Edit tour

Windows Analysis Report
K3UtwU3CH9.msi

Overview

General Information

Sample name:	K3UtwU3CH9.msi renamed because original name is a hash value
Original sample name:	468ff3b01cb98f3bb68e99b07d04c29869abc2e5c4ba3b8f075658e6121d0cd4.msi
Analysis ID:	1586718
MD5:	81907fbd20c219c1890c775c91468215
SHA1:	37731a1a70b620d8a0694bfc15b78d31179742ad
SHA256:	468ff3b01cb98f3bb68e99b07d04c29869abc2e5c4ba3b8f075658e6121d0cd4
Tags:	msiuser-crep1x
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

PE file has a writeable .text section

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6928 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\K3UtwU3CH9.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7040 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7136 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 67D8AB6401B6284E54A24D810952612F C MD5: 9D09DC1EDA745A5F87553048E57620CF)

ISBEW64.exe (PID: 4008 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DACCFEC1-0F8E-4735-B9C7-A60DBEC446EA} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 2056 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C031A3B-AD25-4CE4-AB49-01F87FDEE881} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 5844 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56D245EC-76C4-4C26-9039-E4C34B0EC544} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 1748 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0C64754-86B5-489E-9A24-32FD984CC512} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 5796 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CF2577-EEA4-4712-85B8-C177FE73A996} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 4076 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2288B9E7-ABB0-459A-A1F0-65CF795FB7C4} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 6336 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06852D7C-4042-4D98-A431-F2C81FD3913D} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 6912 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0CC5960-99B5-429C-9C5D-234075E07B82} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 772 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19A60243-752F-4575-BE1B-A4589A300ACF} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 1448 cmdline: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F15C916D-5F9E-4609-A30F-4848C97C342B} MD5: 40F3A092744E46F3531A40B917CCA81E)

Dashboard.exe (PID: 5756 cmdline: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe MD5: 704925ECFDB24EF81190B82DE0E5453C)

Dashboard.exe (PID: 1908 cmdline: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe MD5: 704925ECFDB24EF81190B82DE0E5453C)

cmd.exe (PID: 5796 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MLE_Config_beta.exe (PID: 4904 cmdline: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe MD5: 967F4470627F823F4D7981E511C9824F)

Dashboard.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe" MD5: 704925ECFDB24EF81190B82DE0E5453C)

cmd.exe (PID: 5180 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Dashboard.exe (PID: 6568 cmdline: "C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe" MD5: 704925ECFDB24EF81190B82DE0E5453C)

cmd.exe (PID: 6644 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MLE_Config_beta.exe (PID: 2692 cmdline: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.1722528788.00000000093D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001C.00000002.2272864695.00000000093CC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001F.00000002.2605314044.00000000025BE000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.1780617372.00000000093E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.2213346540.0000000002C10000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000016.00000002.2159661824.00000000093C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5796	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MLE_Config_beta.exe PID: 4904	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5180	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6644	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.cmd.exe.2c107f8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.2c107f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
23.2.cmd.exe.4bc4acd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.4bc4acd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f223:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2ae:$s1: CoGetObject 0x25f207:$s2: Elevation:Administrator!new:
31.2.MLE_Config_beta.exe.260a6ed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
31.2.MLE_Config_beta.exe.260a6ed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e623:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6ae:$s1: CoGetObject 0x25e607:$s2: Elevation:Administrator!new:
23.2.cmd.exe.4bc56cd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.4bc56cd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e623:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6ae:$s1: CoGetObject 0x25e607:$s2: Elevation:Administrator!new:
29.2.cmd.exe.4d7aa00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
29.2.cmd.exe.4d7aa00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a437b:$s1: CoGetObject 0x2a42d4:$s2: Elevation:Administrator!new:
29.2.cmd.exe.4dc06cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
29.2.cmd.exe.4dc06cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e623:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6ae:$s1: CoGetObject 0x25e607:$s2: Elevation:Administrator!new:
21.2.MLE_Config_beta.exe.2654aed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.MLE_Config_beta.exe.2654aed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f223:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2ae:$s1: CoGetObject 0x25f207:$s2: Elevation:Administrator!new:
31.2.MLE_Config_beta.exe.2609aed.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
31.2.MLE_Config_beta.exe.2609aed.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f223:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2ae:$s1: CoGetObject 0x25f207:$s2: Elevation:Administrator!new:
23.2.cmd.exe.4b7fa00.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.cmd.exe.4b7fa00.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a437b:$s1: CoGetObject 0x2a42d4:$s2: Elevation:Administrator!new:
29.2.cmd.exe.4dbfacd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
29.2.cmd.exe.4dbfacd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f223:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2ae:$s1: CoGetObject 0x25f207:$s2: Elevation:Administrator!new:
15.2.cmd.exe.544ca00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.544ca00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a437b:$s1: CoGetObject 0x2a42d4:$s2: Elevation:Administrator!new:
21.2.MLE_Config_beta.exe.260fa20.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.MLE_Config_beta.exe.260fa20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a437b:$s1: CoGetObject 0x2a42d4:$s2: Elevation:Administrator!new:
21.2.MLE_Config_beta.exe.26556ed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.MLE_Config_beta.exe.26556ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e623:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6ae:$s1: CoGetObject 0x25e607:$s2: Elevation:Administrator!new:
15.2.cmd.exe.5491acd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.5491acd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f223:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2ae:$s1: CoGetObject 0x25f207:$s2: Elevation:Administrator!new:
31.2.MLE_Config_beta.exe.25c4a20.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
31.2.MLE_Config_beta.exe.25c4a20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a42f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a437b:$s1: CoGetObject 0x2a42d4:$s2: Elevation:Administrator!new:
15.2.cmd.exe.54926cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.54926cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e623:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6ae:$s1: CoGetObject 0x25e607:$s2: Elevation:Administrator!new:
Click to see the 27 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\xvjmsqbp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\snfgsgf	Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 23.2.cmd.exe.2c107f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.4bc4acd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MLE_Config_beta.exe.260a6ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.4bc56cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.cmd.exe.4d7aa00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.cmd.exe.4dc06cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.MLE_Config_beta.exe.2654aed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MLE_Config_beta.exe.2609aed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.cmd.exe.4b7fa00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.cmd.exe.4dbfacd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.544ca00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.MLE_Config_beta.exe.260fa20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.MLE_Config_beta.exe.26556ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5491acd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.MLE_Config_beta.exe.25c4a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.54926cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1722528788.00000000093D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2272864695.00000000093CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2605314044.00000000025BE000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1780617372.00000000093E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2213346540.0000000002C10000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2159661824.00000000093C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MLE_Config_beta.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6644, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

File opened: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\msvcr80.dll

Jump to behavior

Source:	Binary string: ntdll.pdb source: MLE_Config_beta.exe, 00000015.00000002.2137645351.000000000543C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136896029.0000000004E33000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132086318.00000000021C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138365672.0000000005C3F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138555440.0000000005E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137466035.000000000523C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139077290.0000000006430000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139757228.0000000006C3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140082920.0000000007039000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135298838.000000000443E000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139242183.0000000006633000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136061978.0000000004C38000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135495477.0000000004638000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138191367.0000000005A3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132931895.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139915740.0000000006E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138915984.0000000006237000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134578448.0000000003E3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138737191.0000000006037000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138028436.0000000005837000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135085639.0000000004231000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139561373.0000000006A31000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135874843.0000000004A3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139398502.0000000006836000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137849745.000000000563F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137091371.0000000005033000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134793630.0000000004032000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.
Source:	Binary string: UXCore.pdb0;p8 source: Dashboard.exe, 0000000D.00000002.1723540876.0000000070301000.00000020.00000001.01000000.00000005.sdmp, Dashboard.exe, 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 00000016.00000002.2161871698.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 0000001C.00000002.2274641957.0000000070301000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: wntdll.pdbUGP source: Dashboard.exe, 0000000D.00000002.1711569840.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000D.00000002.1723268048.00000000096D0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781256800.00000000096E0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1776454119.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781547133.0000000009A9F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2028008383.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027481864.0000000005090000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2150911668.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160681691.0000000009A71000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160384217.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2214116522.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213433190.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273794480.0000000009A72000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2268495789.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273499374.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504796011.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504103025.00000000049CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: MLE_Config_beta.exe, 00000015.00000002.2137645351.000000000543C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136896029.0000000004E33000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132086318.00000000021C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138365672.0000000005C3F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138555440.0000000005E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137466035.000000000523C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139077290.0000000006430000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139757228.0000000006C3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140082920.0000000007039000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135298838.000000000443E000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139242183.0000000006633000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136061978.0000000004C38000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135495477.0000000004638000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138191367.0000000005A3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132931895.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139915740.0000000006E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138915984.0000000006237000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134578448.0000000003E3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138737191.0000000006037000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138028436.0000000005837000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135085639.0000000004231000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139561373.0000000006A31000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135874843.0000000004A3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139398502.0000000006836000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137849745.000000000563F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137091371.0000000005033000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134793630.0000000004032000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.000000
Source:	Binary string: wntdll.pdb source: Dashboard.exe, 0000000D.00000002.1711569840.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000D.00000002.1723268048.00000000096D0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781256800.00000000096E0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1776454119.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781547133.0000000009A9F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2028008383.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027481864.0000000005090000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2150911668.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160681691.0000000009A71000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160384217.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2214116522.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213433190.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273794480.0000000009A72000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2268495789.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273499374.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504796011.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504103025.00000000049CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Dashboard.pdb source: Dashboard.exe, Dashboard.exe, 0000000D.00000000.1700565003.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Dashboard.exe, 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Dashboard.exe, 0000000E.00000002.1776784365.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 0000000E.00000000.1709046549.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 00000016.00000002.2151347870.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 00000016.00000000.2091087309.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 0000001C.00000002.2268714527.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 0000001C.00000000.2211863871.0000000001001000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000003.00000000.1690551243.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000000.1691220232.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000002.1693257249.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1691860250.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1695605425.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1696309871.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1692654175.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1694453663.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1697407295.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1718243220.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1696177645.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1699092395.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1697351758.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1698052577.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1699820460.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1700643366.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1698727830.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1702721653.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1699370730.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UXCore.pdb source: Dashboard.exe, Dashboard.exe, 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 00000016.00000002.2161871698.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 0000001C.00000002.2274641957.0000000070301000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,		21_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,		21_2_0000000140007628

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_000000014000D848 GetLogicalDriveStringsW,GetDlgItem,GetDriveTypeW,_cwprintf_s_l,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetSpecialFolderPathW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,RegOpenKeyExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,SendMessageW,SendMessageW,SendMessageW,RegCloseKey,

21_2_000000014000D848

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:51697 -> 162.159.36.2:53

Source: unknown

DNS traffic detected: query: plerukilo0.site replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: plerukilo0.site

Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Dashboard.exe	String found in binary or memory: http://ie.search.msn.com/
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Dashboard.exe	String found in binary or memory: http://runonce.msn.com/?v=msgrv75
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000000.1952616443.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Dashboard.exe, 0000000D.00000002.1722528788.000000000913B000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.000000000914D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.00000000025C0000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.0000000009129000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009130000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000000.1952616443.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000000.1952616443.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000048A000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2115376077.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/
Source: MLE_Config_beta.exe, 00000015.00000003.2119331870.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119562347.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/.M
Source: MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/2M
Source: MLE_Config_beta.exe, 00000015.00000003.2127632449.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/6M
Source: MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/:M
Source: MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/BM
Source: MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/FM
Source: MLE_Config_beta.exe, 00000015.00000002.2131867899.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2131389036.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/L
Source: MLE_Config_beta.exe, 00000015.00000003.2127632449.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/LzM
Source: MLE_Config_beta.exe, 00000015.00000003.2124413253.00000000004CB000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2124349794.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/N&M
Source: MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/NNM
Source: MLE_Config_beta.exe, 00000015.00000003.2127632449.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/RM
Source: MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/ZM
Source: MLE_Config_beta.exe, 00000015.00000002.2131867899.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2131389036.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/bM
Source: MLE_Config_beta.exe, 00000015.00000002.2131691175.0000000000498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/environment-canaY
Source: MLE_Config_beta.exe, 00000015.00000002.2131691175.00000000004AA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2115376077.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/environment-canada-s-biosphere?vmkjypkrumtk=ey7u2s8PuxSar298wfGYABIRHbA4eVhz
Source: MLE_Config_beta.exe, 00000015.00000003.2122929016.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2123102167.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/fM
Source: MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000048A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/g
Source: MLE_Config_beta.exe, 00000015.00000003.2116592118.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117988162.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117930955.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/jM
Source: MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000048A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/k
Source: MLE_Config_beta.exe, 00000015.00000003.2116592118.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/nM
Source: MLE_Config_beta.exe, 00000015.00000003.2116592118.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117988162.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117930955.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/rM
Source: MLE_Config_beta.exe, 00000015.00000003.2124413253.00000000004CB000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2124349794.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/vM
Source: MLE_Config_beta.exe, 00000015.00000003.2119913004.00000000004A4000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2116633662.00000000004A4000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119384391.00000000004A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443
Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,

21_2_0000000140007860

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,

21_2_0000000140007860

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_0000000140007274 GetDlgItem,GetDlgItem,GetWindowRect,ScreenToClient,ScreenToClient,GetClientRect,CreateDIBSection,GetDC,CreateCompatibleDC,SelectObject,SelectObject,ReleaseDC,SendMessageW,

21_2_0000000140007274

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_00000001400038A8 KillTimer,GetAsyncKeyState,SetTimer,

21_2_00000001400038A8

System Summary

Malicious sample detected (through community Yara rule)

Source: 23.2.cmd.exe.2c107f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.4bc4acd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.MLE_Config_beta.exe.260a6ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.4bc56cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 29.2.cmd.exe.4d7aa00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 29.2.cmd.exe.4dc06cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.MLE_Config_beta.exe.2654aed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.MLE_Config_beta.exe.2609aed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.4b7fa00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 29.2.cmd.exe.4dbfacd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.544ca00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.MLE_Config_beta.exe.260fa20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.MLE_Config_beta.exe.26556ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5491acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.MLE_Config_beta.exe.25c4a20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.54926cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

PE file has a writeable .text section

Source: ISRT.dll.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_000000014011FF38 CreateFileW,malloc,ReadFile,NtClose,

21_2_000000014011FF38

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Code function: 13_2_0100CCC8 ExitWindowsEx,

13_2_0100CCC8

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC601AD0	3_2_00007FF6DC601AD0
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC604230	3_2_00007FF6DC604230
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC604E10	3_2_00007FF6DC604E10
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC60D308	3_2_00007FF6DC60D308
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC6142FC	3_2_00007FF6DC6142FC
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC60CC64	3_2_00007FF6DC60CC64
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC60F11C	3_2_00007FF6DC60F11C
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC60FCE4	3_2_00007FF6DC60FCE4
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7032F010	14_2_7032F010
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70323800	14_2_70323800
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7031F860	14_2_7031F860
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70320080	14_2_70320080
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7032EA00	14_2_7032EA00
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70324BA0	14_2_70324BA0
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70316B80	14_2_70316B80
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7036948F	14_2_7036948F
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70316DF0	14_2_70316DF0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000BFFC	21_2_000000014000BFFC
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001D000	21_2_000000014001D000
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000B824	21_2_000000014000B824
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014002F838	21_2_000000014002F838
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000D848	21_2_000000014000D848
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140021068	21_2_0000000140021068
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000909C	21_2_000000014000909C
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00000001400238F8	21_2_00000001400238F8
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001A9B8	21_2_000000014001A9B8
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00000001400041C8	21_2_00000001400041C8
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00000001400231CC	21_2_00000001400231CC
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140021A00	21_2_0000000140021A00
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000E214	21_2_000000014000E214
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140024A78	21_2_0000000140024A78
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001F2A4	21_2_000000014001F2A4
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000A378	21_2_000000014000A378
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140122B98	21_2_0000000140122B98
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140013390	21_2_0000000140013390
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140020BB8	21_2_0000000140020BB8
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140001424	21_2_0000000140001424
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140008C3C	21_2_0000000140008C3C
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140005450	21_2_0000000140005450
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000D458	21_2_000000014000D458
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014011B450	21_2_000000014011B450
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001048C	21_2_000000014001048C
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00000001400EE4C4	21_2_00000001400EE4C4
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00000001400FC53C	21_2_00000001400FC53C
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000A5E0	21_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140022E30	21_2_0000000140022E30
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014002267C	21_2_000000014002267C
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001AE88	21_2_000000014001AE88
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140011EF4	21_2_0000000140011EF4
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00000001400FF714	21_2_00000001400FF714
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001DF44	21_2_000000014001DF44
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140040F48	21_2_0000000140040F48
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140018790	21_2_0000000140018790
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93FEC0	21_2_00007FF75D93FEC0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93D640	21_2_00007FF75D93D640
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93DE00	21_2_00007FF75D93DE00
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA96D30	21_2_00007FF75DA96D30
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9450C0	21_2_00007FF75D9450C0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA7F240	21_2_00007FF75DA7F240
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DB8AA10	21_2_00007FF75DB8AA10
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA7DA10	21_2_00007FF75DA7DA10
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93F960	21_2_00007FF75D93F960
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA7ECF0	21_2_00007FF75DA7ECF0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D935490	21_2_00007FF75D935490
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93F6C0	21_2_00007FF75D93F6C0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9346A2	21_2_00007FF75D9346A2
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D97E6A0	21_2_00007FF75D97E6A0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9346A2	21_2_00007FF75D9346A2
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93B640	21_2_00007FF75D93B640
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D941E40	21_2_00007FF75D941E40
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93260F	21_2_00007FF75D93260F
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93C620	21_2_00007FF75D93C620
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D995680	21_2_00007FF75D995680
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D97EDD0	21_2_00007FF75D97EDD0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9445A0	21_2_00007FF75D9445A0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D933E00	21_2_00007FF75D933E00
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93260F	21_2_00007FF75D93260F
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA69600	21_2_00007FF75DA69600
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D943D40	21_2_00007FF75D943D40
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA7D8A0	21_2_00007FF75DA7D8A0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D96A8B0	21_2_00007FF75D96A8B0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D939110	21_2_00007FF75D939110
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D940110	21_2_00007FF75D940110
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D946820	21_2_00007FF75D946820
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93A829	21_2_00007FF75D93A829
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D981030	21_2_00007FF75D981030
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D944875	21_2_00007FF75D944875
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D982070	21_2_00007FF75D982070
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93EFC0	21_2_00007FF75D93EFC0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9817D0	21_2_00007FF75D9817D0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D968FA0	21_2_00007FF75D968FA0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93CFF0	21_2_00007FF75D93CFF0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D939740	21_2_00007FF75D939740
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D998750	21_2_00007FF75D998750
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93874B	21_2_00007FF75D93874B
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D97EF20	21_2_00007FF75D97EF20
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D945790	21_2_00007FF75D945790
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D938AA0	21_2_00007FF75D938AA0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D981AB0	21_2_00007FF75D981AB0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D933AFD	21_2_00007FF75D933AFD
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93423E	21_2_00007FF75D93423E
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93DA40	21_2_00007FF75D93DA40
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D940240	21_2_00007FF75D940240
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93AA50	21_2_00007FF75D93AA50
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93421E	21_2_00007FF75D93421E
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D969A20	21_2_00007FF75D969A20
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D941230	21_2_00007FF75D941230
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D945230	21_2_00007FF75D945230
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D96D27C	21_2_00007FF75D96D27C
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9379C0	21_2_00007FF75D9379C0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9469D0	21_2_00007FF75D9469D0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9D1A10	21_2_00007FF75D9D1A10
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D939940	21_2_00007FF75D939940
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93411A	21_2_00007FF75D93411A
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93B160	21_2_00007FF75D93B160
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93C4B0	21_2_00007FF75D93C4B0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D981CB0	21_2_00007FF75D981CB0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9404E0	21_2_00007FF75D9404E0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93B4F0	21_2_00007FF75D93B4F0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D998450	21_2_00007FF75D998450
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D981430	21_2_00007FF75D981430
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D939C80	21_2_00007FF75D939C80
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93EC90	21_2_00007FF75D93EC90
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D97EC90	21_2_00007FF75D97EC90
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93545D	21_2_00007FF75D93545D
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93F45D	21_2_00007FF75D93F45D
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D932C66	21_2_00007FF75D932C66
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D995C70	21_2_00007FF75D995C70
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D97E3B0	21_2_00007FF75D97E3B0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D995400	21_2_00007FF75D995400
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D93CC00	21_2_00007FF75D93CC00
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA6A400	21_2_00007FF75DA6A400
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9443E0	21_2_00007FF75D9443E0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75DA7DBE0	21_2_00007FF75DA7DBE0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D939350	21_2_00007FF75D939350
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D942B20	21_2_00007FF75D942B20
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D935377	21_2_00007FF75D935377
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D943370	21_2_00007FF75D943370

