EF85722B0845AAEC0CD7200E6359E0546E1

Function 03D3DE70 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03D3DE93
_free.LIBCMT ref: 03D3DED5
GetProcessHeap.KERNEL32(00000000,00000000,03D3DC95), ref: 03D3DEFC
HeapFree.KERNEL32(00000000), ref: 03D3DF03

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Heap_free$FreeProcess
String ID:
API String ID: 1072109031-0
Opcode ID: c4a63ec683f3afac98e3cf20c79ccac8eff858e5ff9b142854cf5060e2825afd
Instruction ID: 3ee77c54b81b44a1cae70b572423e4257ebec68869481dfc638aada77530823f
Opcode Fuzzy Hash: c4a63ec683f3afac98e3cf20c79ccac8eff858e5ff9b142854cf5060e2825afd
Instruction Fuzzy Hash: 93115B756417009FD730DB64CC45B27B3AABB85B10F18891CE59A97A90D774F842CFA1

Function 10003BF0 Relevance: 6.1, APIs: 4, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(10003ABB,00000001,00000023), ref: 10003C02
WSAGetLastError.WS2_32 ref: 10003C0D
send.WS2_32(00000001,00000000,00000000,00000000), ref: 10003C58
WSAGetLastError.WS2_32 ref: 10003C63

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ErrorLast$EventSelectsend
String ID:
API String ID: 259408233-0
Opcode ID: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
Instruction ID: 2cb4a202ed201c3bbb9feb76d4ba786ae7603a0bc4fad51836a507335b835d1f
Opcode Fuzzy Hash: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
Instruction Fuzzy Hash: 19116AB6600710ABE320CB79C8C8A47B7E9FB88750B014A2DE956C7690C732E8008B50

Function 03D33BF0 Relevance: 6.1, APIs: 4, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,03D33ABB,00000023), ref: 03D33C02
WSAGetLastError.WS2_32 ref: 03D33C0D
send.WS2_32(?,00000000,00000000,00000000), ref: 03D33C58
WSAGetLastError.WS2_32 ref: 03D33C63

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$EventSelectsend
String ID:
API String ID: 259408233-0
Opcode ID: 2750fc36fc4fee70ce968cfba938431a2baa18494dc0d20d89f1d5925f7aaed9
Instruction ID: 14fbe408c7dcae37a45f1da1e003a8ceeb60777822b5050a533513d6a7225068
Opcode Fuzzy Hash: 2750fc36fc4fee70ce968cfba938431a2baa18494dc0d20d89f1d5925f7aaed9
Instruction Fuzzy Hash: 9A115EBAA007009BD720DF79D988A57B6F9FB89B10F150A2DF566C7680DB35E800CB60

Function 1000F361 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1000F387

Part of subcall function 1000F1B3: __fltout2.LIBCMT ref: 1000F1DE

__cftog_l.LIBCMT ref: 1000F3AD
__cftoe_l.LIBCMT ref: 1000F3DF

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 466f4f1e7ae25f0961f396d3557a49c78803b8d6a6677ae74fd306ec2772594f
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 08114E3640018AFBDF129E84CC41CEE3F62FB083A4B558419FE6859439C336DAB1BB81

Function 03D4BDEB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 03D4BE11

Part of subcall function 03D4BC3D: __fltout2.LIBCMT ref: 03D4BC68

__cftog_l.LIBCMT ref: 03D4BE37
__cftoe_l.LIBCMT ref: 03D4BE69

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 94e7694aa9d3e371fc0d995a1b5445238152d83f09105b8aecd660e33bc33af1
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 4C114C3600014EBBCF169E94CC51CEE3F67BB68650B588866FA9859130C736C5B1AB91

Function 03D341E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(03D34FB5,03D34E55,03D342BE,00000000,?,?,03D34E55,?,?,?,?,00000000,000000FF), ref: 03D341E8
LeaveCriticalSection.KERNEL32(03D34FB5,?,?,?,00000000,000000FF), ref: 03D341F6
LeaveCriticalSection.KERNEL32(03D34FB5), ref: 03D34257
SetEvent.KERNEL32(8520468B), ref: 03D34272