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Code function: String function: 0100880F appears 56 times
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: String function: 7033F554 appears 47 times
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: String function: 70336A33 appears 75 times

Source: MSI3B8B.tmp.0.dr	Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled
Source: MLE_Config_beta.exe.15.dr	Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: xvjmsqbp.15.dr	Static PE information: Number of sections : 12 > 10
Source: snfgsgf.29.dr	Static PE information: Number of sections : 12 > 10

Source: 23.2.cmd.exe.2c107f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.4bc4acd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.MLE_Config_beta.exe.260a6ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.4bc56cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 29.2.cmd.exe.4d7aa00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 29.2.cmd.exe.4dc06cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.MLE_Config_beta.exe.2654aed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.MLE_Config_beta.exe.2609aed.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.4b7fa00.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 29.2.cmd.exe.4dbfacd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.544ca00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.MLE_Config_beta.exe.260fa20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.MLE_Config_beta.exe.26556ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5491acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.MLE_Config_beta.exe.25c4a20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.54926cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: ISRT.dll.2.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: ISRT.dll.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: IU.sln

Source: classification engine

Classification label: mal88.expl.evad.winMSI@43/25@2/0

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Code function: 13_2_0100CC59 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

13_2_0100CC59

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC603140 CoCreateInstance,

3_2_00007FF6DC603140

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC605870 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

3_2_00007FF6DC605870

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

File created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI3996.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Command line argument: WLXS\Dashboard	13_2_0100769A
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Command line argument: DashboardRes	13_2_0100769A
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Command line argument: 1.0.0.1	13_2_0100769A
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Command line argument: DashboardLoc	13_2_0100769A

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\IsConfig.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Dashboard.exe	String found in binary or memory: Button-HELP;Button
Source: MLE_Config_beta.exe	String found in binary or memory: -install -runas
Source: MLE_Config_beta.exe	String found in binary or memory: -install
Source: MLE_Config_beta.exe	String found in binary or memory: -install -nolisense

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\K3UtwU3CH9.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 67D8AB6401B6284E54A24D810952612F C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DACCFEC1-0F8E-4735-B9C7-A60DBEC446EA}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C031A3B-AD25-4CE4-AB49-01F87FDEE881}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56D245EC-76C4-4C26-9039-E4C34B0EC544}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0C64754-86B5-489E-9A24-32FD984CC512}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CF2577-EEA4-4712-85B8-C177FE73A996}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2288B9E7-ABB0-459A-A1F0-65CF795FB7C4}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06852D7C-4042-4D98-A431-F2C81FD3913D}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0CC5960-99B5-429C-9C5D-234075E07B82}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19A60243-752F-4575-BE1B-A4589A300ACF}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F15C916D-5F9E-4609-A30F-4848C97C342B}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Process created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe "C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe"
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe "C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe"
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 67D8AB6401B6284E54A24D810952612F C	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DACCFEC1-0F8E-4735-B9C7-A60DBEC446EA}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C031A3B-AD25-4CE4-AB49-01F87FDEE881}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56D245EC-76C4-4C26-9039-E4C34B0EC544}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0C64754-86B5-489E-9A24-32FD984CC512}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CF2577-EEA4-4712-85B8-C177FE73A996}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2288B9E7-ABB0-459A-A1F0-65CF795FB7C4}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06852D7C-4042-4D98-A431-F2C81FD3913D}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0CC5960-99B5-429C-9C5D-234075E07B82}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19A60243-752F-4575-BE1B-A4589A300ACF}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F15C916D-5F9E-4609-A30F-4848C97C342B}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Process created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: uxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: uxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: uxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: uxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: oxstqvsuk.15.dr

LNK file: ..\..\Roaming\LoadupdateXi_alpha\Dashboard.exe

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\IsConfig.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: K3UtwU3CH9.msi

Static file information: File size 9586644 > 1048576

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

File opened: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\msvcr80.dll

Jump to behavior

Source:	Binary string: ntdll.pdb source: MLE_Config_beta.exe, 00000015.00000002.2137645351.000000000543C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136896029.0000000004E33000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132086318.00000000021C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138365672.0000000005C3F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138555440.0000000005E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137466035.000000000523C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139077290.0000000006430000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139757228.0000000006C3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140082920.0000000007039000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135298838.000000000443E000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139242183.0000000006633000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136061978.0000000004C38000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135495477.0000000004638000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138191367.0000000005A3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132931895.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139915740.0000000006E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138915984.0000000006237000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134578448.0000000003E3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138737191.0000000006037000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138028436.0000000005837000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135085639.0000000004231000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139561373.0000000006A31000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135874843.0000000004A3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139398502.0000000006836000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137849745.000000000563F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137091371.0000000005033000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134793630.0000000004032000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.
Source:	Binary string: UXCore.pdb0;p8 source: Dashboard.exe, 0000000D.00000002.1723540876.0000000070301000.00000020.00000001.01000000.00000005.sdmp, Dashboard.exe, 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 00000016.00000002.2161871698.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 0000001C.00000002.2274641957.0000000070301000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: wntdll.pdbUGP source: Dashboard.exe, 0000000D.00000002.1711569840.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000D.00000002.1723268048.00000000096D0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781256800.00000000096E0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1776454119.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781547133.0000000009A9F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2028008383.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027481864.0000000005090000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2150911668.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160681691.0000000009A71000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160384217.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2214116522.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213433190.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273794480.0000000009A72000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2268495789.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273499374.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504796011.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504103025.00000000049CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: MLE_Config_beta.exe, 00000015.00000002.2137645351.000000000543C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136896029.0000000004E33000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132086318.00000000021C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138365672.0000000005C3F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138555440.0000000005E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137466035.000000000523C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139077290.0000000006430000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139757228.0000000006C3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140082920.0000000007039000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135298838.000000000443E000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139242183.0000000006633000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2136061978.0000000004C38000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135495477.0000000004638000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138191367.0000000005A3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132931895.0000000002B40000.00000004.00001000.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139915740.0000000006E3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138915984.0000000006237000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134578448.0000000003E3C000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138737191.0000000006037000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2138028436.0000000005837000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135085639.0000000004231000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139561373.0000000006A31000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2135874843.0000000004A3A000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2139398502.0000000006836000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137849745.000000000563F000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2137091371.0000000005033000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2134793630.0000000004032000.00000004.00000001.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.000000
Source:	Binary string: wntdll.pdb source: Dashboard.exe, 0000000D.00000002.1711569840.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000D.00000002.1723268048.00000000096D0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781256800.00000000096E0000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1776454119.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1781547133.0000000009A9F000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2028008383.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027481864.0000000005090000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2150911668.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160681691.0000000009A71000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2160384217.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2214116522.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213433190.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273794480.0000000009A72000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2268495789.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2273499374.00000000096C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504796011.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504103025.00000000049CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Dashboard.pdb source: Dashboard.exe, Dashboard.exe, 0000000D.00000000.1700565003.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Dashboard.exe, 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Dashboard.exe, 0000000E.00000002.1776784365.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 0000000E.00000000.1709046549.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 00000016.00000002.2151347870.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 00000016.00000000.2091087309.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 0000001C.00000002.2268714527.0000000001001000.00000020.00000001.01000000.00000007.sdmp, Dashboard.exe, 0000001C.00000000.2211863871.0000000001001000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000003.00000000.1690551243.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000000.1691220232.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000002.1693257249.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1691860250.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1695605425.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1696309871.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1692654175.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1694453663.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1697407295.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1718243220.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1696177645.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1699092395.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1697351758.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1698052577.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1699820460.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1700643366.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1698727830.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1702721653.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1699370730.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: UXCore.pdb source: Dashboard.exe, Dashboard.exe, 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 00000016.00000002.2161871698.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Dashboard.exe, 0000001C.00000002.2274641957.0000000070301000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC606B00 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_00007FF6DC606B00

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: MSI3B8B.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x285c7f
Source: xvjmsqbp.15.dr	Static PE information: real checksum: 0x28e4d4 should be: 0x28e3f3
Source: UXCore.dll.2.dr	Static PE information: real checksum: 0xd0519 should be: 0xd1e93
Source: UXCore.dll.13.dr	Static PE information: real checksum: 0xd0519 should be: 0xd1e93
Source: snfgsgf.29.dr	Static PE information: real checksum: 0x28e4d4 should be: 0x28e3f3
Source: _isres_0x0409.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x1c5ec2

Source: MSI3B8B.tmp.0.dr	Static PE information: section name: .orpc
Source: MLE_Config_beta.exe.15.dr	Static PE information: section name: Shared
Source: xvjmsqbp.15.dr	Static PE information: section name: .xdata
Source: xvjmsqbp.15.dr	Static PE information: section name: hwafy
Source: snfgsgf.29.dr	Static PE information: section name: .xdata
Source: snfgsgf.29.dr	Static PE information: section name: hwafy

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Code function: 13_2_010088FB push ecx; ret	13_2_0100890E
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Code function: 13_2_010086D9 push ecx; ret	13_2_010086EC
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7038FC63 push ecx; ret	14_2_7038FC76
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7038FCED push ecx; ret	14_2_7038FD00
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001282D push 8B480014h; retf	21_2_0000000140012832
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014001D949 push rsp; ret	21_2_000000014001D94B
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140013D4C pushfq ; ret	21_2_0000000140013D4D
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140013DE5 pushfq ; ret	21_2_0000000140013DE6
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140013F26 pushfq ; ret	21_2_0000000140013F27
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D931F2D push rdi; ret	21_2_00007FF75D931F2E

Source: ISRT.dll.2.dr

Static PE information: section name: .text entropy: 7.9838191086194135

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI3996.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	File created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\msvcr80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xvjmsqbp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\UXCore.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI3B8B.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISRT.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\snfgsgf	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	File created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\msvcr80.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	File created: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\UXCore.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xvjmsqbp			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\snfgsgf			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_00000001400853D4 GetPrivateProfileStringW,lstrlenW,

21_2_00000001400853D4

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\XVJMSQBP
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SNFGSGF

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC607180 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00007FF6DC607180

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	API/Special instruction interceptor: Address: 6C3D7C44
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	API/Special instruction interceptor: Address: 6C3D7C44
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	API/Special instruction interceptor: Address: 6C3D7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C3D3B54
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	API/Special instruction interceptor: Address: 6C537C44
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	API/Special instruction interceptor: Address: 6C537945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C533B54

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3996.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\msvcr80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xvjmsqbp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3B8B.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISRT.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\snfgsgf	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\msvcr80.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-8987

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

API coverage: 1.3 %

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe TID: 5900	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe TID: 1820	Thread sleep time: -210000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,		21_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,		21_2_0000000140007628

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

21_2_000000014000D848

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_00007FF75DA7DA10 GetSystemInfo,

21_2_00007FF75DA7DA10

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000045C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllff

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	API call chain: ExitProcess graph end node	graph_3-8988
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	API call chain: ExitProcess graph end node	graph_21-21186
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	API call chain: ExitProcess graph end node	graph_21-21169
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	API call chain: ExitProcess graph end node	graph_21-21092
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	API call chain: ExitProcess graph end node	graph_21-21128

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC60AB1C IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,

3_2_00007FF6DC60AB1C

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC613008 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_00007FF6DC613008

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC606B00 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_00007FF6DC606B00

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC60CAE4 GetProcessHeap,

3_2_00007FF6DC60CAE4

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC6107D8 SetUnhandledExceptionFilter,	3_2_00007FF6DC6107D8
Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	Code function: 3_2_00007FF6DC60DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF6DC60DCD4
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Code function: 13_2_010087FB IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	13_2_010087FB
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7038FBA1 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	14_2_7038FBA1
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Code function: 21_2_00007FF75D9311B5 Sleep,exit,SetUnhandledExceptionFilter,exit,	21_2_00007FF75D9311B5

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtReadVirtualMemory: Direct from: 0x7FF7AFD38157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	NtQuerySystemInformation: Direct from: 0x703B69BD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFB083C4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationProcess: Direct from: 0x7FF7AFC3DBC6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D9354B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFAFD662	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFBCFAA7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateThreadEx: Direct from: 0x7FF7AFAF58E9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFB089F2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationToken: Direct from: 0x7FF75DA0FAA7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75DB8A53B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationProcess: Direct from: 0x7FF7AFBB1488	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D93F982	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75DB8C696	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF7AFD3B06D
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221C26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateThreadEx: Direct from: 0x7FF75D935763	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationProcess: Direct from: 0x7FF75D9F1488	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D9489F2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFC08EFB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	NtProtectVirtualMemory: Direct from: 0x6BC1E702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75D9DF77B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtMapViewOfSection: Direct from: 0x7FF7AFD3C1EE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF7AFD3D883
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF75DA12D50	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF75DB7D86F
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x7FF75DB7B04F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtReadFile: Direct from: 0x7FF7AFBAB9B1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x7FF75DB78306	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationProcess: Direct from: 0x7FF7AFD43CF1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFC0CA8A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationProcess: Direct from: 0x7FF7AFBB2A59	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationToken: Direct from: 0x7FF75DA48EFB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtReadFile: Direct from: 0x7FF75D9EB9B1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF7AFD3D891
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFC10D29	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	NtSetInformationThread: Direct from: 0x70305A36	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75D9E3CC4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationProcess: Direct from: 0x7FF75D9F2A59	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtReadVirtualMemory: Direct from: 0x7FF75DB78157	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFC0B813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtOpenKeyEx: Direct from: 0x7FF7AFBD2816	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF7AFBD358A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQuerySystemInformation: Direct from: 0x7FF75D9DF231	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x7FF75D9E3AED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D93D662	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFBAD5CD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF75DA13891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFD3C61C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	NtProtectVirtualMemory: Direct from: 0x6C502CCC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x7FF7AFBA3AED	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75DB7C1EE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF75DB7D883
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF7AFBD3107
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D9ED5CD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFAF54B2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF7AFBD323C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFB9F231	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF75DB7B06D
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75DB8C5BE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateThreadEx: Direct from: 0x7FF75D9358E9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75DA50D29	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75DA4B813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF7AFBB20AB
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtProtectVirtualMemory: Direct from: 0x7FF75D9D43A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationProcess: Direct from: 0x7FF75D9F1568	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF75DB7D891
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationThread: Direct from: 0x7FF7AFD4A53B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF75DA1323C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationProcess: Direct from: 0x7FF7AFBB1568	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D9F20AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQuerySystemInformation: Direct from: 0x7FF75DB83CF1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateThreadEx: Direct from: 0x7FF7AFAF5763	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF75DA13107
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationProcess: Direct from: 0x7FF7AFB943A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtOpenKeyEx: Direct from: 0x7FF75DA12816	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF75DA1358A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75DB7C61C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	NtProtectVirtualMemory: Direct from: 0x6C342D61	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationProcess: Direct from: 0x7FF7AFBB1B62	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFB0C1E1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryInformationProcess: Direct from: 0x7FF75D9F1B62	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF7AFBD3891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtSetInformationProcess: Direct from: 0x7FF7AFB9F77B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF75D9EB954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQuerySystemInformation: Direct from: 0x7FF75DA4CA8A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQuerySystemInformation: Direct from: 0x7FF75DA7DBC6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtQueryValueKey: Direct from: 0x7FF7AFBD2D50	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x7FF7AFD3B04F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtClose: Direct from: 0x7FF7AFD3D86F
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7AFBAB954	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	NtCreateFile: Direct from: 0x7FF7AFD38306	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe base: 3BD010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe base: 305010	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_000000014000BFFC CharLowerW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrcmpiW,lstrcmpW,lstrlenW,GetActiveWindow,GetTempPathW,lstrlenW,GetModuleFileNameW,CopyFileW,MessageBoxW,lstrlenW,ShellExecuteW,GetModuleFileNameW,CharLowerW,lstrlenW,

21_2_000000014000BFFC

Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	Jump to behavior

Source: Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Code function: 13_2_01015935 cpuid

13_2_01015935

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Code function: GetThreadLocale,GetLocaleInfoA,GetACP,

13_2_0100821F

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Code function: 3_2_00007FF6DC611128 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00007FF6DC611128

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_000000014000EE50 GetDlgItem,GetUserNameW,wsprintfW,GetDlgItem,SetWindowTextW,GetDlgItem,SetWindowTextW,

21_2_000000014000EE50

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Code function: 21_2_0000000140026184 GetTimeZoneInformation,

21_2_0000000140026184

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Code function: 13_2_0100737C __EH_prolog3_GS,GetVersionExW,

13_2_0100737C

Source: C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	Code function: 13_2_0101289C __EH_prolog3_GS,?StartDefer@Element@DirectUI@@SGXXZ,??2@YAPAXI@Z,??0CRMDUIParser@@QAE@XZ,?LoadAndCreateElement@CRMDUIParser@@QAEJIPB_WPAPAVElement@DirectUI@@PAV23@K0@Z,GetForegroundWindow,?Initialize@NativeHWNDHost@DirectUI@@QAEJPB_W0PAUHWND__@@PAUHICON__@@HHHHHHHPAUHINSTANCE__@@I@Z,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,GetSystemMenu,RemoveMenu,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,SetWindowPos,?RMLoadIcon@@YGPAUHICON__@@PB_WK0@Z,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,SendMessageW,?RMLoadString@@YGIIPA_WIKPB_W@Z,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,SetWindowTextW,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,?Create@HWNDElement@DirectUI@@SGJPAUHWND__@@_NI1PAPAVElement@2@@Z,?Host@NativeHWNDHost@DirectUI@@QAEXPAVElement@2@@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,?Attach@CRMDUIParser@@QAEJPAVElement@DirectUI@@@Z,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,BuildDropTarget,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,PostMessageW,?EndDefer@Element@DirectUI@@SGXXZ,	13_2_0101289C
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7031401E ??0?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@QAE@PAVElement@1@@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,	14_2_7031401E
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70314074 ?OnListenerDetach@?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@UAEXPAVElement@2@@Z,	14_2_70314074
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70314048 ??1?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@QAE@XZ,?RemoveListener@Element@DirectUI@@QAEXPAUIElementListener@2@@Z,	14_2_70314048
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_703140BA ??0?$IElementListenerImpl@VDialogHWNDHost@DirectUI@@@DirectUI@@QAE@ABV01@@Z,	14_2_703140BA
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70314080 ?OnListenedWindowMessage@?$IElementListenerImpl@VElement@DirectUI@@@DirectUI@@UAE_NPAVElement@2@PAUHWND__@@IIJPAJ@Z,	14_2_70314080
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_703140D8 ??4?$IElementListenerImpl@VElement@DirectUI@@@DirectUI@@QAEAAV01@ABV01@@Z,	14_2_703140D8
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_703140CA ??0?$IElementListenerImpl@VDialogHWNDHost@DirectUI@@@DirectUI@@QAE@XZ,	14_2_703140CA
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_703141B1 ??1PopupWindow@DirectUI@@UAE@XZ,__EH_prolog3,??1?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@QAE@XZ,	14_2_703141B1
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_703141F2 ??_F?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@QAEXXZ,	14_2_703141F2
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7033F27F ?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,	14_2_7033F27F
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_7033F2E8 ?RemoveListener@Element@DirectUI@@QAEXPAUIElementListener@2@@Z,	14_2_7033F2E8
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70313E26 ??0?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@QAE@ABV01@@Z,	14_2_70313E26
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70313E18 ??0?$IElementListenerImpl@VElement@DirectUI@@@DirectUI@@QAE@XZ,	14_2_70313E18
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70313E08 ??0?$IElementListenerImpl@VElement@DirectUI@@@DirectUI@@QAE@ABV01@@Z,	14_2_70313E08
Source: C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	Code function: 14_2_70313E45 ??4?$ListenedElementPtr@VElement@DirectUI@@@DirectUI@@QAEAAV01@ABV01@@Z,	14_2_70313E45

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	2 Software Packing	NTDS	5 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	11 DLL Side-Loading	LSA Secrets	146 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
K3UtwU3CH9.msi	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\xvjmsqbp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\snfgsgf	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI3996.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI3B8B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISRT.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\_isres_0x0409.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\UXCore.dll	9%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\msvcr80.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\UXCore.dll	9%	ReversingLabs
C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\msvcr80.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://plerukilo0.site/LzM	0%	Avira URL Cloud	safe
https://plerukilo0.site/bM	0%	Avira URL Cloud	safe
https://plerukilo0.site/6M	0%	Avira URL Cloud	safe
https://plerukilo0.site/fM	0%	Avira URL Cloud	safe
https://plerukilo0.site/2M	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Download=Find.Same.Images.OK	0%	Avira URL Cloud	safe
https://plerukilo0.site/ZM	0%	Avira URL Cloud	safe
https://plerukilo0.site/	0%	Avira URL Cloud	safe
https://plerukilo0.site/vM	0%	Avira URL Cloud	safe
https://plerukilo0.site/environment-canaY	0%	Avira URL Cloud	safe
https://plerukilo0.site/.M	0%	Avira URL Cloud	safe
https://plerukilo0.site/rM	0%	Avira URL Cloud	safe
http://ie.search.msn.com/	0%	Avira URL Cloud	safe
https://plerukilo0.site/g	0%	Avira URL Cloud	safe
https://plerukilo0.site/nM	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	0%	Avira URL Cloud	safe
https://plerukilo0.site/jM	0%	Avira URL Cloud	safe
http://runonce.msn.com/?v=msgrv75	0%	Avira URL Cloud	safe
https://plerukilo0.site/NNM	0%	Avira URL Cloud	safe
https://plerukilo0.site:443	0%	Avira URL Cloud	safe
https://plerukilo0.site/k	0%	Avira URL Cloud	safe
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	0%	Avira URL Cloud	safe
https://plerukilo0.site/:M	0%	Avira URL Cloud	safe
https://plerukilo0.site/environment-canada-s-biosphere?vmkjypkrumtk=ey7u2s8PuxSar298wfGYABIRHbA4eVhz	0%	Avira URL Cloud	safe
https://plerukilo0.site/N&M	0%	Avira URL Cloud	safe
https://plerukilo0.site/L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
plerukilo0.site	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://plerukilo0.site/fM	MLE_Config_beta.exe, 00000015.00000003.2122929016.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2123102167.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/bM	MLE_Config_beta.exe, 00000015.00000002.2131867899.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2131389036.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/LzM	MLE_Config_beta.exe, 00000015.00000003.2127632449.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Download=Find.Same.Images.OK	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/ZM	MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/6M	MLE_Config_beta.exe, 00000015.00000003.2127632449.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/vM	MLE_Config_beta.exe, 00000015.00000003.2124413253.00000000004CB000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2124349794.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/	MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000048A000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2115376077.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/2M	MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/environment-canaY	MLE_Config_beta.exe, 00000015.00000002.2131691175.0000000000498000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/rM	MLE_Config_beta.exe, 00000015.00000003.2116592118.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117988162.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117930955.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.???.xx/?search=%s	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000000.1952616443.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ie.search.msn.com/	Dashboard.exe	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/.M	MLE_Config_beta.exe, 00000015.00000003.2119331870.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119562347.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2120026657.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/nM	MLE_Config_beta.exe, 00000015.00000003.2116592118.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/NNM	MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/jM	MLE_Config_beta.exe, 00000015.00000003.2116592118.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117988162.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2117930955.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://runonce.msn.com/?v=msgrv75	Dashboard.exe	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/FM	MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://plerukilo0.site/g	MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000048A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443	MLE_Config_beta.exe, 00000015.00000003.2119913004.00000000004A4000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2116633662.00000000004A4000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119384391.00000000004A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/BM	MLE_Config_beta.exe, 00000015.00000003.2121519247.00000000004D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://plerukilo0.site/k	MLE_Config_beta.exe, 00000015.00000002.2131691175.000000000048A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000000.1952616443.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/environment-canada-s-biosphere?vmkjypkrumtk=ey7u2s8PuxSar298wfGYABIRHbA4eVhz	MLE_Config_beta.exe, 00000015.00000002.2131691175.00000000004AA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2115376077.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2119825749.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/:M	MLE_Config_beta.exe, 00000015.00000003.2125904304.00000000004CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	Dashboard.exe, 0000000D.00000002.1722528788.000000000913B000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.000000000914D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.00000000025C0000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.0000000009129000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009130000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D2B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/N&M	MLE_Config_beta.exe, 00000015.00000003.2124413253.00000000004CB000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2124349794.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Download=Find.Same.Images.OK	cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/RM	MLE_Config_beta.exe, 00000015.00000003.2127632449.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.surfok.de/	cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/L	MLE_Config_beta.exe, 00000015.00000002.2131867899.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000003.2131389036.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com	Dashboard.exe, 0000000D.00000002.1722528788.0000000009191000.00000004.00000020.00020000.00000000.sdmp, Dashboard.exe, 0000000E.00000002.1780617372.00000000091A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, MLE_Config_beta.exe, 00000015.00000000.1952616443.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp, MLE_Config_beta.exe, 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Dashboard.exe, 00000016.00000002.2159661824.000000000917F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Dashboard.exe, 0000001C.00000002.2272864695.0000000009186000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586718
Start date and time:	2025-01-09 14:50:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	K3UtwU3CH9.msi renamed because original name is a hash value
Original Sample Name:	468ff3b01cb98f3bb68e99b07d04c29869abc2e5c4ba3b8f075658e6121d0cd4.msi
Detection:	MAL
Classification:	mal88.expl.evad.winMSI@43/25@2/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 173.222.162.32, 13.107.253.45
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Dashboard.exe, PID 1908 because there are no executed function
Execution Graph export aborted for target Dashboard.exe, PID 5756 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: K3UtwU3CH9.msi

Simulations

Behavior and APIs

Time	Type	Description
08:52:12	API Interceptor	1x Sleep call for process: cmd.exe modified
08:52:24	API Interceptor	40x Sleep call for process: MLE_Config_beta.exe modified
13:52:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT85B3.tmp
13:52:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AltnodeSC_alphav1.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse
	VmjvNTbD5J.exe	Get hash	malicious	Unknown	Browse
	1wrLmYiC62.exe	Get hash	malicious	Unknown	Browse
	vV5EOx0ipU.exe	Get hash	malicious	Unknown	Browse
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse
	8Rmoal0v85.exe	Get hash	malicious	Unknown	Browse
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 24EPV9vjc5.exe, Detection: malicious, Browse Filename: VmjvNTbD5J.exe, Detection: malicious, Browse Filename: 1wrLmYiC62.exe, Detection: malicious, Browse Filename: vV5EOx0ipU.exe, Detection: malicious, Browse Filename: kXzODlqJak.exe, Detection: malicious, Browse Filename: 8Rmoal0v85.exe, Detection: malicious, Browse Filename: cLm7ThwEvh.msi, Detection: malicious, Browse Filename: LVkAi4PBv6.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI3996.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176032
Entropy (8bit):	6.237539940128702
Encrypted:	false
SSDEEP:	3072:opnAfE+giQ322hTQxecDHudFJhIA+iM7kD5zZPE5oytDMu:oRUQth08oa7JsOJ3owu
MD5:	A0E940A3D3C1523416675125E3B0C07E
SHA1:	2E29EEBA6DA9A4023BC8071158FEEE3B0277FD1B
SHA-256:	B8FA7AA425E4084EA3721780A13D11E08B8D53D1C5414B73F22FAECA1BFD314F
SHA-512:	736EA06824388372AEEF1938C6B11E66F4595E0B0589D7B4A87FF4ABBABE52E82DFF64D916293EAB47AA869CF372CED2C66755DD8A8471B2AB0D3A37BA91D0B2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h`....S...S...S...S...SA..S...S...S...S...S...S.~.S...S...S...S.~.S...SA..S...SA..S...SA..S...S...S...SA..S...SRich...S........PE..L...J.,a...........!......................................................................@..........................B..a...t5..........h...............................................................@............................................text............................... ..`.rdata..............................@..@.data...41...P......................@....rsrc...h............@..............@..@.reloc..rH.......J...F..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI3B8B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2639799
Entropy (8bit):	7.016165064226519
Encrypted:	false
SSDEEP:	49152:faOS6j4wt3618wn6DNEYJEImTRCjE0/NWOkBHM9jmOl2r3Nb7Sm:1S6j4wt36yFD3JlXJfwdXR
MD5:	60FAE6ACF78AEFCB6AB22DD0C98776CA
SHA1:	994DB94E2320587CF4C6BE70FF3D2A90FEF1D645
SHA-256:	2CD8DD23C4DE532047C214E14392D3E3B1B736D9F2412C981A5B5D3087AA893C
SHA-512:	E968F2E54952E4175CE098D07200DDBB9D24184D5991A2028B5FD797052DA355991A208DBB517A12FAE1153581608F020BFF95CD6B1F3EAA492C51BB97538D7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........h.[...[...[.......R.......C.......Z.......................\.......Z......^.......L...[...........#.......Z.......Z...[..Z.......Z...Rich[...........................PE..L.....,a...........!.....N...........C.......p...............................P............@.........................@Z..g;..l4.......@....................... ...6...w..8...........................H...@............p..0... /.......................text...bI.......J.................. ..`.orpc... ....`.......N.............. ..`.rdata...%...p...&...R..............@..@.data...8............x..............@....rsrc........@.......f..............@..@.reloc...$... ...&...F..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cf3a1739

Download File

Process:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
File Type:	data
Category:	dropped
Size (bytes):	5740087
Entropy (8bit):	7.746216716550298
Encrypted:	false
SSDEEP:	98304:YnkHU0+KWpIm3UgMh/anD/xiwqKGutajFkMAQpGxI99YIwtSUzlKikAcP26qQ3P8:4T/xiwdjYjFkMOXB9kvP2NQ3PFoEw
MD5:	87FF4265A46BC23CFC4D5080FFFFDD30
SHA1:	EDD714111384FB49BAE02393C74C7B1F3935E8A4
SHA-256:	94B5BD5FBB6ED427B8152DD1FD81654E07A3B5BDDF44D56B3C777AC871544733
SHA-512:	439E030B0381828859FE912BC64416A86D35B65F2A5D390E40C389974FA02CF3527943CC2DD2FD492FF6979E87FDFCAA1FEB64DF97B6A91158617F44AE8FECA5
Malicious:	false
Preview:	...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].........4...........9......./..8......./......./...]...]...]...]...]...]...]...]...]...]...]...]...3...<...8...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].../...8...)...8...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]......x...>...2...........8...6...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...m...j...]...]...]...]...]...]...]...]...]...]...]

C:\Users\user\AppData\Local\Temp\e59d9e24

Download File

Process:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
File Type:	data
Category:	dropped
Size (bytes):	5740087
Entropy (8bit):	7.746216683209702
Encrypted:	false
SSDEEP:	98304:HnkHU0+KWpIm3UgMh/anD/xiwqKGutajFkMAQpGxI99YIwtSUzlKikAcP26qQ3P8:3T/xiwdjYjFkMOXB9kvP2NQ3PFoEw
MD5:	B3769C1E5DAE1CFB7C9929A987296BF0
SHA1:	0D25BABEE640500D58F1713A9022FC7B77E4683D
SHA-256:	EA9A0449D275C308FF6BC0657848384F4ADB64A35068F55E415034117999B2C4
SHA-512:	F58CF79971D02031818897393D5419A799C3F2E6C7BBABAFEF33BDD37D5B91CDD594A0C9F4A851D92933156DE3FF19751F2841FB272291AC667DF5D049F33D30
Malicious:	false
Preview:	...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].........4...........9......./..8......./......./...]...]...]...]...]...]...]...]...]...]...]...]...3...<...8...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].../...8...)...8...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]......x...>...2...........8...6...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...m...j...]...]...]...]...]...]...]...]...]...]...]

C:\Users\user\AppData\Local\Temp\eca08140

Download File

Process:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
File Type:	data
Category:	dropped
Size (bytes):	5740087
Entropy (8bit):	7.746216835198383
Encrypted:	false
SSDEEP:	98304:lnkHU0+KWpIm3UgMh/anD/xiwqKGutajFkMAQpGxI99YIwtSUzlKikAcP26qQ3P8:BT/xiwdjYjFkMOXB9kvP2NQ3PFoEw
MD5:	C4C7D539B318793F2BC3381A6BE20BFC
SHA1:	8F2B898B77D2BF801B3A600290CCFEF134D87241
SHA-256:	450107E421173687214B07C068AF0D018BDAD49A60625986EFD5328CFF7054C3
SHA-512:	04875A850ACC4A263A449925C680EA990919B635A91D5711C482180274A58C7EC9D4B6263CC962239A210B7C69AB9509AC409741B3D180A808DB494E8CE06FFC
Malicious:	false
Preview:	...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].........4...........9......./..8......./......./...]...]...]...]...]...]...]...]...]...]...]...]...3...<...8...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].../...8...)...8...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]......x...>...2...........8...6...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...m...j...]...]...]...]...]...]...]...]...]...]...]

C:\Users\user\AppData\Local\Temp\oxstqvsuk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 9 12:51:50 2025, mtime=Thu Jan 9 12:51:50 2025, atime=Thu Jan 9 12:51:48 2025, length=145264, window=hide
Category:	dropped
Size (bytes):	941
Entropy (8bit):	5.0291786030268275
Encrypted:	false
SSDEEP:	12:8MYRfy4I+xHSWCyqdY//ncRSLm/SG2KTLEMrIg9IjAL2mrH5zVJ1aCPBmV:8v9VjW+URsmj2UL5raAn7rBPBm
MD5:	0695ECFB28C6D302402C84FE90E2A6CC
SHA1:	28B3F99007C0EE886FD028E4F36E682F648A6CE8
SHA-256:	AF8262BA151D9C20E2C9E49A15AEA035E9991677ACB4E819A786EBD33950C094
SHA-512:	2133BC05DCC1C908E7B3CAEDD3C4F51F46A6FF8C9927D332D4A252EB312DDB7EE0CA9A3EE74A66500EB28AF05E2259913191441CC003BFF0421370CEB4A8A9E3
Malicious:	false
Preview:	L..................F.... ........b....M..b..!...b..p7........................:..DG..Yr?.D..U..k0.&...&......vk.v....6tF..b.....b......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^)Zwn...........................%..A.p.p.D.a.t.a...B.V.1.....)Zzn..Roaming.@......CW.^)Zzn..........................'z..R.o.a.m.i.n.g.....n.1.....)Zzn..LOADUP~1..V......)Zzn)Zzn..........................~...L.o.a.d.u.p.d.a.t.e.X.i._.a.l.p.h.a.....h.2.p7..)Zyn .DASHBO~1.EXE..L......)Zzn)Zzn....%.........................D.a.s.h.b.o.a.r.d...e.x.e.......n...............-.......m............Q.......C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe........\.....\.R.o.a.m.i.n.g.\.L.o.a.d.u.p.d.a.t.e.X.i._.a.l.p.h.a.\.D.a.s.h.b.o.a.r.d...e.x.e.`.......X.......965543...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\snfgsgf

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2642944
Entropy (8bit):	6.7314423556583804
Encrypted:	false
SSDEEP:	49152:kkrsBvSl7gM/JK9mZizLmri8lZwREhKR3UX724jkmkz7r9lnxgFwS/LFi9TA8Bb/:BQBvqQL9cK+kRI5LErom
MD5:	618CCBDF42C7361FA8D657C44074C75A
SHA1:	3A38274662D7C947714A4C3A4A379A5004044DAC
SHA-256:	3C6B787B6B1852AF7D40E1407CE548E5B2657FD688BCED5069E3CBE93CF46B6F
SHA-512:	F0D6F0F3D0130D7CA448CD70A1FB8ECC5E503C096613F95E118E9EDE2DBC4EF47B5ABC31C6D0A08AD294126E4C27E348C5F3646A90CA436513F42933C5B4120D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......[..................%..@(..f..W..........@.............................@/.......(...`... ......................................................./.8.....'..k........... /...............................'.(...................X................................text...8.%.......%.................`..`.data.........%.......%.............@....rdata........&.......&.............@..@.pdata...k....'..l...t'.............@..@.xdata...R....(..T....'.............@..@.bss....`e...p(..........................idata...............4(.............@....CRT....0............:(.............@....tls........../......<(.............@....rsrc...8...../......>(.............@..@.reloc....... /......@(.............@..Bhwafy........0/......D(.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\xvjmsqbp

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2642944
Entropy (8bit):	6.7314423556583804
Encrypted:	false
SSDEEP:	49152:kkrsBvSl7gM/JK9mZizLmri8lZwREhKR3UX724jkmkz7r9lnxgFwS/LFi9TA8Bb/:BQBvqQL9cK+kRI5LErom
MD5:	618CCBDF42C7361FA8D657C44074C75A
SHA1:	3A38274662D7C947714A4C3A4A379A5004044DAC
SHA-256:	3C6B787B6B1852AF7D40E1407CE548E5B2657FD688BCED5069E3CBE93CF46B6F
SHA-512:	F0D6F0F3D0130D7CA448CD70A1FB8ECC5E503C096613F95E118E9EDE2DBC4EF47B5ABC31C6D0A08AD294126E4C27E348C5F3646A90CA436513F42933C5B4120D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......[..................%..@(..f..W..........@.............................@/.......(...`... ......................................................./.8.....'..k........... /...............................'.(...................X................................text...8.%.......%.................`..`.data.........%.......%.............@....rdata........&.......&.............@..@.pdata...k....'..l...t'.............@..@.xdata...R....(..T....'.............@..@.bss....`e...p(..........................idata...............4(.............@....CRT....0............:(.............@....tls........../......<(.............@....rsrc...8...../......>(.............@..@.reloc....... /......@(.............@..Bhwafy........0/......D(.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	182688
Entropy (8bit):	5.754161341636684
Encrypted:	false
SSDEEP:	3072:cIFNKUw8ALJ+C2T0FSmmiYQT4XF2E+JYHdeZ2bgA/qLTM6:wUn0mT8Sc/T4V1b9xg8N6
MD5:	40F3A092744E46F3531A40B917CCA81E
SHA1:	C73F62A44CB3A75933CECF1BE73A48D0D623039B
SHA-256:	561F14CDECE85B38617403E1C525FF0B1B752303797894607A4615D0BD66F97F
SHA-512:	1589B27DB29051C772E5BA56953D9F798EFBF74D75E0524FA8569DF092D28960972779811A7916198D0707D35B1093D3E0DD7669A8179C412CFA7DF7120733B2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...#.,a.........."......X...v.................@....................................fU....`..................................................J..........X.......$...................`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...X............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISRT.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	436632
Entropy (8bit):	7.972710318865142
Encrypted:	false
SSDEEP:	6144:Ob9ySl0fcsmxCLCN7zRpT6bHJibmR6KSHg2Vb5eeRWTo22tcZ3u/Gszt2A2//Hr5:OlsmH7z/sDR6Dv9vWsIuusw/4+q90
MD5:	8AF02BF8E358E11CAEC4F2E7884B43CC
SHA1:	16BADC6C610EEB08DE121AB268093DD36B56BF27
SHA-256:	58A724D23C63387A2DDA27CCFDBC8CA87FD4DB671BEA8BB636247667F6A5A11E
SHA-512:	D0228A8CC93FF6647C2F4BA645FA224DC9D114E2ADB5B5D01670B6DAFC2258B5B1BE11629868748E77B346E291974325E8E8E1192042D7C04A35FC727AD4E3FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....,a...........!.....z...@...............................................@......................................h...................`....................0.........8...................................................4U..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\IsConfig.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Generic INItialization configuration [f1]
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.337626728447826
Encrypted:	false
SSDEEP:	3:sYRvqLCAFmxKmzg/5iERcgdYyfwGzk4d1IBBQRuGzYot/Kt2wKXFMJA14uy:sWCVUxKmM/sE6YVfQQ1qQRzqtuMO+uy
MD5:	1FEEC064551310100E6ABEA6C0D5D0F5
SHA1:	FAD558106C0887B26EE6DD5FFD0481C579A805D9
SHA-256:	10C86001815C8A7F9DA2A53852D35FDAE0C101466DAE9D3FA49559E16037C41C
SHA-512:	84A08E68664AAEC306212B5459B8BE2B0DCE2B60F8B8F0A7B5DD19A99D40C896F32D65518009582562BE32D512B6C7CE0BD24AA4C3CAD34B81C3E3010DE590FF
Malicious:	false
Preview:	[SetupDefaults]..LangID=1033..ProductCode={D5CE2740-095B-41D8-8BD7-CD8C6AF97028}..TempPathGuid={914516C0-85F7-4B8C-8A20-48B90586565C}..[f1]..Function=GetSupportFilePathMSI..