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: f34c4f6bc4e682b369259fa6a44d94cf8331d03ab92865795c9f1c10aa7571c8
Instruction ID: e227b793f8ef302fc7bd3e98b6b2ea9bb3c2e875c77619e5bf1456e7826fb37e
Opcode Fuzzy Hash: f34c4f6bc4e682b369259fa6a44d94cf8331d03ab92865795c9f1c10aa7571c8
Instruction Fuzzy Hash: 811145B9604B049FC724CF75C584A96BBF9BF49300B54C96DE45E8B301EB34EA01CB00

Function 10004AE0 Relevance: 6.0, APIs: 4, Instructions: 45timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000001,?,00000001,?,10003C4F,?,?,00000001), ref: 10004AF5
InterlockedIncrement.KERNEL32(?), ref: 10004B04
InterlockedIncrement.KERNEL32(?), ref: 10004B11
timeGetTime.WINMM(?,00000001,?,10003C4F,?,?,00000001), ref: 10004B28

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: IncrementInterlockedTimetime
String ID:
API String ID: 159728177-0
Opcode ID: ecc8ba4fb7d149bb0e17cd39b255899764ae90b27ed04fa3fbe9ab010b97b0d8
Instruction ID: 0a1d15bd5f988d4bea10877f224db5579cb700bf5039280ae9249a62ae1a06e8
Opcode Fuzzy Hash: ecc8ba4fb7d149bb0e17cd39b255899764ae90b27ed04fa3fbe9ab010b97b0d8
Instruction Fuzzy Hash: E20116B5601705AFD720DFBAC88098AFBF9EF4C650701892EE549CB611E771EA448FE0

Function 03D34B00 Relevance: 6.0, APIs: 4, Instructions: 45timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000001,?,00000001,?,03D33C4F,?,?,00000001), ref: 03D34B15
InterlockedIncrement.KERNEL32(00000001), ref: 03D34B24
InterlockedIncrement.KERNEL32(00000001), ref: 03D34B31
timeGetTime.WINMM(?,03D33C4F,?,?,00000001), ref: 03D34B48

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: IncrementInterlockedTimetime
String ID:
API String ID: 159728177-0
Opcode ID: ada15f5589eaaadfb53b1b7630fb8a052695c8ba67156ca8add3795932f7e0a9
Instruction ID: 0d13af5faaffdeb032acd021d5b08e1cdd1c72a8ea84eceaa1f05f8cfe1e5c4d
Opcode Fuzzy Hash: ada15f5589eaaadfb53b1b7630fb8a052695c8ba67156ca8add3795932f7e0a9
Instruction Fuzzy Hash: F701C8B66007059FC760EF6AD88094AFBF9EF59650700892EE549C7710E674EA448FA0

Function 10003660 Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 10003667
_free.LIBCMT ref: 1000369C

Part of subcall function 10006E49: HeapFree.KERNEL32(00000000,00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006E5F
Part of subcall function 10006E49: GetLastError.KERNEL32(00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000), ref: 10006E71

_malloc.LIBCMT ref: 100036D7
_memset.LIBCMT ref: 100036E5

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
String ID:
API String ID: 3340475617-0
Opcode ID: 391cc94a781e731dd4c35f2c6748f9c6c817e77f81a08f70d75bdfa6bee01c3e
Instruction ID: 20f9dc9dccf48a4f32705b4407c0702e844904f7cd1830b54ea69625ce22a711
Opcode Fuzzy Hash: 391cc94a781e731dd4c35f2c6748f9c6c817e77f81a08f70d75bdfa6bee01c3e
Instruction Fuzzy Hash: 8401DEF5900B44DFE360CF7AD881B97B7E9EB45254F11882EE5AE87302DA31A8048F60

Function 03D33660 Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03D33667
_free.LIBCMT ref: 03D3369C

Part of subcall function 03D3F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03D43E4C,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76), ref: 03D3F64F
Part of subcall function 03D3F639: GetLastError.KERNEL32(00000000,?,03D43E4C,00000000,?,03D44500,00000000,00000001,00000000,?,03D48DE6,00000018,03D56448,0000000C,03D48E76,00000000), ref: 03D3F661

_malloc.LIBCMT ref: 03D336D7
_memset.LIBCMT ref: 03D336E5

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
String ID:
API String ID: 3340475617-0
Opcode ID: b039a63549e92509bca327c131f49f04ccd9ce727bba74ace8857d8511f59d27
Instruction ID: b079f537a5d6d5c9fb1a733a624a9d46f6c4b03176b71ca5b9288baab7652800
Opcode Fuzzy Hash: b039a63549e92509bca327c131f49f04ccd9ce727bba74ace8857d8511f59d27
Instruction Fuzzy Hash: A901DAF5940B04DFE360DF7A9881B97BBE9EB86214F14482ED5AE87301D630A8058F20