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\String1033.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
Category:	dropped
Size (bytes):	185882
Entropy (8bit):	3.651612955878899
Encrypted:	false
SSDEEP:	1536:jujZLJ6/K41VBrChTHx8Idy2hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27pt:jqLm1UTR8YW9Coew
MD5:	082584D94AD26EF710E9EDD4D6E35D65
SHA1:	E3FD6EC5CB5B01D7C6F9F2A7558EF3300E292EAE
SHA-256:	8261FD7A996B078497B1875CD875C4B7A8A551C788EE56F618B7C89B181141AF
SHA-512:	6F81DA8BA3455B426FE8555DA14C0D128BA1E63B19B0BDECC26DDFEC70AFE655290815A0839503A105EF0271DA9DD282E6226236F1A04539D20E4F89996D821B
Malicious:	false
Preview:	..C.O.M.P.A.N.Y._.N.A.M.E.=.Y.o.u.r. .C.o.m.p.a.n.y. .N.a.m.e.....D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.1.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.1. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.6.F.O.L.D.E.R.=.A.d.o.b.e. .R.

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\_isres_0x0409.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1855595
Entropy (8bit):	5.675318942505195
Encrypted:	false
SSDEEP:	12288:ys4d9dfaOdWEINpJCPtjvntnSb8COevQonCLPub+74v8:chrWlNDCPtjvntnSb8COevQonCfo8
MD5:	7DE024BC275F9CDEAF66A865E6FD8E58
SHA1:	5086E4A26F9B80699EA8D9F2A33CEAD28A1819C0
SHA-256:	BD32468EE7E8885323F22EABBFF9763A0F6FFEF3CC151E0BD0481DF5888F4152
SHA-512:	191C57E22EA13D13806DD390C4039029D40C7532918618D185D8A627AABC3969C7AF2E532E3C933BDE8F652B4723D951BF712E9BA0CC0D172DDE693012F5EF1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...i!-a...........!.........................................................p...............................................@..(....P..0....................@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...0....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\setup.inx

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	262243
Entropy (8bit):	7.347063969035946
Encrypted:	false
SSDEEP:	3072:j6a1TglJLBkaKuO3VGCHF3dxiwEQNDCGpV5nrVEOWKPYXaaDqUrmluM4Ky7yfu6q:jqlnO3ogywHQBGumlulr6fvdFZtDRIl
MD5:	0B8AEE4D8418249299744D9A5A5D23F4
SHA1:	AD306E2BCCC45D792B18CF8901156EC515A61371
SHA-256:	1C66999D79428FAD90104B9F74486EDD10805219056BBEEB514257465D6C698F
SHA-512:	10EC628CC9FBB33990BFFF8CEC7618F9053DB63A0EB264C7724078620CD931D4D80BEFDB99CC675F977C71D595D2FD3A513D125978015D35C814D0ED36875819
Malicious:	false
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a.!mQ.Y]A..M1.9-!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................}.......W.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145264
Entropy (8bit):	6.331826441761858
Encrypted:	false
SSDEEP:	3072:fW6vjvEUEzozIGnKyvBhSVeoVdS5jO4yEWzJ1gKs4H+u1ERB:REJWC+SVeoVdSZOqWbgKs4HPQ
MD5:	704925ECFDB24EF81190B82DE0E5453C
SHA1:	1128B3063180419893615CA73AD4F9DD51EBEAC6
SHA-256:	8CC871EE8760A4658189528B4A5D8AFE9824F6A13FAAF1FE7EB56F2A3AD2D04E
SHA-512:	CA187015812DDFCAA6515F3A5B780183B4A772801AA14B3F785D6DEE9B9AA7DB6402A7B346623FD24CF4A28F9856683022B10C3D812F8F2888E25BB218CBF216
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........KC..-..-..-.B.S..-...P..-...@..-...V..-..,./-...C..-...Q..-...U..-.Rich.-.................PE..L....mKF.....................................................................@.................. ...........................v..........(...............p%..........P................................D..@............................................text............................... ..`.data...............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\UXCore.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	830464
Entropy (8bit):	6.581634247915213
Encrypted:	false
SSDEEP:	12288:PC0Y0yaWduIfHk898h2iKq6vPZTZpKNnSr71O7O7l6qe8/T:q0Y0yVumHRC2JnP1Bp6qe4
MD5:	7B9CE1DE240CA4B496133ABECAC85A4D
SHA1:	CBC2BAA4CB392A0230DDA06D9F14248DA62032E7
SHA-256:	3CCE14427382864A84A9B0E6951779214B90DF92598A146BDA77044528B5CE6C
SHA-512:	73AC9C2077FE73A2F49BDDBC9A8E3CFA5CD0D912FF57A0849DA51A3126689C666675992A630EF7919FE840EF79136AACF82B8F584B6F43A5F8FB9515E62CF7D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.0P..^...^...^.......^..._...^.<.%...^... ...^.<.3...^.<.#...^.......^...Q...^.<.$...^.<.0...^.<."...^.<.&...^.Rich..^.........PE..L...w.:F...........!................4........0....0p....................................................................$^...........@..X....................P......................................x...@...........................................text............................... ..`.data........0......................@....rsrc...X....@......................@..@.reloc..X....P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\hkdsl

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	4608873
Entropy (8bit):	7.960086942320774
Encrypted:	false
SSDEEP:	98304:3styJxNYMjroMCoKRxC5w1UEA4e2l3YJArwjLvBOVR3r2n:35NYMj8MjMqEw2Ns5B9n
MD5:	E6E1FFF4A1855FB662CF8B192D82D269
SHA1:	2DB24675D9CAAE53A4DABD989371FFF04FDE4628
SHA-256:	0C3E5965D44D0933511882C9176DACF4EE2A7D22A4A38560F4B95B26AD34D0C0
SHA-512:	243DAB5DA256C4C8622F5C6A0C1E2B900B4D05067B1C161B515674A112E1657AC4C0BC8D08F6706C24FC797ECACC7FC3863A1C5DE2378C822F53278D8BA15AB1
Malicious:	false
Preview:	kh.i..Q..Qcx..GL..l..`..F.l..I.P.ir].A....k.sE.^F..o.....H..]`.n.L.lA...o^...J...tikQ.P.ZICwA..j..WcW..v.qELV..].U]uMNM..I[.D]..L..HnNo.M.aB.s.Bn...JtSlHIV..._.\...R..`...LS`...X..j.\..fSEl.c]CXj.oSM..LWr.v.ghJiT.].._Nu..H.Q.h..V_.riG..V...uP...b....g^.F..p...c..\...._G..HBEd.j.......c.Ws.^c`.H..LBe...w..ms.h..q..F\..Uf_BIK_^....e.ib...a...R.M...xat.PJ..HK..G_.......pQw...F.qRY.i.UjuP..Pq..h...J.Jo.sZ..p.jJ....p..sh.]tk.JfLmT.v...IFl.pl_s.Fp.G..ZD.f.E...jpv..s...]Z.E.Tn.j.^.....T...mM.h.w..b.^[U.GdZL._.vh.w...^...F.t.WO.T.Nj.....dRQU..^NFCp......GEZ.N.Ax...EF...^uu.NR...\D......._.FY.g.D.yf.`jM.y.X.c.\.B.r.VE.EHkv.f^G.S.W..T........Mk..I.MkH.^Y...m....H.Li.G....a..O..b..Ne....U..E....bZipkrtL.n.MY].w.t.gmmP.Y..h_Qn[.S..PODN.jxR..........f.L........Z.mH.QWsxSGK.m..TbJ.rot.F..g.N...ZN]..^a.LOS......s....vk...JX.S.]..qXSJXRO`BY.Xb.lZpfV.H.i.N.p......Rh..JT`.TD..hj..KZyt.HMn.V....YT.I.GM..Redy.K.oJx.......fR..n.Qr.g.V.....e.c.tg..DC....Qsl.q.k..D.t...].KQG.D.T.a\kn.s.m.f.i...i`...^j.pd..vQ

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\mgty

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	60694
Entropy (8bit):	4.563580701233227
Encrypted:	false
SSDEEP:	768:9S46jIRCQgaSaLwpWOVDVGv9PI1ksIKXOThuHY5cZhYd+b3VaQwXVJunCVW66e+J:Q16DjwprVxR2uHYEVaQwFPWfe+L+Ur
MD5:	36CD10B0A78053BC4825F49D06815852
SHA1:	20570C9FEB56E663892B05F38B45CC84A14B2295
SHA-256:	DF40ECA893BCDFE0D0ED21104C5ECB2191F44CBFA80F69073042593F90D82650
SHA-512:	9C20313A2930F351BA9B3F29B6FD4C9F3A71D2230019D42D164ADF931F8C60252564533BA40D980F6E47854BC5080392D91C94CC5C0FE7B98A2FB86DA61F2CA5
Malicious:	false
Preview:	tT.G..l...]....DZ.y..DI....eVC.d.g...K^..\y.jPks.p.jiI.g......wD.aL.pmvPOg...a....]M.Xpeiy^wC.Jh..x..[PB.gt.....rgeO.DWkZ..mVvN.T..m.g.pP.c..iMaCcEH..Q..g.wK.ay.....a^...IQY.e...^W.hK.....h..cKP..vsip.YqtE..`JN.k.Obt..scP....[Ok.g.HQ..t.N.NM.E..[.U...A.dg.n.vR....rx.so.E.Db..L...PkIpO...SN...n.d.Ugr.y..Qt.\....Os.......gI.ku...sT.h.....w.D.Ga.....k..Sq..hU[..QVesn..be_...CNQ..H...R.q..f...y.DA.d..x.S..i.]..RQy.sy..X.geNw._.MH..Q..MV..^d.Pc.R..Q.J..TUO.._Q..`.ieM.Zq...I........Hx.o..`^..I.Q.p..SP...EAns...u`....F....XT..M.F.VKp..X..UYA..t.BiRNv_..Mhlo....^uSS.w..dG..Y...ge..I..S.Dh.[r..V.....TTWQt]xY[j...eG......X._k[..Mon...Zc..u..oMkvR.....J.ne.Uq.[w...GW....ftn....w.VB]..C.Ov..\k.....OeM.W.vJrc.....vMa.hS.ot..c..F.f.g.IR.vVX..O..G..yVp..J.J.t............V.s..w.d.Xa.]Z.k..C...[..h.......Q....xV.l..QM...S..v...[..b...N.y..py..I..k.T.V...u.i[I.Ep.NN.yf..aS._...a...Q.._W_.....F..[V..jiZSZ...KIe...K....kkdwABV..SO.OMH^QS..OV^k..R..BLn.Y..G.y.E.H.JT.s...v[C..L...mGX.l.....MA..tHn.E...C.\..

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\msvcr80.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626688
Entropy (8bit):	6.840096566307411
Encrypted:	false
SSDEEP:	12288:mxzh9hH5RVKTp0G+vFhr46CI600yZmGyYG:mph9hHzVKOpt6MmGyY
MD5:	43143ABB001D4211FAB627C136124A44
SHA1:	EDB99760AE04BFE68AAACF34EB0287A3C10EC885
SHA-256:	CB8928FF2FAF2921B1EDDC267DCE1BB64E6FEE4D15B68CD32588E0F3BE116B03
SHA-512:	CED96CA5D1E2573DBF21875CF98A8FCB86B5BCDCA4C041680A9CB87374378E04835F02AB569D5243608C68FEB2E9B30FFE39FEB598F5081261A57D1CE97556A6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...I^j[...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`.......................p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145264
Entropy (8bit):	6.331826441761858
Encrypted:	false
SSDEEP:	3072:fW6vjvEUEzozIGnKyvBhSVeoVdS5jO4yEWzJ1gKs4H+u1ERB:REJWC+SVeoVdSZOqWbgKs4HPQ
MD5:	704925ECFDB24EF81190B82DE0E5453C
SHA1:	1128B3063180419893615CA73AD4F9DD51EBEAC6
SHA-256:	8CC871EE8760A4658189528B4A5D8AFE9824F6A13FAAF1FE7EB56F2A3AD2D04E
SHA-512:	CA187015812DDFCAA6515F3A5B780183B4A772801AA14B3F785D6DEE9B9AA7DB6402A7B346623FD24CF4A28F9856683022B10C3D812F8F2888E25BB218CBF216
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........KC..-..-..-.B.S..-...P..-...@..-...V..-..,./-...C..-...Q..-...U..-.Rich.-.................PE..L....mKF.....................................................................@.................. ...........................v..........(...............p%..........P................................D..@............................................text............................... ..`.data...............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\UXCore.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	830464
Entropy (8bit):	6.581634247915213
Encrypted:	false
SSDEEP:	12288:PC0Y0yaWduIfHk898h2iKq6vPZTZpKNnSr71O7O7l6qe8/T:q0Y0yVumHRC2JnP1Bp6qe4
MD5:	7B9CE1DE240CA4B496133ABECAC85A4D
SHA1:	CBC2BAA4CB392A0230DDA06D9F14248DA62032E7
SHA-256:	3CCE14427382864A84A9B0E6951779214B90DF92598A146BDA77044528B5CE6C
SHA-512:	73AC9C2077FE73A2F49BDDBC9A8E3CFA5CD0D912FF57A0849DA51A3126689C666675992A630EF7919FE840EF79136AACF82B8F584B6F43A5F8FB9515E62CF7D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.0P..^...^...^.......^..._...^.<.%...^... ...^.<.3...^.<.#...^.......^...Q...^.<.$...^.<.0...^.<."...^.<.&...^.Rich..^.........PE..L...w.:F...........!................4........0....0p....................................................................$^...........@..X....................P......................................x...@...........................................text............................... ..`.data........0......................@....rsrc...X....@......................@..@.reloc..X....P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\hkdsl

Download File

Process:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
File Type:	data
Category:	dropped
Size (bytes):	4608873
Entropy (8bit):	7.960086942320774
Encrypted:	false
SSDEEP:	98304:3styJxNYMjroMCoKRxC5w1UEA4e2l3YJArwjLvBOVR3r2n:35NYMj8MjMqEw2Ns5B9n
MD5:	E6E1FFF4A1855FB662CF8B192D82D269
SHA1:	2DB24675D9CAAE53A4DABD989371FFF04FDE4628
SHA-256:	0C3E5965D44D0933511882C9176DACF4EE2A7D22A4A38560F4B95B26AD34D0C0
SHA-512:	243DAB5DA256C4C8622F5C6A0C1E2B900B4D05067B1C161B515674A112E1657AC4C0BC8D08F6706C24FC797ECACC7FC3863A1C5DE2378C822F53278D8BA15AB1
Malicious:	false
Preview:	kh.i..Q..Qcx..GL..l..`..F.l..I.P.ir].A....k.sE.^F..o.....H..]`.n.L.lA...o^...J...tikQ.P.ZICwA..j..WcW..v.qELV..].U]uMNM..I[.D]..L..HnNo.M.aB.s.Bn...JtSlHIV..._.\...R..`...LS`...X..j.\..fSEl.c]CXj.oSM..LWr.v.ghJiT.].._Nu..H.Q.h..V_.riG..V...uP...b....g^.F..p...c..\...._G..HBEd.j.......c.Ws.^c`.H..LBe...w..ms.h..q..F\..Uf_BIK_^....e.ib...a...R.M...xat.PJ..HK..G_.......pQw...F.qRY.i.UjuP..Pq..h...J.Jo.sZ..p.jJ....p..sh.]tk.JfLmT.v...IFl.pl_s.Fp.G..ZD.f.E...jpv..s...]Z.E.Tn.j.^.....T...mM.h.w..b.^[U.GdZL._.vh.w...^...F.t.WO.T.Nj.....dRQU..^NFCp......GEZ.N.Ax...EF...^uu.NR...\D......._.FY.g.D.yf.`jM.y.X.c.\.B.r.VE.EHkv.f^G.S.W..T........Mk..I.MkH.^Y...m....H.Li.G....a..O..b..Ne....U..E....bZipkrtL.n.MY].w.t.gmmP.Y..h_Qn[.S..PODN.jxR..........f.L........Z.mH.QWsxSGK.m..TbJ.rot.F..g.N...ZN]..^a.LOS......s....vk...JX.S.]..qXSJXRO`BY.Xb.lZpfV.H.i.N.p......Rh..JT`.TD..hj..KZyt.HMn.V....YT.I.GM..Redy.K.oJx.......fR..n.Qr.g.V.....e.c.tg..DC....Qsl.q.k..D.t...].KQG.D.T.a\kn.s.m.f.i...i`...^j.pd..vQ

C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\mgty

Download File

Process:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
File Type:	data
Category:	dropped
Size (bytes):	60694
Entropy (8bit):	4.563580701233227
Encrypted:	false
SSDEEP:	768:9S46jIRCQgaSaLwpWOVDVGv9PI1ksIKXOThuHY5cZhYd+b3VaQwXVJunCVW66e+J:Q16DjwprVxR2uHYEVaQwFPWfe+L+Ur
MD5:	36CD10B0A78053BC4825F49D06815852
SHA1:	20570C9FEB56E663892B05F38B45CC84A14B2295
SHA-256:	DF40ECA893BCDFE0D0ED21104C5ECB2191F44CBFA80F69073042593F90D82650
SHA-512:	9C20313A2930F351BA9B3F29B6FD4C9F3A71D2230019D42D164ADF931F8C60252564533BA40D980F6E47854BC5080392D91C94CC5C0FE7B98A2FB86DA61F2CA5
Malicious:	false
Preview:	tT.G..l...]....DZ.y..DI....eVC.d.g...K^..\y.jPks.p.jiI.g......wD.aL.pmvPOg...a....]M.Xpeiy^wC.Jh..x..[PB.gt.....rgeO.DWkZ..mVvN.T..m.g.pP.c..iMaCcEH..Q..g.wK.ay.....a^...IQY.e...^W.hK.....h..cKP..vsip.YqtE..`JN.k.Obt..scP....[Ok.g.HQ..t.N.NM.E..[.U...A.dg.n.vR....rx.so.E.Db..L...PkIpO...SN...n.d.Ugr.y..Qt.\....Os.......gI.ku...sT.h.....w.D.Ga.....k..Sq..hU[..QVesn..be_...CNQ..H...R.q..f...y.DA.d..x.S..i.]..RQy.sy..X.geNw._.MH..Q..MV..^d.Pc.R..Q.J..TUO.._Q..`.ieM.Zq...I........Hx.o..`^..I.Q.p..SP...EAns...u`....F....XT..M.F.VKp..X..UYA..t.BiRNv_..Mhlo....^uSS.w..dG..Y...ge..I..S.Dh.[r..V.....TTWQt]xY[j...eG......X._k[..Mon...Zc..u..oMkvR.....J.ne.Uq.[w...GW....ftn....w.VB]..C.Ov..\k.....OeM.W.vJrc.....vMa.hS.ot..c..F.f.g.IR.vVX..O..G..yVp..J.J.t............V.s..w.d.Xa.]Z.k..C...[..h.......Q....xV.l..QM...S..v...[..b...N.y..py..I..k.T.V...u.i[I.Ep.NN.yf..aS._...a...Q.._W_.....F..[V..jiZSZ...KIe...K....kkdwABV..SO.OMH^QS..OV^k..R..BLn.Y..G.y.E.H.JT.s...v[C..L...mGX.l.....MA..tHn.E...C.\..