Function 10006490 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001420: HeapFree.KERNEL32(?,00000000,?,?,?,100040B1,?,00000000,10004039,?,74DEDFA0,10003648), ref: 1000143D
Part of subcall function 10001420: _free.LIBCMT ref: 10001459

HeapDestroy.KERNEL32(00000000), ref: 100064A3
HeapCreate.KERNEL32(?,?,?), ref: 100064B5
_free.LIBCMT ref: 100064C5
HeapDestroy.KERNEL32 ref: 100064F2

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 93927da24fa2970c59e2ba275e76658273f805c74c1ab82e82c9513be7b43463
Instruction ID: e941b2b67b7b789b38fb12685925c4a960f3707d906db07a4445c0daadc26747
Opcode Fuzzy Hash: 93927da24fa2970c59e2ba275e76658273f805c74c1ab82e82c9513be7b43463
Instruction Fuzzy Hash: 28F032B9600702ABE710CF65D848B53B7FAFF88791F218528E86987244DB35F851CBA0

Function 03D3CD80 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03D31420: HeapFree.KERNEL32(?,00000000,?,?,?,03D340B1,?,00000000,03D34039,?,74DEDFA0,03D33648), ref: 03D3143D
Part of subcall function 03D31420: _free.LIBCMT ref: 03D31459

HeapDestroy.KERNEL32(00000000), ref: 03D3CD93
HeapCreate.KERNEL32(?,?,?), ref: 03D3CDA5
_free.LIBCMT ref: 03D3CDB5
HeapDestroy.KERNEL32 ref: 03D3CDE2

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 49828bcd7bc66f7b9de45a8eae37c39433611b0ca6b77ab3d06efd6f1c227005
Instruction ID: f80d3d282a7b42f7e7ec166861fbae2784eb5fd5d58dd5fafe84aef453f1be8c
Opcode Fuzzy Hash: 49828bcd7bc66f7b9de45a8eae37c39433611b0ca6b77ab3d06efd6f1c227005
Instruction Fuzzy Hash: 6DF049BA100702ABD710EF24E808B63FBB8FF85B50F144919E859DB740DB34E955CBA0

Function 6C38B1F7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,6C3807FB,00000000,00000000,00000000,?,6C38A519,00000000,00000001,00000000,?,?,6C3819B8,?,00000000,00000000), ref: 6C38B20E
GetLastError.KERNEL32(?,6C38A519,00000000,00000001,00000000,?,?,6C3819B8,?,00000000,00000000,?,?,?,6C3812FE,?), ref: 6C38B21A

Part of subcall function 6C38B26B: CloseHandle.KERNEL32(FFFFFFFE,6C38B22A,?,6C38A519,00000000,00000001,00000000,?,?,6C3819B8,?,00000000,00000000,?,?), ref: 6C38B27B

___initconout.LIBCMT ref: 6C38B22A

Part of subcall function 6C38B24C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C38B1E8,6C38A506,?,?,6C3819B8,?,00000000,00000000,?), ref: 6C38B25F

WriteConsoleW.KERNEL32(00000000,6C3807FB,00000000,00000000,?,6C38A519,00000000,00000001,00000000,?,?,6C3819B8,?,00000000,00000000,?), ref: 6C38B23F

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ab0e4659e59ed8bd99a425d241b14a49ef6155e9c364b9270129be4b0ec422a9
Instruction ID: ecfacaff163ad78d7eeb0ea437169f778c315373fb173cd99b9328328cc59dbc
Opcode Fuzzy Hash: ab0e4659e59ed8bd99a425d241b14a49ef6155e9c364b9270129be4b0ec422a9
Instruction Fuzzy Hash: 03F0AC36605115BBCF122FA5DC0998E7F7AFB0B3A9B454111FA1899560D73389209FD1

Function 6C380A88 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

ReadConsoleInputW.KERNEL32(0000000C,6C399D90,6C373444,00000000,?,6C3734C8,00000000,00000001,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380A9D
GetLastError.KERNEL32(?,6C3734C8,00000000,00000001,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380AA9

Part of subcall function 6C380C1D: CloseHandle.KERNEL32(FFFFFFFF,6C380B05,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C2D

___initconin.LIBCMT ref: 6C380AB9

Part of subcall function 6C380BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C380A79,6C3736CB,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C11

ReadConsoleInputW.KERNEL32(0000000C,6C399D90,6C373444,?,6C3734C8,00000000,00000001,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380ACD

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 838051604-0
Opcode ID: fe83a6ede68fa075988afcf0d3c659fe3afa275578876a7e650e5173e856e38a
Instruction ID: 3ea118ed41e9bf695525ec69f2f75acb3109866cbdaabdaafbe4035e128f9354
Opcode Fuzzy Hash: fe83a6ede68fa075988afcf0d3c659fe3afa275578876a7e650e5173e856e38a
Instruction Fuzzy Hash: A7F03036103058BBCF122FD5CC049E93F7AFB4A364B054050FE28A6220EB37C8209F81

Function 6C36D1C7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6C36D1D9
GetCurrentThreadId.KERNEL32 ref: 6C36D1E8
GetCurrentProcessId.KERNEL32 ref: 6C36D1F1
QueryPerformanceCounter.KERNEL32(?), ref: 6C36D1FE

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 7c888f0824c5de01cf898d49028607955329e546d115220a57ce9fac82c63dfb
Instruction ID: 5b360878183620c1387ccbeb55e236ec30f43e982f4ae47b35806150e3851bb8
Opcode Fuzzy Hash: 7c888f0824c5de01cf898d49028607955329e546d115220a57ce9fac82c63dfb
Instruction Fuzzy Hash: 82F05F74D1020DEBCF00DFB4C64999EBBF8EF1E200B914596A412E6140E630AA44DF50

Function 6C380ADA Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetNumberOfConsoleInputEvents.KERNEL32(?,?,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380AE9
GetLastError.KERNEL32(?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380AF5

Part of subcall function 6C380C1D: CloseHandle.KERNEL32(FFFFFFFF,6C380B05,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C2D

___initconin.LIBCMT ref: 6C380B05

Part of subcall function 6C380BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C380A79,6C3736CB,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C11

GetNumberOfConsoleInputEvents.KERNEL32(?,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380B13

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleEventsInputNumber$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 1600138625-0
Opcode ID: 6167f06320d74fcab8e1903f1cb06a849d20a66f3f4acc1d0ec177f331439040
Instruction ID: c8fb313b5d6ef5d4a50c8e12be166dfe5a6ed5dd16620a2c4d452a85d2e9a13f
Opcode Fuzzy Hash: 6167f06320d74fcab8e1903f1cb06a849d20a66f3f4acc1d0ec177f331439040
Instruction Fuzzy Hash: 92E04F326061587B8F132FA9D8089C93E7DEB077A97450120F90993610EB23C850CFD1

Function 6C380B72 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(0000000C,?,?,6C3734A7,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380B81
GetLastError.KERNEL32(?,6C3734A7,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380B8D

Part of subcall function 6C380C1D: CloseHandle.KERNEL32(FFFFFFFF,6C380B05,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C2D

___initconin.LIBCMT ref: 6C380B9D

Part of subcall function 6C380BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C380A79,6C3736CB,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C11

GetConsoleMode.KERNEL32(0000000C,?,6C3734A7,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380BAB

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 3067319862-0
Opcode ID: f5b3bfc959f535ddf46d3569375a2c0e365f5ce77ad21ae2606cbbf69ea4201e
Instruction ID: 3bb8d116e6b1bc84af9a5bdcc714054d837613fad738a10ca96eaa60dcb0f6b3
Opcode Fuzzy Hash: f5b3bfc959f535ddf46d3569375a2c0e365f5ce77ad21ae2606cbbf69ea4201e
Instruction Fuzzy Hash: 2BE04F366062697B8F223F96D8199C93F79EB07BAD7050160F90993710EA23C851CFD1

Function 6C380BB8 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

SetConsoleMode.KERNEL32(0000000C,00000000,?,6C3734AF,00000000,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380BC7
GetLastError.KERNEL32(?,6C3734AF,00000000,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380BD3

Part of subcall function 6C380C1D: CloseHandle.KERNEL32(FFFFFFFF,6C380B05,?,6C3736DC,0000000C,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C2D

___initconin.LIBCMT ref: 6C380BE3

Part of subcall function 6C380BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C380A79,6C3736CB,66666667,?,?,6C3733F4,6C399D70,0000000C,6C351B27), ref: 6C380C11