C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\msvcr80.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626688
Entropy (8bit):	6.840096566307411
Encrypted:	false
SSDEEP:	12288:mxzh9hH5RVKTp0G+vFhr46CI600yZmGyYG:mph9hHzVKOpt6MmGyY
MD5:	43143ABB001D4211FAB627C136124A44
SHA1:	EDB99760AE04BFE68AAACF34EB0287A3C10EC885
SHA-256:	CB8928FF2FAF2921B1EDDC267DCE1BB64E6FEE4D15B68CD32588E0F3BE116B03
SHA-512:	CED96CA5D1E2573DBF21875CF98A8FCB86B5BCDCA4C041680A9CB87374378E04835F02AB569D5243608C68FEB2E9B30FFE39FEB598F5081261A57D1CE97556A6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...I^j[...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`.......................p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Thu Dec 19 15:10:32 2024, Create Time/Date: Thu Dec 19 15:10:32 2024, Last Printed: Thu Dec 19 15:10:32 2024, Revision Number: {38167EE4-6F51-464C-B53F-8224570D655F}, Code page: 1252, Template: Intel;1033
Entropy (8bit):	7.547692946114982
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	K3UtwU3CH9.msi
File size:	9'586'644 bytes
MD5:	81907fbd20c219c1890c775c91468215
SHA1:	37731a1a70b620d8a0694bfc15b78d31179742ad
SHA256:	468ff3b01cb98f3bb68e99b07d04c29869abc2e5c4ba3b8f075658e6121d0cd4
SHA512:	edd0cdd6bb76c971c7fbc78b956f1bf8e506e00998314d4d65f506e2dcf983d3cafd242739f92ce7d9cef832b78f6087dec2503b84e40fa0bf9d53cc0d1d7343
SSDEEP:	196608:RO4KevMPrBma/EF3JqOzg5AKuPH9SSkC6A4pLmeuP3wE7:rMPrBTMF3UOzg324e4mAE7
TLSH:	BCA6F111B7D5C032D1AE0271491DB36492BEFE714B3182C7B6983B8EAD716C1AB31B97
File Content Preview:	........................>...................................8........6..........................~..............................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:52:35.100264072 CET	51697	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:52:35.105231047 CET	53	51697	162.159.36.2	192.168.2.4
Jan 9, 2025 14:52:35.105307102 CET	51697	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:52:35.110383034 CET	53	51697	162.159.36.2	192.168.2.4
Jan 9, 2025 14:52:35.608274937 CET	51697	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:52:35.640629053 CET	51697	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:52:35.645966053 CET	53	51697	162.159.36.2	192.168.2.4
Jan 9, 2025 14:52:35.646084070 CET	51697	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:52:32.711271048 CET	63245	53	192.168.2.4	1.1.1.1
Jan 9, 2025 14:52:32.720031977 CET	53	63245	1.1.1.1	192.168.2.4
Jan 9, 2025 14:52:35.099630117 CET	53	64775	162.159.36.2	192.168.2.4
Jan 9, 2025 14:52:35.649959087 CET	53	56008	1.1.1.1	192.168.2.4
Jan 9, 2025 14:53:20.142921925 CET	61808	53	192.168.2.4	1.1.1.1
Jan 9, 2025 14:53:20.152059078 CET	53	61808	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 14:52:32.711271048 CET	192.168.2.4	1.1.1.1	0x6fcd	Standard query (0)	plerukilo0.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:53:20.142921925 CET	192.168.2.4	1.1.1.1	0x3f9f	Standard query (0)	plerukilo0.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 14:52:32.720031977 CET	1.1.1.1	192.168.2.4	0x6fcd	Name error (3)	plerukilo0.site	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:53:20.152059078 CET	1.1.1.1	192.168.2.4	0x3f9f	Name error (3)	plerukilo0.site	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:51:47
Start date:	09/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\K3UtwU3CH9.msi"
Imagebase:	0x7ff7a52f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:51:48
Start date:	09/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7a52f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:51:48
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 67D8AB6401B6284E54A24D810952612F C
Imagebase:	0xa80000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DACCFEC1-0F8E-4735-B9C7-A60DBEC446EA}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C031A3B-AD25-4CE4-AB49-01F87FDEE881}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56D245EC-76C4-4C26-9039-E4C34B0EC544}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0C64754-86B5-489E-9A24-32FD984CC512}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CF2577-EEA4-4712-85B8-C177FE73A996}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2288B9E7-ABB0-459A-A1F0-65CF795FB7C4}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06852D7C-4042-4D98-A431-F2C81FD3913D}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0CC5960-99B5-429C-9C5D-234075E07B82}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19A60243-752F-4575-BE1B-A4589A300ACF}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:51:49
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F15C916D-5F9E-4609-A30F-4848C97C342B}
Imagebase:	0x7ff6dc600000
File size:	182'688 bytes
MD5 hash:	40F3A092744E46F3531A40B917CCA81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:51:50
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe
Imagebase:	0x1000000
File size:	145'264 bytes
MD5 hash:	704925ECFDB24EF81190B82DE0E5453C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.1722528788.00000000093D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:51:50
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
Imagebase:	0x1000000
File size:	145'264 bytes
MD5 hash:	704925ECFDB24EF81190B82DE0E5453C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.1780617372.00000000093E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:51:52
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2027624617.0000000005446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:51:52
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:52:15
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2132278802.0000000002609000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:52:29
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe"
Imagebase:	0x1000000
File size:	145'264 bytes
MD5 hash:	704925ECFDB24EF81190B82DE0E5453C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.2159661824.00000000093C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:52:29
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2213346540.0000000002C10000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2213608056.0000000004B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:52:29
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:52:41
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\LoadupdateXi_alpha\Dashboard.exe"
Imagebase:	0x1000000
File size:	145'264 bytes
MD5 hash:	704925ECFDB24EF81190B82DE0E5453C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.2272864695.00000000093CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:52:41
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001D.00000002.2504304283.0000000004D74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:52:41
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:53:01
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2605314044.00000000025BE000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.9%
Total number of Nodes:	540
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF6DC601AD0 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 350
windowsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00007FF6DC601B02
CoInitializeEx.COMBASE ref: 00007FF6DC601B0D
GetCurrentThreadId.KERNEL32 ref: 00007FF6DC601B90
StringFromGUID2.OLE32 ref: 00007FF6DC601BF8
SysAllocString.OLEAUT32 ref: 00007FF6DC601C02
SysStringLen.OLEAUT32 ref: 00007FF6DC601C17
SysStringLen.OLEAUT32 ref: 00007FF6DC601C24
CharUpperBuffW.USER32 ref: 00007FF6DC601C2F
CharNextW.USER32 ref: 00007FF6DC601CD2
CharNextW.USER32 ref: 00007FF6DC601CE0
CharNextW.USER32 ref: 00007FF6DC601CF6
lstrcmpiW.KERNELBASE ref: 00007FF6DC601D1A
lstrcmpiW.KERNEL32 ref: 00007FF6DC601D32
CharNextW.USER32 ref: 00007FF6DC601D60
CharNextW.USER32 ref: 00007FF6DC601D6E
CharNextW.USER32 ref: 00007FF6DC601D81
CreateEventW.KERNEL32 ref: 00007FF6DC601DA2
CreateThread.KERNELBASE ref: 00007FF6DC601DD5
StringFromGUID2.OLE32 ref: 00007FF6DC601DF1
SysAllocString.OLEAUT32 ref: 00007FF6DC601DFB
SysFreeString.OLEAUT32 ref: 00007FF6DC601E0F
SysFreeString.OLEAUT32 ref: 00007FF6DC601E17
SysStringLen.OLEAUT32 ref: 00007FF6DC601E28
SysStringLen.OLEAUT32 ref: 00007FF6DC601E35
CharUpperBuffW.USER32 ref: 00007FF6DC601E40
CreateItemMoniker.OLE32 ref: 00007FF6DC601E94
Sleep.KERNEL32 ref: 00007FF6DC601EA5
GetRunningObjectTable.OLE32 ref: 00007FF6DC601ED9
Sleep.KERNEL32 ref: 00007FF6DC601F14
GetMessageW.USER32 ref: 00007FF6DC601F45
DispatchMessageW.USER32 ref: 00007FF6DC601F55
GetMessageW.USER32 ref: 00007FF6DC601F68
SleepEx.KERNELBASE ref: 00007FF6DC601F83
SysFreeString.OLEAUT32 ref: 00007FF6DC601FA4
CoUninitialize.COMBASE ref: 00007FF6DC601FB6
SysFreeString.OLEAUT32 ref: 00007FF6DC601FBF

Strings

UnregServer, xrefs: 00007FF6DC601D10
RegServer, xrefs: 00007FF6DC601D28

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: String$Char$Next$Free$CreateMessageSleep$AllocBuffFromThreadUpperlstrcmpi$CommandCurrentDispatchEventInitializeItemLineMonikerObjectRunningTableUninitialize
String ID: RegServer$UnregServer
API String ID: 1937296366-1360048911
Opcode ID: 5bc4c8443623e7e6876561bb591e32ba5ff234cd11f360b304cdb9faa03ff9cb
Instruction ID: 3b31a185aea82ee5bb1dc68876387f49448ca56354bc9a35e6ca511870835243
Opcode Fuzzy Hash: 5bc4c8443623e7e6876561bb591e32ba5ff234cd11f360b304cdb9faa03ff9cb
Instruction Fuzzy Hash: C2F16025A09BCB81EB169B26E45027D63A0FF94B95F444036DE0E937A8DF3CE466F740

Function 00007FF6DC6013D0 Relevance: 12.2, APIs: 8, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6DC60143A
GetModuleFileNameW.KERNEL32 ref: 00007FF6DC6014BC
GetModuleFileNameW.KERNEL32 ref: 00007FF6DC6014E9
LoadTypeLibEx.OLEAUT32 ref: 00007FF6DC6014F9
new.LIBCMT ref: 00007FF6DC601668
EnterCriticalSection.KERNEL32 ref: 00007FF6DC60168E
LeaveCriticalSection.KERNEL32 ref: 00007FF6DC6016A4
LeaveCriticalSection.KERNEL32 ref: 00007FF6DC601715

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CriticalSection$EnterFileLeaveModuleName$LoadType
String ID:
API String ID: 1214901732-0
Opcode ID: f4cbecc4a7ccbc3adac25dfa60ba73628258adb59bb4a2edbefa53881256ea69
Instruction ID: d6fbef439214a3bfe8174ba71b0a82853f5b4f4ecd627ae058feeacca02196b1
Opcode Fuzzy Hash: f4cbecc4a7ccbc3adac25dfa60ba73628258adb59bb4a2edbefa53881256ea69
Instruction Fuzzy Hash: B3B15236A08BCA82EB26CB16E45066D73A0FB84B94F584137DE4D93768DF3CD566E700

Function 00007FF6DC6017A0 Relevance: 6.0, APIs: 4, Instructions: 29
synchronizationthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6DC6017B7
WaitForSingleObject.KERNEL32 ref: 00007FF6DC6017CA
CloseHandle.KERNELBASE ref: 00007FF6DC6017E4
PostThreadMessageW.USER32 ref: 00007FF6DC6017F7

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ObjectSingleWait$CloseHandleMessagePostThread
String ID:
API String ID: 3386540786-0
Opcode ID: 79500c9f6d63bc6a94024569c830735f4b117551e5a17f7cb2fa18f5661a4629
Instruction ID: 7c30384120021afb686e030d9fb472960e817b1e19de57b08e10823636405c53
Opcode Fuzzy Hash: 79500c9f6d63bc6a94024569c830735f4b117551e5a17f7cb2fa18f5661a4629
Instruction Fuzzy Hash: 79F04F32A045C986E7119F3AD44472D37A2EB99F6AF485171CA0A86298CF3C9496EB40

Function 00007FF6DC601140 Relevance: 4.6, APIs: 3, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 00007FF6DC6012C8
SysStringLen.OLEAUT32 ref: 00007FF6DC6012D4
SysFreeString.OLEAUT32 ref: 00007FF6DC601309

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: String$Free
String ID:
API String ID: 1391021980-0
Opcode ID: 5ea933c3ecd19440366d680d9037e9c8aeb9464f04f2d5fe758aee05ef6e430a
Instruction ID: 687dc446b4568657e3d318cb443468182185530143cb987e140aa6bca67ad1a2
Opcode Fuzzy Hash: 5ea933c3ecd19440366d680d9037e9c8aeb9464f04f2d5fe758aee05ef6e430a
Instruction Fuzzy Hash: A2512B36608BCA82DB259F16E49076D73A4FB89B90F008136DEAD93758DF3CD466E700

Function 00007FF6DC602A40 Relevance: 3.1, APIs: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 00007FF6DC602AE4
DeleteCriticalSection.KERNEL32 ref: 00007FF6DC602B3A

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CriticalDeleteExceptionRaiseSection
String ID:
API String ID: 966263044-0
Opcode ID: 97b1c73291426dda37b7fb37eee4591fd4a4fb0cb541bdf71657b9378348bea6
Instruction ID: 24d2467c83d7b590d4104fbd067b1b850a4591c4976837c22fff0fd1f2961d50
Opcode Fuzzy Hash: 97b1c73291426dda37b7fb37eee4591fd4a4fb0cb541bdf71657b9378348bea6
Instruction Fuzzy Hash: DB315E32605B8686EB268F12E45026D73A4FF44B89F494436DF4DA3B54CF3CD462A700

Non-executed Functions

Function 00007FF6DC604E10 Relevance: 56.5, APIs: 25, Strings: 7, Instructions: 539registrystringlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604C81

lstrcmpiW.KERNEL32(?,00000000,00000000,0000000100002600,00007FF6DC605807,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC604E9E
lstrcmpiW.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC604EB6
CharNextW.USER32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC604F08
lstrcmpiW.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC604F36
lstrcmpiW.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC604FAC
lstrcmpiW.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC604FE3
RegOpenKeyExW.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC605096
RegDeleteValueW.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6050B2
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6050CB
CharNextW.USER32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6050F6
RegOpenKeyExW.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC605169
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC60517D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6051EC
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6051FE
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC60529B

Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604CCE
Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604CEA
Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604CFF
Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604D0E
Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604D6A

RegCreateKeyExW.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC605283
RegOpenKeyExW.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6053A1
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6053BC
lstrcmpiW.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC605507
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC60555C
GetModuleHandleW.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC60559D
GetProcAddress.KERNEL32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6055B2
RegDeleteKeyW.ADVAPI32 ref: 00007FF6DC6055F0
RegCloseKey.ADVAPI32(?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC605610
RegCloseKey.ADVAPI32(?,00000000,00000000,0000000100002600,00007FF6DC605807,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC60565A

Strings

ForceRemove, xrefs: 00007FF6DC604EAC
Val, xrefs: 00007FF6DC604FD9
NoRemove, xrefs: 00007FF6DC604FA2
Advapi32.dll, xrefs: 00007FF6DC605596
Delete, xrefs: 00007FF6DC604E94
RegDeleteKeyExW, xrefs: 00007FF6DC6055A8
RegOpenKeyTransactedW, xrefs: 00007FF6DC604F44, 00007FF6DC605519

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CharCloseNext$lstrcmpi$Open$Delete$AddressCreateHandleModuleProcValue
String ID: Advapi32.dll$Delete$ForceRemove$NoRemove$RegDeleteKeyExW$RegOpenKeyTransactedW$Val
API String ID: 431942798-84292820
Opcode ID: 14e5cbea3e26ee8f8519a2f96e99103b431c102be3cfa58ceec793359c2c87c8
Instruction ID: 5d4e6ddab5a72776efc01afbe396be6457e47eeb472585db4520b2725ba7a448
Opcode Fuzzy Hash: 14e5cbea3e26ee8f8519a2f96e99103b431c102be3cfa58ceec793359c2c87c8
Instruction Fuzzy Hash: 25325131A187CA86FB228B66E45037D63A5EF84794F100137DA4DD7B94EF6CE462BB04

Function 00007FF6DC6142FC Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 460
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 00007FF6DC614352
_errno.LIBCMT ref: 00007FF6DC614359
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC614364

Strings

U, xrefs: 00007FF6DC6148C6

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: e19bac97072c5f6b12ccb88eb5d8fb4586a146a09138471d8271d9c422358717
Instruction ID: ba1d1e639a49ae7b1137c5ae71e315d6d3827dc85aef2225acc4fff412303042
Opcode Fuzzy Hash: e19bac97072c5f6b12ccb88eb5d8fb4586a146a09138471d8271d9c422358717
Instruction Fuzzy Hash: 1A12E832A186CA86EB228F29D44437E67A0FB85796F140537DA4DC369CDF3DE456DB00

Function 00007FF6DC607180 Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC607194
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC6071B0
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC6071C4
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC6071D8
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC6071EC
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC607200
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC607214
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC607228
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC60723C
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC607250
GetProcAddress.KERNEL32(?,?,?,00007FF6DC606330), ref: 00007FF6DC607264

Strings

SetEntriesInAclW, xrefs: 00007FF6DC6071F2
GetNamedSecurityInfoW, xrefs: 00007FF6DC6071DE
AllocateAndInitializeSid, xrefs: 00007FF6DC60721A
SetNamedSecurityInfoW, xrefs: 00007FF6DC607206
ConvertStringSidToSidW, xrefs: 00007FF6DC6071CA
advapi32.dll, xrefs: 00007FF6DC60718D
CopySid, xrefs: 00007FF6DC607242
FreeSid, xrefs: 00007FF6DC607256
IsValidSid, xrefs: 00007FF6DC6071B6
CreateWellKnownSid, xrefs: 00007FF6DC60722E
LookupAccountNameW, xrefs: 00007FF6DC6071A6