SetConsoleMode.KERNEL32(0000000C,?,6C3734AF,00000000,?,6C399DB0,00000038,6C373444,6C399D90,0000000C,6C351B30), ref: 6C380BF1

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 3067319862-0
Opcode ID: 531041baf857d3ce39d7b6cc1d68b73e4ba721e855294b3438b5cec2eed51f48
Instruction ID: 5f36002e5ddd050187f8df1acd28fe1423563b803657e141f567244ebf3d2996
Opcode Fuzzy Hash: 531041baf857d3ce39d7b6cc1d68b73e4ba721e855294b3438b5cec2eed51f48
Instruction Fuzzy Hash: 0DE0BF366471646B8F122FD5DC089D93E79EB477B97450160F90997610EA23C8909FD1

Function 6C36BCAF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C36BE51

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 6C36BD7C, 6C36BD81, 6C36BD9D, 6C36BDD2, 6C36BDD7
-, xrefs: 6C36BE7F

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 9ae0cd0f19ab7aac5bc81fff766c41003aa5ed03cf0baebfaf7d5a05d0076354
Instruction ID: 2b0ff100fa6cea58db5ed8fbe8270edfac6adfbb4292d8e629a7457fea985e16
Opcode Fuzzy Hash: 9ae0cd0f19ab7aac5bc81fff766c41003aa5ed03cf0baebfaf7d5a05d0076354
Instruction Fuzzy Hash: B3610670E442499FDB118E6BC4807AEBBF9AF4530CF244099F590EFE48D77589419F61

Function 6C373691 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6C373709
__freea.LIBCMT ref: 6C3737A1

Strings

gfff, xrefs: 6C3737AD

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: __alloca_probe_16__freea
String ID: gfff
API String ID: 1635606685-1553575800
Opcode ID: fb215a2d254c8aaa5eaa0ce01f524322453ae9e53b142db81232724c21c3e3f9
Instruction ID: da28404dc71e1ac793f06dda4376921f9366ee1ba3487427511194449a2f82cf
Opcode Fuzzy Hash: fb215a2d254c8aaa5eaa0ce01f524322453ae9e53b142db81232724c21c3e3f9
Instruction Fuzzy Hash: FB315EB2A056919BCB708E69C88065FB7B89F4571CB210529C860D7E40E73FD5058FB9

Function 6C37A0C7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6C379FC8,?,?,00000000,00000000,00000000,?), ref: 6C37A0EC

Strings

RCC, xrefs: 6C37A106
MOC, xrefs: 6C37A0FE

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 74876166b3b30da34ff77e0fb0ce76588c1b0a0962d87fe59a9053b4886f94c3
Instruction ID: a2f44db02812177c2f3927921e9dcda52821277723543deaa9102376dd8677d2
Opcode Fuzzy Hash: 74876166b3b30da34ff77e0fb0ce76588c1b0a0962d87fe59a9053b4886f94c3
Instruction Fuzzy Hash: 95416871901209AFEF15CF94C880AEEBBB5FF48308F244159F91467651D33AD950DFA5

Function 6C3530B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C3530E6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C353222

Part of subcall function 6C36B0F3: _Yarn.LIBCPMT ref: 6C36B113
Part of subcall function 6C36B0F3: _Yarn.LIBCPMT ref: 6C36B137

Strings

bad locale name, xrefs: 6C353166

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: d344264df1b64d7d64e26cc0d01610254629121dbda2ad7e1a388ba5ebd99e06
Instruction ID: e8a84f3693d370a940f23702887cc0a2d8f32889d60c4fae6d9090ff02d5f42b
Opcode Fuzzy Hash: d344264df1b64d7d64e26cc0d01610254629121dbda2ad7e1a388ba5ebd99e06
Instruction Fuzzy Hash: 48413CF1A006459BEB10DF69D804B57BAF8BF04708F004528E4999BB40E37AE518CFE6

Function 6C379933 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6C379BAA

Strings

csm, xrefs: 6C379BCC
csm, xrefs: 6C379C3D

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 1cf300b58179cf41d951945e14d076bb32e9ceecc22e84eb1d7450c051c02caf
Instruction ID: db1712fcb0bea52102d4764e2303730f8e1d53f7260b8fa8671084dbaf363d42
Opcode Fuzzy Hash: 1cf300b58179cf41d951945e14d076bb32e9ceecc22e84eb1d7450c051c02caf
Instruction Fuzzy Hash: 9431B47141431AAFCF329F51CC8099A3BA9FF09329B18435AFC5449520C33BC861DFAA

Function 6C3526D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6C352718

Strings

Y.5l, xrefs: 6C3526DB, 6C3526D3, 6C352717, 6C352740
ios_base::badbit set, xrefs: 6C3526D5

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: _strlen
String ID: Y.5l$ios_base::badbit set
API String ID: 4218353326-1301851943
Opcode ID: f439333f6ff6cf16906ab3648569f5365b45e7ff09f59dda0341d6df1964763f
Instruction ID: ef63d8aa9990eaabfeab94dbcc2fe3f757bed286d5ef40c9ce4e0afc4eeb206e
Opcode Fuzzy Hash: f439333f6ff6cf16906ab3648569f5365b45e7ff09f59dda0341d6df1964763f
Instruction Fuzzy Hash: F131A2B2D002589BDB10DFA4DD84BDEBBB5FF48324F540229E844A7781E3365A94CFA1

Function 03D3B19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 03D3BC70: GetDesktopWindow.USER32 ref: 03D3BC8F
Part of subcall function 03D3BC70: GetDC.USER32(00000000), ref: 03D3BC9C
Part of subcall function 03D3BC70: CreateCompatibleDC.GDI32(00000000), ref: 03D3BCA2
Part of subcall function 03D3BC70: GetDC.USER32(00000000), ref: 03D3BCAD
Part of subcall function 03D3BC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 03D3BCBA
Part of subcall function 03D3BC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 03D3BCC2
Part of subcall function 03D3BC70: ReleaseDC.USER32(00000000,00000000), ref: 03D3BCD3
Part of subcall function 03D3BC70: GetSystemMetrics.USER32(0000004C), ref: 03D3BD78
Part of subcall function 03D3BC70: GetSystemMetrics.USER32(0000004D), ref: 03D3BD8D
Part of subcall function 03D3BC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 03D3BDA6
Part of subcall function 03D3BC70: SelectObject.GDI32(?,00000000), ref: 03D3BDB4
Part of subcall function 03D3BC70: SetStretchBltMode.GDI32(?,00000003), ref: 03D3BDC0
Part of subcall function 03D3BC70: GetSystemMetrics.USER32(0000004F), ref: 03D3BDCD
Part of subcall function 03D3BC70: GetSystemMetrics.USER32(0000004E), ref: 03D3BDE0

Part of subcall function 03D3F707: _malloc.LIBCMT ref: 03D3F721

_memset.LIBCMT ref: 03D3B1E1
swprintf.LIBCMT ref: 03D3B204

Strings

%s %s, xrefs: 03D3B1F3

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
String ID: %s %s
API String ID: 1028806752-581060391
Opcode ID: b5392ec592fc09d24ffeb030a6afa8494c62c49a072f86717750b8cf39bdda0c
Instruction ID: 6c358ae27bd3ac1ab702d7b9e7f94dc229a7c92f632bd8c3fdd0c8f9bb337630
Opcode Fuzzy Hash: b5392ec592fc09d24ffeb030a6afa8494c62c49a072f86717750b8cf39bdda0c
Instruction Fuzzy Hash: EC21B4B6904340ABD611EB65DC81E5FB7E8EFDA710F08052EF4895B241E661D908C7B3

Function 03D39100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03D39115

Part of subcall function 03D3EF39: std::exception::exception.LIBCMT ref: 03D3EF4E
Part of subcall function 03D3EF39: __CxxThrowException@8.LIBCMT ref: 03D3EF63
Part of subcall function 03D3EF39: std::exception::exception.LIBCMT ref: 03D3EF74

std::_Xinvalid_argument.LIBCPMT ref: 03D39128

Strings

string too long, xrefs: 03D39110, 03D39123

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 2545b8a5286953ea14ae6488629a1fa9406c5951f874ebbf4ae4a34aadd55d9b
Instruction ID: 002137df32c62d742bac0a10e7a026e5a6ba0c6d7093a086cc26322c91efb791
Opcode Fuzzy Hash: 2545b8a5286953ea14ae6488629a1fa9406c5951f874ebbf4ae4a34aadd55d9b
Instruction Fuzzy Hash: A71190763047408BC321CE2CE814B1AB7E9EBA7A61F140A6AE5919B781C7B1DC09C3B4