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AllocateAndInitializeSid$ConvertStringSidToSidW$CopySid$CreateWellKnownSid$FreeSid$GetNamedSecurityInfoW$IsValidSid$LookupAccountNameW$SetEntriesInAclW$SetNamedSecurityInfoW$advapi32.dll
API String ID: 667068680-2029814571
Opcode ID: 84e6760860ef51e4eb883a3ce056c1ce833777c9e96e671d10c9c34f4a73f4c6
Instruction ID: 2d749d001d239c06dd1644d068c3d4095ec4ac863470d5f6aac96b5bc1adc05e
Opcode Fuzzy Hash: 84e6760860ef51e4eb883a3ce056c1ce833777c9e96e671d10c9c34f4a73f4c6
Instruction Fuzzy Hash: 8421F974A09B8B96DE26CB15F86416C7360FB18786B445032C90D83B20EF3CE1BADB00

Function 00007FF6DC60F11C Relevance: 24.7, APIs: 16, Instructions: 711COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC60B290: _getptd.LIBCMT ref: 00007FF6DC60B2A6
Part of subcall function 00007FF6DC60B290: __updatetlocinfo.LIBCMT ref: 00007FF6DC60B2DB
Part of subcall function 00007FF6DC60B290: __updatetmbcinfo.LIBCMT ref: 00007FF6DC60B302

_errno.LIBCMT ref: 00007FF6DC60F18B

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

_errno.LIBCMT ref: 00007FF6DC60F19C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC60F1A7
_isleadbyte_l.LIBCMT ref: 00007FF6DC60F3B0
_malloc_crt.LIBCMT ref: 00007FF6DC60F719
DecodePointer.KERNEL32 ref: 00007FF6DC60F759
DecodePointer.KERNEL32 ref: 00007FF6DC60F79A
DecodePointer.KERNEL32 ref: 00007FF6DC60F7BF
write_multi_char.LIBCMT ref: 00007FF6DC60F851
write_string.LIBCMT ref: 00007FF6DC60F86E
write_multi_char.LIBCMT ref: 00007FF6DC60F894
write_char.LIBCMT ref: 00007FF6DC60F8E3
write_string.LIBCMT ref: 00007FF6DC60F928
write_multi_char.LIBCMT ref: 00007FF6DC60F94E
free.LIBCMT ref: 00007FF6DC60F96C
write_char.LIBCMT ref: 00007FF6DC60FA98

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errnowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_getptd_getptd_noexit_invalid_parameter_noinfo_isleadbyte_l_malloc_crtfree
String ID:
API String ID: 448788376-0
Opcode ID: ee41d45d44193d7c82293bbaa842fa1f3ef303905dce10a7c63fdf5fc9b97dc5
Instruction ID: a7bda459c672bc17444b31dd4c5b89169c80e9fcaebdc53670f0f118889834f4
Opcode Fuzzy Hash: ee41d45d44193d7c82293bbaa842fa1f3ef303905dce10a7c63fdf5fc9b97dc5
Instruction Fuzzy Hash: D852D762A0C6CA86FB668B76941027D67A0FF44754F140037FE4DE7694DE3CE862BB42

Function 00007FF6DC604230 Relevance: 10.8, APIs: 7, Instructions: 288COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC604C50: CharNextW.USER32 ref: 00007FF6DC604C81

Part of subcall function 00007FF6DC604090: lstrcmpiW.KERNEL32 ref: 00007FF6DC604146

CharNextW.USER32(?,?,?,00000000,?,?,00000000,00007FF6DC6052EA,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC6042E4
CharNextW.USER32 ref: 00007FF6DC6043E8
CharNextW.USER32 ref: 00007FF6DC604408

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: 2140f4e05494fa98469b3810e3718b52fdc8c398a8337b0d38eb12e157c72e0d
Instruction ID: 66b95b56f057fceb8161c00547336d6656c5980daeea7415121a3c8555fb6ad2
Opcode Fuzzy Hash: 2140f4e05494fa98469b3810e3718b52fdc8c398a8337b0d38eb12e157c72e0d
Instruction Fuzzy Hash: 2AC19122A1C6C981EB728B16E4503BEA2A0FB84790F544136DB9DD3AD5EF3CD466B700

Function 00007FF6DC605870 Relevance: 10.6, APIs: 7, Instructions: 130libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6DC6058C3
LoadLibraryExW.KERNEL32 ref: 00007FF6DC6058DF
FindResourceW.KERNEL32 ref: 00007FF6DC605907
LoadResource.KERNEL32 ref: 00007FF6DC605925

Part of subcall function 00007FF6DC603990: GetLastError.KERNEL32 ref: 00007FF6DC603994

FreeLibrary.KERNEL32 ref: 00007FF6DC605A1F

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 83fff9b73e1520b67942c86f64d3f9012a5179035259967cec8d8829c2d5b1f2
Instruction ID: 36af477dbdf56fb36f7c1b38a0ff1b4718ced4f8be95520d68a96a7970bdaef5
Opcode Fuzzy Hash: 83fff9b73e1520b67942c86f64d3f9012a5179035259967cec8d8829c2d5b1f2
Instruction Fuzzy Hash: 0051AC21A1DBCA46EA119B1AA44037D63D1FF847A1F105136DA5D93794FF3CD417BB04

Function 00007FF6DC606B00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6DC606B20
GetProcAddress.KERNEL32 ref: 00007FF6DC606B42
FreeLibrary.KERNEL32 ref: 00007FF6DC606B53

Strings

DriverPackageInstallW, xrefs: 00007FF6DC606B38

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageInstallW
API String ID: 145871493-1557024896
Opcode ID: 46a9f5c091c78e9100da48e87d155cb43ed0e1788d4e547d9361f219d0cc8f2a
Instruction ID: e2156430616a8ef28499b22d31fda372dc4dd9c96a9a86fcfa81624ec25bafc2
Opcode Fuzzy Hash: 46a9f5c091c78e9100da48e87d155cb43ed0e1788d4e547d9361f219d0cc8f2a
Instruction Fuzzy Hash: 19218E71608B8A86DB51CF6AB45026E73E0FB48B94F544136EF8D87B28EF3CD4659B40

Function 00007FF6DC6107D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6DC61081B

Strings

csm, xrefs: 00007FF6DC6107DF

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: csm
API String ID: 3192549508-1018135373
Opcode ID: 26733181b269a767bcfd194c7aacfe61cba8f0c3e816cf136ba88d9c33d7f14f
Instruction ID: 0cd291b08cfbe26b9a840e1e160fef235b92af76a08f952764c648306d4a5b7d
Opcode Fuzzy Hash: 26733181b269a767bcfd194c7aacfe61cba8f0c3e816cf136ba88d9c33d7f14f
Instruction Fuzzy Hash: ACE06525F0D18AC5DF9A6A2A848507D26A4EB54705FD00433C20DC2290DE6CA9A3EB41

Function 00007FF6DC603140 Relevance: 1.5, APIs: 1, Instructions: 35comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF6DC603187

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 641e390d5549719adb4bf73536154c03a74954d90ac29266caf1bde7b342c0c8
Instruction ID: 6da94b4887bebff4f00d39a17e8ce2225174dbf7ff947ae6334d5afa6a56a63d
Opcode Fuzzy Hash: 641e390d5549719adb4bf73536154c03a74954d90ac29266caf1bde7b342c0c8
Instruction Fuzzy Hash: E1014476604E56C2E7128F1AF450169B3A1FB98B85B548032DB8C87724DF39D4A79700

Function 00007FF6DC608250 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DC608680: GetLastError.KERNEL32 ref: 00007FF6DC6086E9
Part of subcall function 00007FF6DC608680: SetLastError.KERNEL32 ref: 00007FF6DC608732

GetLastError.KERNEL32 ref: 00007FF6DC6082C5
SetLastError.KERNEL32 ref: 00007FF6DC6082F7
LocalFree.KERNEL32 ref: 00007FF6DC6084A2
LocalFree.KERNEL32 ref: 00007FF6DC6084B2
LocalFree.KERNEL32 ref: 00007FF6DC6084EA
LocalFree.KERNEL32 ref: 00007FF6DC6084FA
GetLastError.KERNEL32 ref: 00007FF6DC608510
SysFreeString.OLEAUT32 ref: 00007FF6DC608525
SysFreeString.OLEAUT32 ref: 00007FF6DC608536
SetLastError.KERNEL32 ref: 00007FF6DC608559
GetLastError.KERNEL32 ref: 00007FF6DC60856F
SysFreeString.OLEAUT32 ref: 00007FF6DC608584
SysFreeString.OLEAUT32 ref: 00007FF6DC608595
SetLastError.KERNEL32 ref: 00007FF6DC6085B8

Strings

Failed to set new security descriptor, last error: 0x%08x, xrefs: 00007FF6DC60847B
Failed to obtain existing security descriptor, last error: 0x%08x, xrefs: 00007FF6DC6083A2
Failed to set explicit access for new ACL, last error: 0x%08x, xrefs: 00007FF6DC6084C3
Setting new security descriptor for '%s', xrefs: 00007FF6DC6083FC
Getting existing security descriptor for '%s', xrefs: 00007FF6DC608311

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorFreeLast$LocalString
String ID: Failed to obtain existing security descriptor, last error: 0x%08x$Failed to set explicit access for new ACL, last error: 0x%08x$Failed to set new security descriptor, last error: 0x%08x$Getting existing security descriptor for '%s'$Setting new security descriptor for '%s'
API String ID: 2531705008-1991965274
Opcode ID: bcdc3f80537c52efd8b1e5005f2f0d1ed8b14b7b2810b649c61ca880fb6e1029
Instruction ID: 2f2825032b0732be7a0013b1a08dc39044ff53ccec09dd1947c891e690cd9da3
Opcode Fuzzy Hash: bcdc3f80537c52efd8b1e5005f2f0d1ed8b14b7b2810b649c61ca880fb6e1029
Instruction Fuzzy Hash: 8EB16232B04B8685EB11DF65E8802AD7770FB88B98F054136DE4DA3B69DF38D556E700

Function 00007FF6DC607280 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC6072DF
SetLastError.KERNEL32 ref: 00007FF6DC607314
GetLastError.KERNEL32 ref: 00007FF6DC607324
SetLastError.KERNEL32 ref: 00007FF6DC607357
LocalAlloc.KERNEL32 ref: 00007FF6DC6073A1
GetLastError.KERNEL32 ref: 00007FF6DC607448
GetLastError.KERNEL32 ref: 00007FF6DC607457
LocalFree.KERNEL32 ref: 00007FF6DC607482
GetLastError.KERNEL32 ref: 00007FF6DC60749A
SysFreeString.OLEAUT32 ref: 00007FF6DC6074AF
SysFreeString.OLEAUT32 ref: 00007FF6DC6074C1
SetLastError.KERNEL32 ref: 00007FF6DC6074E6
GetLastError.KERNEL32 ref: 00007FF6DC6074FC
SysFreeString.OLEAUT32 ref: 00007FF6DC607511
SysFreeString.OLEAUT32 ref: 00007FF6DC607522
SetLastError.KERNEL32 ref: 00007FF6DC607545

Strings

Failed to lookup account name, SID is invalid, last error: 0x%08x, xrefs: 00007FF6DC60744E
ResolveSidForAccountName: looking up account name '%s', xrefs: 00007FF6DC607371
Failed to lookup account name, last error: 0x%08x, xrefs: 00007FF6DC60745D

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local$Alloc
String ID: Failed to lookup account name, SID is invalid, last error: 0x%08x$Failed to lookup account name, last error: 0x%08x$ResolveSidForAccountName: looking up account name '%s'
API String ID: 1840678336-906081134
Opcode ID: 1be10ffe9af31c367430b31e67318ac0cae0955967b81c4d1fbb6dbcfb8e04ff
Instruction ID: 1bb11f4888c833ae876e3be4a28c784a7863684cc41648917b6fbef9054753ee
Opcode Fuzzy Hash: 1be10ffe9af31c367430b31e67318ac0cae0955967b81c4d1fbb6dbcfb8e04ff
Instruction Fuzzy Hash: 0C916F32A08B8586EB11CF65E8842AD77B0FB84B59F144136DE4D97B68CF3CD566EB00

Function 00007FF6DC603BA0 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 256COMMON

Download Yara Rule

APIs

wcsstr.LIBCMT ref: 00007FF6DC603C88
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603C9A
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603CA6
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603CB2
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603CBE
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603D03
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603D93
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF6DC605A15), ref: 00007FF6DC603ED7

Strings

}}, xrefs: 00007FF6DC603D66
HKCR, xrefs: 00007FF6DC603C7E
HKCU{Software{Classes, xrefs: 00007FF6DC603CD0
REGISTRY, xrefs: 00007FF6DC603BAA

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CharNext$wcsstr
String ID: }}$HKCR$HKCU{Software{Classes$REGISTRY
API String ID: 1366738116-2791478717
Opcode ID: 074a6748b16ed0bfb4cf8bd51e8a3b64cad7256ce1b8570ead8c36fc8906cce4
Instruction ID: 84d68a6e9c02d70a25849d253381e9565a86507fca67b4c2e557acbab758bcbf
Opcode Fuzzy Hash: 074a6748b16ed0bfb4cf8bd51e8a3b64cad7256ce1b8570ead8c36fc8906cce4
Instruction Fuzzy Hash: 7BA19026A096CA81EA729B16E55027D23A0AF54F52F444233DE4ED63D1EF3CE873B700

Function 00007FF6DC607EF0 Relevance: 25.7, APIs: 17, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC607580: LocalAlloc.KERNEL32 ref: 00007FF6DC607A94

GetLastError.KERNEL32 ref: 00007FF6DC607F60
SetLastError.KERNEL32 ref: 00007FF6DC607FB0
GetLastError.KERNEL32 ref: 00007FF6DC607FEE
SysFreeString.OLEAUT32 ref: 00007FF6DC608003
SysFreeString.OLEAUT32 ref: 00007FF6DC608015
SetLastError.KERNEL32 ref: 00007FF6DC60803C
GetLastError.KERNEL32 ref: 00007FF6DC60809E
SetLastError.KERNEL32 ref: 00007FF6DC6080CF

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString$AllocLocal
String ID:
API String ID: 3608337604-0
Opcode ID: 60857f4634bed0177deaa94ad0c8b48c4106235a83ad3e29d2830e47be4e17e8
Instruction ID: eb89c6e658c21f830b32ffe9e30270603890b891ce048c94c9f241022093297b
Opcode Fuzzy Hash: 60857f4634bed0177deaa94ad0c8b48c4106235a83ad3e29d2830e47be4e17e8
Instruction Fuzzy Hash: A3A15F32B08B8589EB11CF65E8502AD73B1FB48759F444236DE5DA3BA4DF38D46AE700

Function 00007FF6DC605A60 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6DC605B24
free.LIBCMT ref: 00007FF6DC605B38
GetModuleFileNameW.KERNEL32 ref: 00007FF6DC605B75
free.LIBCMT ref: 00007FF6DC605BB5
free.LIBCMT ref: 00007FF6DC605BC9
GetModuleHandleW.KERNEL32 ref: 00007FF6DC605C2F
memcpy_s.LIBCMT ref: 00007FF6DC605C85
free.LIBCMT ref: 00007FF6DC605CB1
free.LIBCMT ref: 00007FF6DC605CC5

Part of subcall function 00007FF6DC603740: _recalloc.LIBCMT ref: 00007FF6DC60384E
Part of subcall function 00007FF6DC603740: _recalloc.LIBCMT ref: 00007FF6DC60386D

Part of subcall function 00007FF6DC60AC3C: __report_securityfailure.LIBCMT ref: 00007FF6DC60AC45

free.LIBCMT ref: 00007FF6DC605D84
free.LIBCMT ref: 00007FF6DC605D98

Strings

Module_Raw, xrefs: 00007FF6DC605D4B
Module, xrefs: 00007FF6DC605D19
REGISTRY, xrefs: 00007FF6DC605DC2

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: free$Module_recalloc$FileHandleName__report_securityfailurememcpy_s
String ID: Module$Module_Raw$REGISTRY
API String ID: 4185311596-549000027
Opcode ID: fc6a002382f73909d30991a361c5752ec3cbe02e5570742768dd36661009f56e
Instruction ID: 2c0a4dbb8df006903f68a386f7c0bcd2808fa6568c3996f268c4bca4b137657f
Opcode Fuzzy Hash: fc6a002382f73909d30991a361c5752ec3cbe02e5570742768dd36661009f56e
Instruction Fuzzy Hash: 22A1C822A197CA81EB629B12D4902BD63A0FF44780F541537EA4EE7695EF3CE462F704

Function 00007FF6DC6031F0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6DC6032B4
free.LIBCMT ref: 00007FF6DC6032C8
GetModuleFileNameW.KERNEL32 ref: 00007FF6DC603305
free.LIBCMT ref: 00007FF6DC603345
free.LIBCMT ref: 00007FF6DC603359
GetModuleHandleW.KERNEL32 ref: 00007FF6DC6033BF
memcpy_s.LIBCMT ref: 00007FF6DC603415
free.LIBCMT ref: 00007FF6DC603441
free.LIBCMT ref: 00007FF6DC603455
free.LIBCMT ref: 00007FF6DC603514
free.LIBCMT ref: 00007FF6DC603528

Strings

Module_Raw, xrefs: 00007FF6DC6034DB
Module, xrefs: 00007FF6DC6034A9
REGISTRY, xrefs: 00007FF6DC603538

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: free$Module$FileHandleNamememcpy_s
String ID: Module$Module_Raw$REGISTRY
API String ID: 407555004-549000027
Opcode ID: ba9889bf9decb8d578d97dd4d759e3e39ad60c85b520a686f8b4db03afad92e4
Instruction ID: 289684489e51b96a71d9b194e973bf7a1a2568bde897b261288d54c0bacfc7eb
Opcode Fuzzy Hash: ba9889bf9decb8d578d97dd4d759e3e39ad60c85b520a686f8b4db03afad92e4
Instruction Fuzzy Hash: B8A1D822A1D6CA85EA629F12D4902BD63A0FF84B81F441537EA4ED7696DF3CD462F700

Function 00007FF6DC606930 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133memorylibraryloaderCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6DC606962
SysAllocString.OLEAUT32 ref: 00007FF6DC606970
SysFreeString.OLEAUT32 ref: 00007FF6DC606991
SysAllocString.OLEAUT32 ref: 00007FF6DC60699F
SysFreeString.OLEAUT32 ref: 00007FF6DC6069C0
SysAllocString.OLEAUT32 ref: 00007FF6DC6069CE
SysFreeString.OLEAUT32 ref: 00007FF6DC6069F1
SysAllocString.OLEAUT32 ref: 00007FF6DC6069FF
LoadLibraryW.KERNEL32 ref: 00007FF6DC606A78
GetProcAddress.KERNEL32 ref: 00007FF6DC606AA5
FreeLibrary.KERNEL32 ref: 00007FF6DC606AB3
FreeLibrary.KERNEL32 ref: 00007FF6DC606AE7

Part of subcall function 00007FF6DC605FE0: _CxxThrowException.LIBCMT ref: 00007FF6DC605FF4

Strings

DriverPackagePreinstallW, xrefs: 00007FF6DC606A9B

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: String$Free$Alloc$Library$AddressExceptionLoadProcThrow
String ID: DriverPackagePreinstallW
API String ID: 3942836785-4107050277
Opcode ID: b5f73ccbdd6ec436d716cc2720aee4fe7c3d36d0d683c2ee5eaff0d6718158f5
Instruction ID: f3ef913bd5f02282b30197f6a6b3631c3dd7e56f563735f69f3174e48a72f303
Opcode Fuzzy Hash: b5f73ccbdd6ec436d716cc2720aee4fe7c3d36d0d683c2ee5eaff0d6718158f5
Instruction Fuzzy Hash: BE51E825B0DBCA81EB169B56A14113C63A0EF58B80F144136EE4EA7B58DF7CD4A3B704

Function 00007FF6DC60EAAC Relevance: 19.6, APIs: 13, Instructions: 83COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6DC60EACB

Part of subcall function 00007FF6DC60A4BC: HeapFree.KERNEL32(?,?,00000000,00007FF6DC60EC6E,?,?,?,00007FF6DC60CA7D,?,?,?,?,00007FF6DC60A7EE,?,?,?), ref: 00007FF6DC60A4D2
Part of subcall function 00007FF6DC60A4BC: _errno.LIBCMT ref: 00007FF6DC60A4DC
Part of subcall function 00007FF6DC60A4BC: GetLastError.KERNEL32(?,?,00000000,00007FF6DC60EC6E,?,?,?,00007FF6DC60CA7D,?,?,?,?,00007FF6DC60A7EE,?,?,?), ref: 00007FF6DC60A4E4

free.LIBCMT ref: 00007FF6DC60EAD9
free.LIBCMT ref: 00007FF6DC60EAE7
free.LIBCMT ref: 00007FF6DC60EAF5
free.LIBCMT ref: 00007FF6DC60EB03
free.LIBCMT ref: 00007FF6DC60EB11
free.LIBCMT ref: 00007FF6DC60EB22
free.LIBCMT ref: 00007FF6DC60EB3A
_lock.LIBCMT ref: 00007FF6DC60EB46
free.LIBCMT ref: 00007FF6DC60EB73
_lock.LIBCMT ref: 00007FF6DC60EB85
__freetlocinfo.LIBCMT ref: 00007FF6DC60EBBC
free.LIBCMT ref: 00007FF6DC60EBCF

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast__freetlocinfo_errno
String ID:
API String ID: 439417960-0
Opcode ID: fa421d6db3a778660406ec41066898428794a47d2a567865574af7303690ffb6
Instruction ID: 80550bb3e3f0fa10e7178469f6066c50305617e170cd8c410cc4ac15964ef90d
Opcode Fuzzy Hash: fa421d6db3a778660406ec41066898428794a47d2a567865574af7303690ffb6
Instruction Fuzzy Hash: D2314B15B0E5CA44FE5BAA6681A127C2351AF84BC0F080637E94FA76D7CF1CE863B351

Function 00007FF6DC607B8D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: fd805d4eeaea8dd29ef65f8dacde4d9d53d41a7380c549beb590abe03af0f113
Instruction ID: ab25ac6c41bca75cdd99324df8d3a59e5cf05779d3e9da8c7cca37394004f506
Opcode Fuzzy Hash: fd805d4eeaea8dd29ef65f8dacde4d9d53d41a7380c549beb590abe03af0f113
Instruction Fuzzy Hash: D5416E32B08B858AEB11CF65E4846AC33B4FB44B49F044036DE4D97B98DF38D566E740

Function 00007FF6DC607B75 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: cf3f2168058aecf24eb9c7b669e96b24dad73daa5592df62ebd42dacd0ce913c
Instruction ID: d0739554aeef83f6fd13d6459c06c41775cd4812cf19c7255cfce1f7693105db
Opcode Fuzzy Hash: cf3f2168058aecf24eb9c7b669e96b24dad73daa5592df62ebd42dacd0ce913c
Instruction Fuzzy Hash: CB415D32B08B858AEB11CF65E4946AC33B5FB44B89F044036DE4D97B98DF38D566E704

Function 00007FF6DC607B53 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: fd812567e9577e01c1738429a0f033160fb4034ebf0d87c8d086c1776cf8d419
Instruction ID: e5a8f0057fb2d781f4d6850ae0cb37a567f4dac2d583a61f4cb372dae79b7dbf
Opcode Fuzzy Hash: fd812567e9577e01c1738429a0f033160fb4034ebf0d87c8d086c1776cf8d419
Instruction Fuzzy Hash: 1A416C32B08B858AEB11CF65E4946AC33B5FB44B49F044036DE4D97B98DF38D566EB00

Function 00007FF6DC607C17 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: fed08b9580209316d893bee39cdd5bb29f8a1855689360e9f329db51b5da4fd4
Instruction ID: bd41c0a5188e8edc6444ea2f19fccecc29dc75ea55059b0b1b396a1f087b5a22
Opcode Fuzzy Hash: fed08b9580209316d893bee39cdd5bb29f8a1855689360e9f329db51b5da4fd4
Instruction Fuzzy Hash: 67415D32B08B858AEB11CF65E4946AC33B5FB44B89F044036DE4D97B98DF38D566E704

Function 00007FF6DC607C2F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 246332e3d8c9c1a2cb36936495cf072ca57cc48215e311b5286cec6add37176a
Instruction ID: ae65cbffc218d6639559d9ecac570127de08a4d184370607174f7703f4dcd330
Opcode Fuzzy Hash: 246332e3d8c9c1a2cb36936495cf072ca57cc48215e311b5286cec6add37176a
Instruction Fuzzy Hash: 5E416D32B08B858AEB11CF65E4846AC33B4FB44B49F044036DE4D97B98DF38D566E740

Function 00007FF6DC607BFF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: dcb6e8490fac3f7b4910042abcf1eeafe2ef40816db996d6deee2435cbfb7e2a
Instruction ID: fba84739f1569c2a3596646d95cf3e5f69f8e64cd7b3863ac9ce50ade881d787
Opcode Fuzzy Hash: dcb6e8490fac3f7b4910042abcf1eeafe2ef40816db996d6deee2435cbfb7e2a
Instruction Fuzzy Hash: A2415D32B08B858AEB11CF65E4946AC33B5FB44B89F044036DE4D97B98DF38D566E704

Function 00007FF6DC607BE7 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 30dc27eae12e39a0f4ea31bdaa6e3fe23c65545e337024bd26e94c460bc763d8
Instruction ID: 69eef704629648cd362c1d929be5184907f2c6cff280ea5b9e4a7e88743b9cca
Opcode Fuzzy Hash: 30dc27eae12e39a0f4ea31bdaa6e3fe23c65545e337024bd26e94c460bc763d8
Instruction Fuzzy Hash: 02415D32B08B858AEB11CF65E4946AC33B5FB44B89F044036DE4D97B98DF38D566E704

Function 00007FF6DC607BBA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 693c4bd5f7b33fc096f213316133fba76ba750c722dbcfb29a60170a2f216654
Instruction ID: 0d2e7b8cd45f72671cea28e6c9071cc952b9f8a74e82c26b9af6c924f5d9c3a3
Opcode Fuzzy Hash: 693c4bd5f7b33fc096f213316133fba76ba750c722dbcfb29a60170a2f216654
Instruction Fuzzy Hash: 8C416E32B08B858AEB11CF65E4846AC33B4FB44B49F044036DE4D97B98DF38D566E740

Function 00007FF6DC607C7E Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: b9990e2c3c67bce92867840fd1c2f645be77ace9138a1ce10f8e994c3d004d8e
Instruction ID: 737afba95a9f3c00ac77d3d19d9605847139ff1e5681cfb9d738a5ea7a0e3dfe
Opcode Fuzzy Hash: b9990e2c3c67bce92867840fd1c2f645be77ace9138a1ce10f8e994c3d004d8e
Instruction Fuzzy Hash: 8F415D32B08B858AEB11CF65E4946AC33B5FB44B89F044036DE4D97B98DF38D566E704

Function 00007FF6DC607C93 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 05bdd9d4dfa683bc198153fbb89f0b5f81791e1a92e0d1ca645bfbe30e7aff55
Instruction ID: 4844ce26589f1c3066e96db35125f07b934a2fa1461f0fa6e60121ed226349d5
Opcode Fuzzy Hash: 05bdd9d4dfa683bc198153fbb89f0b5f81791e1a92e0d1ca645bfbe30e7aff55
Instruction Fuzzy Hash: F9416D32B08B858AEB11CF65E4946AC33B4FB44B49F044036DE4D97B98DF38D566E740

Function 00007FF6DC607C5C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 1f0040e6e1357d21d9cdba0731e024847ab69b30e52a439d9e5b53f575b1197e
Instruction ID: 0bf350a3c36c0d998b6703608030d02d5987d852e6e576f0b33db921d84c9a80
Opcode Fuzzy Hash: 1f0040e6e1357d21d9cdba0731e024847ab69b30e52a439d9e5b53f575b1197e
Instruction Fuzzy Hash: 82416C32B08B858AEB11CF65E4946AC33B5FB44B49F044036DE4D97B98DF38D566EB40

Function 00007FF6DC607CBD Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 693b532586f308176d3bf9504c91d1c2ec513457d2841a69b1d8d377a0888b53
Instruction ID: 8ea8db6099d65a23a15d519793f7a05ae7f2d1b7c8a80a0c68619c16f7856421
Opcode Fuzzy Hash: 693b532586f308176d3bf9504c91d1c2ec513457d2841a69b1d8d377a0888b53
Instruction Fuzzy Hash: 1D416D32B08B858AEB11CF65E4846AC33B4FB44B49F044036DE4E97B98DF38D566E740

Function 00007FF6DC607CE7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC607D83
SetLastError.KERNEL32 ref: 00007FF6DC607DB5
GetLastError.KERNEL32 ref: 00007FF6DC607DBC
GetLastError.KERNEL32 ref: 00007FF6DC607DF2
SysFreeString.OLEAUT32 ref: 00007FF6DC607E07
SysFreeString.OLEAUT32 ref: 00007FF6DC607E18
SetLastError.KERNEL32 ref: 00007FF6DC607E3B
LocalFree.KERNEL32 ref: 00007FF6DC607E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF6DC607DC5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: ca456e6154c185883a7ab7d204b9b5dee28072816d1342879dafb4ca575ff487
Instruction ID: 22b6de8433753b5e1e225a12362ea91566d943d01ced608c96bc4e26e96dc24f
Opcode Fuzzy Hash: ca456e6154c185883a7ab7d204b9b5dee28072816d1342879dafb4ca575ff487
Instruction Fuzzy Hash: D2414C32B08B858AEB11CF65E4946AC33B5FB44B89F044036DE4D97B98DF38D56AE704

Function 00007FF6DC614A38 Relevance: 15.1, APIs: 10, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6DC614A63

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

__doserrno.LIBCMT ref: 00007FF6DC614A5B

Part of subcall function 00007FF6DC60CA04: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA08

__lock_fhandle.LIBCMT ref: 00007FF6DC614AA7
_lseeki64_nolock.LIBCMT ref: 00007FF6DC614AC0
_unlock_fhandle.LIBCMT ref: 00007FF6DC614AE3

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 5643f2ad640c8eb69d91a1124a95a6ce3e52d5571ae8de93a49c8d10b53f987b
Instruction ID: 3a8356c29b5c06862e2c9a25e29fb482de2dbe3a7e756d42f4707a08961358be
Opcode Fuzzy Hash: 5643f2ad640c8eb69d91a1124a95a6ce3e52d5571ae8de93a49c8d10b53f987b
Instruction Fuzzy Hash: 3421F822A081CA55EA136F1A984137D6550AF40BF2F1A4336EA3D973DACE3CA463F715

Function 00007FF6DC61421C Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6DC614247

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

__doserrno.LIBCMT ref: 00007FF6DC61423F

Part of subcall function 00007FF6DC60CA04: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA08

__lock_fhandle.LIBCMT ref: 00007FF6DC61428B
_unlock_fhandle.LIBCMT ref: 00007FF6DC6142C5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 7ddf8111dec1d2acb419462a403fd4b886fa9ef18d24a6e5ae1a262345caade3
Instruction ID: 350e6ff8e25f38538edfb971c7cc8a950e90bcec75d2093c32320a57c2b061ec
Opcode Fuzzy Hash: 7ddf8111dec1d2acb419462a403fd4b886fa9ef18d24a6e5ae1a262345caade3
Instruction Fuzzy Hash: 65213732E0C1CA55FA136F5A984137C6550AF817E2F150236EA1C873DACE7CE4A3B711

Function 00007FF6DC6157F8 Relevance: 13.6, APIs: 9, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6DC615811

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

__lock_fhandle.LIBCMT ref: 00007FF6DC615859
FlushFileBuffers.KERNEL32(00000001,00000000,00000000,00007FF6DC615002,?,?,00000001,00007FF6DC61512D,?,?,?,?,?,00007FF6DC614059), ref: 00007FF6DC615874
GetLastError.KERNEL32(?,?,00000001,00007FF6DC61512D,?,?,?,?,?,00007FF6DC614059), ref: 00007FF6DC61587E
__doserrno.LIBCMT ref: 00007FF6DC61588E
_errno.LIBCMT ref: 00007FF6DC615895
_unlock_fhandle.LIBCMT ref: 00007FF6DC6158A5

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 2927645455-0
Opcode ID: 5a95f67ae4511fd2b7f7b0cdcb097bcc4a2120927f3b95a3fec189a784014385
Instruction ID: 3f19d9739074720863c6e6f9fe935b8987ff063afa636ef6d13f4aa1181e7302
Opcode Fuzzy Hash: 5a95f67ae4511fd2b7f7b0cdcb097bcc4a2120927f3b95a3fec189a784014385
Instruction Fuzzy Hash: 51212C21E086DE49F6576F6D988127CA650AF80791F080236D50DC73D2EE7CA463B701

Function 00007FF6DC615A10 Relevance: 13.6, APIs: 9, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6DC615A31

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

__doserrno.LIBCMT ref: 00007FF6DC615A29

Part of subcall function 00007FF6DC60CA04: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA08

__lock_fhandle.LIBCMT ref: 00007FF6DC615A75
_close_nolock.LIBCMT ref: 00007FF6DC615A88
_unlock_fhandle.LIBCMT ref: 00007FF6DC615AA1

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: e185883d29ff37fee1d728bcfbeb3caf632dd640ad265a1f8cd7f0636dbe035f
Instruction ID: 133b81f6ef04b3873c25eefbb25e0a983f9a05f629f840aba4ae9e92d8c91592
Opcode Fuzzy Hash: e185883d29ff37fee1d728bcfbeb3caf632dd640ad265a1f8cd7f0636dbe035f
Instruction Fuzzy Hash: 0B113A22E4C2CE45F617AF29989137CA690AF803A2F150236DA1D872D7DE7CA463B300

Function 00007FF6DC604B90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC604B05
GetProcAddress.KERNEL32 ref: 00007FF6DC604B1A
GetModuleHandleW.KERNEL32 ref: 00007FF6DC604BCE
GetProcAddress.KERNEL32 ref: 00007FF6DC604BE3

Strings

Advapi32.dll, xrefs: 00007FF6DC604AFE, 00007FF6DC604BC7
RegDeleteKeyTransactedW, xrefs: 00007FF6DC604B10
RegDeleteKeyExW, xrefs: 00007FF6DC604BD9

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: eea277f1f71c6c2489efe69601a21584980abdb915dae3f5316235e355755337
Instruction ID: 325bf4cf2210e2904fc3e12fafb551c3e769ca23d11db9baed2c7d781c4b65c8
Opcode Fuzzy Hash: eea277f1f71c6c2489efe69601a21584980abdb915dae3f5316235e355755337
Instruction Fuzzy Hash: 32313075A0DAC981EB268B16F45077DA360EB88BC4F184036DE4D87768DF2DD5A6E700

Function 00007FF6DC6120FF Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 00007FF6DC61212A
RaiseException.KERNEL32 ref: 00007FF6DC612153
__DestructExceptionObject.LIBCMT ref: 00007FF6DC6121B4
_getptd.LIBCMT ref: 00007FF6DC612107

Part of subcall function 00007FF6DC60EBE0: _getptd_noexit.LIBCMT ref: 00007FF6DC60EBE6

_getptd.LIBCMT ref: 00007FF6DC6121B9
_getptd.LIBCMT ref: 00007FF6DC6121C5

Strings

csm, xrefs: 00007FF6DC612187

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Exception_getptd$DestructObject$Raise_getptd_noexit
String ID: csm
API String ID: 2851507484-1018135373
Opcode ID: b5695b636a9301137933f94334d950e4a84ce6f1cca4a2e6f0b5ad8dad319add
Instruction ID: 8086bff15f13800094b847b171372487d7d2796d45de2f3841818daea7b6eda2
Opcode Fuzzy Hash: b5695b636a9301137933f94334d950e4a84ce6f1cca4a2e6f0b5ad8dad319add
Instruction Fuzzy Hash: B421293660868A86D622DF16E04036E73A1FB84BA5F004236DF9D83B95DF3CE456EB40

Function 00007FF6DC60A04C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC60A07B
GetProcAddress.KERNEL32 ref: 00007FF6DC60A090
EncodePointer.KERNEL32 ref: 00007FF6DC60A09C
DecodePointer.KERNEL32 ref: 00007FF6DC60A0AB
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6DC60A0CA

Strings

InitializeCriticalSectionEx, xrefs: 00007FF6DC60A086
kernel32.dll, xrefs: 00007FF6DC60A074

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Pointer$AddressCountCriticalDecodeEncodeHandleInitializeModuleProcSectionSpin
String ID: InitializeCriticalSectionEx$kernel32.dll
API String ID: 131412094-2762503851
Opcode ID: f228baa645d9034c08075660ba394ddcedfefc4a093bf15476359028fb448dad
Instruction ID: cfed2ce9c21e1e9fee733a5fd616da5534c3156425946e38e9d51e210eae5e95
Opcode Fuzzy Hash: f228baa645d9034c08075660ba394ddcedfefc4a093bf15476359028fb448dad
Instruction Fuzzy Hash: 8F016924B0D7CE85EA569B06B81013D63A0AF98FD1F584436ED4E83755DE3CE563A700

Function 00007FF6DC608760 Relevance: 12.1, APIs: 8, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC6087BA
SetLastError.KERNEL32 ref: 00007FF6DC608808
GetLastError.KERNEL32 ref: 00007FF6DC60883A
SetLastError.KERNEL32 ref: 00007FF6DC60887F
GetLastError.KERNEL32 ref: 00007FF6DC608895
SysFreeString.OLEAUT32 ref: 00007FF6DC6088AA
SysFreeString.OLEAUT32 ref: 00007FF6DC6088BB
SetLastError.KERNEL32 ref: 00007FF6DC6088DE

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 4125032da62b5756a030140f559538396ea528ba8c92d6de4d55c944487ee5c0
Instruction ID: d76cda09b461e2f2e468c2de95fb5672dcb99ab93b3e935a0fc08dcf45a58b4e
Opcode Fuzzy Hash: 4125032da62b5756a030140f559538396ea528ba8c92d6de4d55c944487ee5c0
Instruction Fuzzy Hash: D2516C32B18B819AE711DF65E8906AC7370FB44769F004226DE5D67AA8CF38D52AE304

Function 00007FF6DC609420 Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC609477
SetLastError.KERNEL32 ref: 00007FF6DC6094A9

Part of subcall function 00007FF6DC609670: MultiByteToWideChar.KERNEL32 ref: 00007FF6DC6096BF
Part of subcall function 00007FF6DC609670: MultiByteToWideChar.KERNEL32 ref: 00007FF6DC6096F7

GetLastError.KERNEL32 ref: 00007FF6DC6094C6
SetLastError.KERNEL32 ref: 00007FF6DC60950B
GetLastError.KERNEL32 ref: 00007FF6DC609521
SysFreeString.OLEAUT32 ref: 00007FF6DC609536
SysFreeString.OLEAUT32 ref: 00007FF6DC609547
SetLastError.KERNEL32 ref: 00007FF6DC60956A