Function 03D393F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 03D3941D
std::_Xinvalid_argument.LIBCPMT ref: 03D3944A

Strings

invalid string position, xrefs: 03D39445

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position
API String ID: 3614006799-1799206989
Opcode ID: b3f4398294c30fe8f6e8b4ad621c24dc8f8a496de32b09c44f52aa02ed9cf61a
Instruction ID: aae800bf79d516978a1d02b641b6619a6ca336cffd240e9769b36c95aae3378d
Opcode Fuzzy Hash: b3f4398294c30fe8f6e8b4ad621c24dc8f8a496de32b09c44f52aa02ed9cf61a
Instruction Fuzzy Hash: E001F2336003045BC724EE78D89079AF39AEF42620F140A29F5629F680D7F1ED8483A4

Function 00E01AB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E01AC2
___raise_securityfailure.LIBCMT ref: 00E01BAA

Strings

0, xrefs: 00E01BA5

Memory Dump Source

Source File: 00000003.00000002.3556290818.0000000000E01000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000003.00000002.3556263696.0000000000E00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556319323.0000000000E02000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556351733.0000000000E03000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3556384480.0000000000E46000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e00000_Update.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0
API String ID: 3761405300-4015486719
Opcode ID: cbcea1874721053ac6b2c0e4635107c00a9ca3643fbd05de90df007ab14e3b98
Instruction ID: a4412e85e88a0a41f351c5aa2bd628330a6a5c951b2d43e64444e381bd186c46
Opcode Fuzzy Hash: cbcea1874721053ac6b2c0e4635107c00a9ca3643fbd05de90df007ab14e3b98
Instruction Fuzzy Hash: 6621B7B86122059ED314CF27E946A407BECBB0D314F10906AE959BA3A1E7B397C8CF44

Function 03D3F7BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 03D3F815

Part of subcall function 03D3F91B: __getptd_noexit.LIBCMT ref: 03D3F91B

Strings

B, xrefs: 03D3F80E

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
Instruction ID: 586b88d19c54552adac90d33f91c4ec4bd937514b3c567f6a28da6edc5e8002d
Opcode Fuzzy Hash: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
Instruction Fuzzy Hash: C0016DB5D0024DABDF00DFA5DC41AEEBBB8EB05364F144156F924AA280D7749911CBB5

Function 03D39570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03D3957F

Part of subcall function 03D3EF86: std::exception::exception.LIBCMT ref: 03D3EF9B
Part of subcall function 03D3EF86: __CxxThrowException@8.LIBCMT ref: 03D3EFB0
Part of subcall function 03D3EF86: std::exception::exception.LIBCMT ref: 03D3EFC1

_memmove.LIBCMT ref: 03D395B5

Strings

invalid string position, xrefs: 03D3957A

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 3e6dd9a766c7b9c631fc7422387354dea18d2d82db5b3701ab52d11176afbaf9
Instruction ID: ad471f00f08dc167cc9bc4dd20f9d49b2518cbdc4696651538a384b9336de705
Opcode Fuzzy Hash: 3e6dd9a766c7b9c631fc7422387354dea18d2d82db5b3701ab52d11176afbaf9
Instruction Fuzzy Hash: A7014F317047418BD725DA7CE9A471AB3E79FC65047684A28D092CB689D7F1DC8247A4

Function 03D3D1C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03D3D1D4

Part of subcall function 03D3EF39: std::exception::exception.LIBCMT ref: 03D3EF4E
Part of subcall function 03D3EF39: __CxxThrowException@8.LIBCMT ref: 03D3EF63
Part of subcall function 03D3EF39: std::exception::exception.LIBCMT ref: 03D3EF74

_memmove.LIBCMT ref: 03D3D20D

Strings

vector<T> too long, xrefs: 03D3D1CF

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 712a44c5b737c1158eb3bd5e6097f7e1081334e1313900049e5beaedb9d790df
Instruction ID: 4748b1661b78bb79abbe0c58d01d5deb70cf4444e10a19648b23ebc039ddc393
Opcode Fuzzy Hash: 712a44c5b737c1158eb3bd5e6097f7e1081334e1313900049e5beaedb9d790df
Instruction Fuzzy Hash: 590184B7A002025FC704EE6EE891C6EB7A8E751251349423AEC36D7749E7B0ED158BB1