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$ByteCharFreeMultiStringWide
String ID:
API String ID: 2284902721-0
Opcode ID: 71c7a5411cd3f7243ce6a693d568e214949771d1b599ac70f8f2d65f723928cd
Instruction ID: 90763bbbe92b7e669c99313b9efcdb83973c81df76855bdfbd81752e42396995
Opcode Fuzzy Hash: 71c7a5411cd3f7243ce6a693d568e214949771d1b599ac70f8f2d65f723928cd
Instruction Fuzzy Hash: FE416A32B14B85CAE721CF65E850BAC7375FB44769F404126DEAE93AA4CF38E526D304

Function 00007FF6DC604C50 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 00007FF6DC604C81
CharNextW.USER32 ref: 00007FF6DC604CCE
CharNextW.USER32 ref: 00007FF6DC604CEA
CharNextW.USER32 ref: 00007FF6DC604CFF
CharNextW.USER32 ref: 00007FF6DC604D0E
CharNextW.USER32 ref: 00007FF6DC604D6A

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: ef4bb7b09230f5b24fc89cf32076482d06b0a936b85f5278b4b737d4ff19c5ca
Instruction ID: 0c68254eb1dcdfcb8bd79ef6c6cda3979059de0fc2e1828515e3ae97d710695d
Opcode Fuzzy Hash: ef4bb7b09230f5b24fc89cf32076482d06b0a936b85f5278b4b737d4ff19c5ca
Instruction Fuzzy Hash: 52515222709A9681EB229F66E54013D73E1EB58F95B448432DB4D97794EF3CD8B2E700

Function 00007FF6DC608F70 Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC608FC5
SetLastError.KERNEL32 ref: 00007FF6DC608FFE

Part of subcall function 00007FF6DC609420: GetLastError.KERNEL32 ref: 00007FF6DC609477
Part of subcall function 00007FF6DC609420: SetLastError.KERNEL32 ref: 00007FF6DC6094A9
Part of subcall function 00007FF6DC609420: GetLastError.KERNEL32 ref: 00007FF6DC6094C6
Part of subcall function 00007FF6DC609420: SetLastError.KERNEL32 ref: 00007FF6DC60950B
Part of subcall function 00007FF6DC609420: GetLastError.KERNEL32 ref: 00007FF6DC609521
Part of subcall function 00007FF6DC609420: SysFreeString.OLEAUT32 ref: 00007FF6DC609536
Part of subcall function 00007FF6DC609420: SysFreeString.OLEAUT32 ref: 00007FF6DC609547
Part of subcall function 00007FF6DC609420: SetLastError.KERNEL32 ref: 00007FF6DC60956A

GetLastError.KERNEL32 ref: 00007FF6DC60906D
SysFreeString.OLEAUT32 ref: 00007FF6DC609084
SysFreeString.OLEAUT32 ref: 00007FF6DC609097
SetLastError.KERNEL32 ref: 00007FF6DC6090BD
SetLastError.KERNEL32 ref: 00007FF6DC6090CE

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 5b1844774a3730a4c401fcdd7eb98e2674964bcd42cd8f461641e1d433cd3978
Instruction ID: 73df3ba55b051944cbd99f241ecd6df3fc83f72dee52884719cabe9ba62d0975
Opcode Fuzzy Hash: 5b1844774a3730a4c401fcdd7eb98e2674964bcd42cd8f461641e1d433cd3978
Instruction Fuzzy Hash: FE419B32608B85C2DB11CF15E88472DB3A4FB84B95F464136DE9E83BA8CF38D466D740

Function 00007FF6DC6121FC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6DC61221D
_getptd.LIBCMT ref: 00007FF6DC61222B
_getptd.LIBCMT ref: 00007FF6DC61223D

Strings

csm, xrefs: 00007FF6DC612213
MOC, xrefs: 00007FF6DC61220B
RCC, xrefs: 00007FF6DC612203

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 52a676c318d9f561739adc68f3d1ab0a26b7cd326f18b110937b7493f301e68e
Instruction ID: 72f4957f481810b2ee7936ffa0750b31a8ea47ce14007f3d4938d33be9cb3285
Opcode Fuzzy Hash: 52a676c318d9f561739adc68f3d1ab0a26b7cd326f18b110937b7493f301e68e
Instruction Fuzzy Hash: 7BF03735D0C18ECAE6277F5581053BC27A0FF58746F858573D248823C2DFBC64A2BA12

Function 00007FF6DC608B10 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC608B60
SetLastError.KERNEL32 ref: 00007FF6DC608B98
GetLastError.KERNEL32 ref: 00007FF6DC608C15
SysFreeString.OLEAUT32 ref: 00007FF6DC608C2C
SysFreeString.OLEAUT32 ref: 00007FF6DC608C3F
SetLastError.KERNEL32 ref: 00007FF6DC608C66

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 4169383aa1a8b917174be489ab6bb9fdcfaa1ed987afccb29234c8c0d2333da4
Instruction ID: d4b5f7b26a07e1c8857eb9b80d37cff5c1bd89c3ef7a96d4d7c7554e1f9bc261
Opcode Fuzzy Hash: 4169383aa1a8b917174be489ab6bb9fdcfaa1ed987afccb29234c8c0d2333da4
Instruction Fuzzy Hash: 0F412C32608B8586DB25CF26E49026D7370FB88B91F144236DF9D93B65DF38E466E740

Function 00007FF6DC6048B0 Relevance: 9.1, APIs: 6, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6DC604911
RegCloseKey.ADVAPI32 ref: 00007FF6DC60492B
RegEnumKeyExW.ADVAPI32 ref: 00007FF6DC60497D
RegEnumKeyExW.ADVAPI32 ref: 00007FF6DC6049D5
RegCloseKey.ADVAPI32 ref: 00007FF6DC6049E9
RegCloseKey.ADVAPI32 ref: 00007FF6DC604A11

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Close$Enum$Open
String ID:
API String ID: 4245071059-0
Opcode ID: 1f91b833b11f9de3fa471eaad69c4379b7c5c87b41c04ef34b25923a1bd4efb5
Instruction ID: 5d61ec23a08445e1bc4c891d3864a8c80170c76e2d5fb59aa89e7e254924d82b
Opcode Fuzzy Hash: 1f91b833b11f9de3fa471eaad69c4379b7c5c87b41c04ef34b25923a1bd4efb5
Instruction Fuzzy Hash: 36411B72608B868AE721CB55F4906AEB7A4FB88784F100136EB8D93A58DF3CD5569B00

Function 00007FF6DC6067D0 Relevance: 9.1, APIs: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6DC606810
WideCharToMultiByte.KERNEL32 ref: 00007FF6DC6068A1
GetProcAddress.KERNEL32 ref: 00007FF6DC6068BF
FreeLibrary.KERNEL32 ref: 00007FF6DC6068CD
GetLastError.KERNEL32 ref: 00007FF6DC6068D3
FreeLibrary.KERNEL32 ref: 00007FF6DC6068EE

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Library$Free$AddressByteCharErrorLastLoadMultiProcWide
String ID:
API String ID: 835772407-0
Opcode ID: 4ab0e06239e2a50f8aaadb0ff52f6e927b76035c8d3fb4fcef584dd5444a6b9a
Instruction ID: d36423a8c47798ff8152a15d68269d13bfa244c089832176eac5b6efc3e97306
Opcode Fuzzy Hash: 4ab0e06239e2a50f8aaadb0ff52f6e927b76035c8d3fb4fcef584dd5444a6b9a
Instruction Fuzzy Hash: 6D31A761A04BDA89E7518F66985116D63A0FF04BB4B584336EF6D87BD4DF3CD066E300

Function 00007FF6DC608910 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6DC608940
GetLastError.KERNEL32 ref: 00007FF6DC6089E2
SysFreeString.OLEAUT32 ref: 00007FF6DC6089F9
SysFreeString.OLEAUT32 ref: 00007FF6DC608A0C
SetLastError.KERNEL32 ref: 00007FF6DC608A32
SetLastError.KERNEL32 ref: 00007FF6DC608A3A

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 9213b2f951795fd8961727634d81daab6bb791b9985ae766bdb774ed669523d7
Instruction ID: 4f8d77988688605e82d4d4ae7a90066eac010a3a3f97d01873fbab864a7244a3
Opcode Fuzzy Hash: 9213b2f951795fd8961727634d81daab6bb791b9985ae766bdb774ed669523d7
Instruction Fuzzy Hash: A3317322618BC9C2EB51DB25E45026DB760FB84BA1F405332EAAD937E4CF3CD456E700

Function 00007FF6DC603F70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC603F99
GetProcAddress.KERNEL32 ref: 00007FF6DC603FB2
RegCreateKeyExW.ADVAPI32 ref: 00007FF6DC604058

Strings

Advapi32.dll, xrefs: 00007FF6DC603F92
RegCreateKeyTransactedW, xrefs: 00007FF6DC603FA8

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: d8f9a0690667604f5e7e6616951a74f0432b9bedd44cc4415e60f933078260b4
Instruction ID: 0ee3e25cfd39d2e33cf06b2fafeaf312763b726c16e92864085131334e17eab6
Opcode Fuzzy Hash: d8f9a0690667604f5e7e6616951a74f0432b9bedd44cc4415e60f933078260b4
Instruction Fuzzy Hash: 0821EB72A18B9482E761CB16F45036EB7A1FBC8BD4F544125EB8D47B68DF3CC0929B00

Function 00007FF6DC606C00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6DC606C20
GetProcAddress.KERNEL32 ref: 00007FF6DC606C42
FreeLibrary.KERNEL32 ref: 00007FF6DC606C53

Strings

DriverPackageUninstallW, xrefs: 00007FF6DC606C38

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageUninstallW
API String ID: 145871493-4209722632
Opcode ID: c35b6b632d625778d604cef2a0bfc001af9ceecfd90e17d9dd12296e960a03a8
Instruction ID: 15c8552210464f21aadd2b388cda69443c39c656f94de808f9de73c8193a31e9
Opcode Fuzzy Hash: c35b6b632d625778d604cef2a0bfc001af9ceecfd90e17d9dd12296e960a03a8
Instruction Fuzzy Hash: CA218E31609B8A86DB51CF6AB45026E73E0FB48B94F544136EF8E83B14EF3CD4559B40

Function 00007FF6DC606D00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6DC606D18
GetProcAddress.KERNEL32 ref: 00007FF6DC606D45
FreeLibrary.KERNEL32 ref: 00007FF6DC606D53

Strings

DriverPackageGetPathW, xrefs: 00007FF6DC606D3B

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageGetPathW
API String ID: 145871493-341743864
Opcode ID: 8c31dcc0c099f1c29c279d6c039478cd4cf80fd7e32c813887a9d067727bb84c
Instruction ID: b11fc52cf9c3f66abe4b7461862fc989f76eb932f3395dc12ab2b76ce3217b7a
Opcode Fuzzy Hash: 8c31dcc0c099f1c29c279d6c039478cd4cf80fd7e32c813887a9d067727bb84c
Instruction Fuzzy Hash: 5A01C851B08BC582DB45C75BB05023D6390FB88FC1F485036EE4E87758DE2CD4A79700

Function 00007FF6DC606440 Relevance: 7.6, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6DC606210), ref: 00007FF6DC60646C
SetLastError.KERNEL32(?,?,?,00007FF6DC606210), ref: 00007FF6DC60649F
GetLastError.KERNEL32(?,?,?,00007FF6DC606210), ref: 00007FF6DC6064B0
SetLastError.KERNEL32(?,?,?,00007FF6DC606210), ref: 00007FF6DC6064F3
GetLastError.KERNEL32(?,?,?,00007FF6DC606210), ref: 00007FF6DC606507
SetLastError.KERNEL32(?,?,?,00007FF6DC606210), ref: 00007FF6DC606553

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d3c9cf2c124d86abc4f4bf1603bc844c388b4e375f4936e04eb0160b51d84189
Instruction ID: a7c372411cfba0b5b8d3d224f9970006c10cbb1ec023062983ef37bfda1a8d91
Opcode Fuzzy Hash: d3c9cf2c124d86abc4f4bf1603bc844c388b4e375f4936e04eb0160b51d84189
Instruction Fuzzy Hash: A2317072504B84CAD350CF24E88035C77A4F744F59F98813ADA8D57758CF39E4AAC758

Function 00007FF6DC6153CC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6DC6153DD

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

__doserrno.LIBCMT ref: 00007FF6DC6153D5

Part of subcall function 00007FF6DC60CA04: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA08

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 4d4a87c527eaa8e6bcec8b312dd761cc2aa443e3d2d32b2ae408f33aa7fcd5b4
Instruction ID: 88473b212aee1d624ca15a8734308c5ac06754e8ab14a34a84de748cd14bffb1
Opcode Fuzzy Hash: 4d4a87c527eaa8e6bcec8b312dd761cc2aa443e3d2d32b2ae408f33aa7fcd5b4
Instruction Fuzzy Hash: AF01A261A186CE50EE07AB1A889137CA161AF517A3F514337D72E823E2DE7C7433B611

Function 00007FF6DC60C3E0 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6DC60C3ED

Part of subcall function 00007FF6DC60EBE0: _getptd_noexit.LIBCMT ref: 00007FF6DC60EBE6

_inconsistency.LIBCMT ref: 00007FF6DC60C3FB

Part of subcall function 00007FF6DC60C8BC: DecodePointer.KERNEL32(?,?,?,?,00007FF6DC612805,?,?,?,00007FF6DC60C046), ref: 00007FF6DC60C8C7

_getptd.LIBCMT ref: 00007FF6DC60C400
_inconsistency.LIBCMT ref: 00007FF6DC60C41C
_getptd.LIBCMT ref: 00007FF6DC60C42C

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_getptd_noexit
String ID:
API String ID: 3566995948-0
Opcode ID: e34250745d6eefdc1ac350af60d0ba6f7176c573dac5c3d1f4a00cbf0f445cfc
Instruction ID: f5cf3d9d3c97134e5c835578faf5a23271f7460d5beb18b9a5df0646ec7cbbae
Opcode Fuzzy Hash: e34250745d6eefdc1ac350af60d0ba6f7176c573dac5c3d1f4a00cbf0f445cfc
Instruction Fuzzy Hash: C2F05422A0C5CAA0EE526B63D1411BC6250BF48BC4F1C4473E68DA73C7DE28E872B216

Function 00007FF6DC6047E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6DC604805
GetProcAddress.KERNEL32 ref: 00007FF6DC60481E

Strings

Advapi32.dll, xrefs: 00007FF6DC6047FE
RegOpenKeyTransactedW, xrefs: 00007FF6DC604814

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: d8a62a8aef20563de6babe65901e6294006a460ff679ece6a4f445639764ce31
Instruction ID: 446b987b71702e4d9261fce63562b4663d2743a6f72d81f5b673ecadc9302040
Opcode Fuzzy Hash: d8a62a8aef20563de6babe65901e6294006a460ff679ece6a4f445639764ce31
Instruction Fuzzy Hash: 25114F72A18BC582EB118B16F45032EA3A0FB88BD4F484432EE4D53B68DF7CD4569B00

Function 00007FF6DC615F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DC60C3E0: _getptd.LIBCMT ref: 00007FF6DC60C3ED
Part of subcall function 00007FF6DC60C3E0: _inconsistency.LIBCMT ref: 00007FF6DC60C3FB
Part of subcall function 00007FF6DC60C3E0: _getptd.LIBCMT ref: 00007FF6DC60C400
Part of subcall function 00007FF6DC60C3E0: _inconsistency.LIBCMT ref: 00007FF6DC60C41C

__DestructExceptionObject.LIBCMT ref: 00007FF6DC615F9E
_getptd.LIBCMT ref: 00007FF6DC615FA4
_getptd.LIBCMT ref: 00007FF6DC615FB7

Part of subcall function 00007FF6DC60C470: _getptd.LIBCMT ref: 00007FF6DC60C479

Strings

csm, xrefs: 00007FF6DC615F71

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 4ac1e4b1013697ec0e9eee3f9e9a02559197c655822a339b97b8ae9ef60c21a0
Instruction ID: db96d135c21d043f1b3d9cc13a5e9e8c65f2f9c767b15d01cfd2c93745a93364
Opcode Fuzzy Hash: 4ac1e4b1013697ec0e9eee3f9e9a02559197c655822a339b97b8ae9ef60c21a0
Instruction Fuzzy Hash: 3E018B329445C689DB21EF35C4453BC2354EF85799F041533EA4DCA785EF28D8A2F741

Function 00007FF6DC60B410 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC60B43B
_errno.LIBCMT ref: 00007FF6DC60B430

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

_errno.LIBCMT ref: 00007FF6DC60B4DE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC60B4E9

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 9f486efa1b8314dfa2aab75535de57ab10477b20cf78fdbde7df630c2b174037
Instruction ID: 2936213e56439c5f2cbd4ca55afa3f2fff737fd8cba73483e9909090259b3e4f
Opcode Fuzzy Hash: 9f486efa1b8314dfa2aab75535de57ab10477b20cf78fdbde7df630c2b174037
Instruction Fuzzy Hash: 3541C972E182DB81EF669F13954017D6290EF80795F848137DA9CB76C5DE3CE562B700

Function 00007FF6DC608D30 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90ce4dfac01c2fc7f3f23f229081737ed7b3ce6534e3892517164148f36f33f
Instruction ID: acbfd700063d53655a7cb4989ddaf13dfbfaec8e83882610d99cb72673d91b6c
Opcode Fuzzy Hash: b90ce4dfac01c2fc7f3f23f229081737ed7b3ce6534e3892517164148f36f33f
Instruction Fuzzy Hash: 70419F22608ACA81EB12CB16D48027D63A1FB94B94F544232DA5D977E5DF3CE867F740

Function 00007FF6DC614DF4 Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_isleadbyte_l.LIBCMT ref: 00007FF6DC614E86
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6DC60F8CA), ref: 00007FF6DC614EC5
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6DC60F8CA), ref: 00007FF6DC614F13
_errno.LIBCMT ref: 00007FF6DC614F1D

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ByteCharMultiWide$_errno_isleadbyte_l
String ID:
API String ID: 693119720-0
Opcode ID: f9ef63f5f9393c33ad6ec1b55359d4d65aae5a494d22769d944872ef39a9e64e
Instruction ID: ace24605601bb12ad3141bd7b16e81a4b41290b517349341356d620a425c5ac8
Opcode Fuzzy Hash: f9ef63f5f9393c33ad6ec1b55359d4d65aae5a494d22769d944872ef39a9e64e
Instruction Fuzzy Hash: CC41B231A087C586EB62CF19914063DB7A1FB84B91F148136EB8D97B99DF3CE8639700

Function 00007FF6DC603640 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6DC6036A2
free.LIBCMT ref: 00007FF6DC6036B7
RaiseException.KERNEL32(?,?,?,?,?,?,?,00007FF6DC6032A0), ref: 00007FF6DC6036EC
RaiseException.KERNEL32(?,?,?,00007FF6DC6032A0), ref: 00007FF6DC603702

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: ExceptionRaisefree
String ID:
API String ID: 501637548-0
Opcode ID: 6091e4866e5df5ec72efa5c9ea70e5436eb9a164a20f27cf849220055c386ae6
Instruction ID: 6768efec6db53beea96531797f11c0554bd826190e779ea93025c7c7ad30b5d5
Opcode Fuzzy Hash: 6091e4866e5df5ec72efa5c9ea70e5436eb9a164a20f27cf849220055c386ae6
Instruction Fuzzy Hash: B621B032A1868586EB22DF26E09173C7360FBC0F55F108536DA1A97755CF3CE463A740

Function 00007FF6DC6022F0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6DC602330