Function 03D38430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03D38443

Part of subcall function 03D3EF39: std::exception::exception.LIBCMT ref: 03D3EF4E
Part of subcall function 03D3EF39: __CxxThrowException@8.LIBCMT ref: 03D3EF63
Part of subcall function 03D3EF39: std::exception::exception.LIBCMT ref: 03D3EF74

_memmove.LIBCMT ref: 03D3846E

Strings

vector<T> too long, xrefs: 03D3843E

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: a8728631c30db226ffcf1559cc42b45afa2a504eab3a5b82edef0ea7d68117fb
Instruction ID: c8dc59a42a30fa727683d497774608a87aa69d34fed64458a2ef897f32970c7c
Opcode Fuzzy Hash: a8728631c30db226ffcf1559cc42b45afa2a504eab3a5b82edef0ea7d68117fb
Instruction Fuzzy Hash: 6101A2B2A003099FCB24DFB8DC9196BB3E9EB55610318492DE856CB740E670FC058B61

Function 100137C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100132AE: __getptd.LIBCMT ref: 100132B4
Part of subcall function 100132AE: __getptd.LIBCMT ref: 100132C4

__getptd.LIBCMT ref: 100137D8

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 100137E6

Strings

csm, xrefs: 100137F4

Memory Dump Source

Source File: 00000003.00000002.3557923063.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3557906665.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557943423.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557960696.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557977980.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3557996680.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction ID: 7ab74b7057de6af6c41b09604486a57fd509075c87a44dfcf8772f30d13ae725
Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction Fuzzy Hash: 2001283A8013468FDB24DF26C44069CB3F6FF00651F51842DF4955A6A1CF34EAD1CA11

Function 03D506D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 03D5010A: __getptd.LIBCMT ref: 03D50110
Part of subcall function 03D5010A: __getptd.LIBCMT ref: 03D50120

__getptd.LIBCMT ref: 03D506E3

Part of subcall function 03D43E5B: __getptd_noexit.LIBCMT ref: 03D43E5E
Part of subcall function 03D43E5B: __amsg_exit.LIBCMT ref: 03D43E6B

__getptd.LIBCMT ref: 03D506F1

Strings

csm, xrefs: 03D506FF

Memory Dump Source

Source File: 00000003.00000002.3557458220.0000000003D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 03D30000, based on PE: true

Associated: 00000003.00000002.3557458220.0000000003D64000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3d30000_Update.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction ID: bb99b8d06cf8ed71b9c8fdbe9043b569476b5b3099fa000ab5b0b1dc83d2177d
Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction Fuzzy Hash: 0201A938801301CFCF34DF64C484AACB3BAAF00B11F28496EE8599A290CB308590CF61

Function 6C36AA90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C39C354,?,G.5l,?,6C35233F,6C39C244,ios_base::badbit set,?,6C352E47,?,00000001), ref: 6C36AA9B
ReleaseSRWLockExclusive.KERNEL32(6C39C354,?,6C35233F,6C39C244,ios_base::badbit set,?,6C352E47,?,00000001,?,?,?,?,?,?,?), ref: 6C36AAD5

Strings

G.5l, xrefs: 6C36AA93

Memory Dump Source

Source File: 00000003.00000002.3558036799.000000006C351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C350000, based on PE: true

Associated: 00000003.00000002.3558017188.000000006C350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558073057.000000006C38D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558092477.000000006C39B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3558109546.000000006C3A0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c350000_Update.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: G.5l
API String ID: 17069307-4083235767
Opcode ID: f8e724b335def437d08e8868f0c735e00d3f9b4aedf53769f94f9ba38071337b
Instruction ID: 223f125aa50b7ad91c0714b707c09bde33839ca83d55ac2b8062b821018cc221
Opcode Fuzzy Hash: f8e724b335def437d08e8868f0c735e00d3f9b4aedf53769f94f9ba38071337b
Instruction Fuzzy Hash: 2EF08C35200265CFCB20AF1AC544A64B7B8FB87738F14022AEAA543E80E7361842CE61

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8R2YjBA8nI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GhostRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

C:\Users\Public\Bilite\Axialis\Update.dll

C:\Users\Public\Bilite\Axialis\Update.exe

C:\Users\Public\Bilite\Axialis\spyqizkn.png

C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353fa0rx.b3u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzd50oup.wg0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvofwrcm.pgw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3wrqusa.dbi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdt3eysd.rtu.psm1

Windows Analysis Report
8R2YjBA8nI.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre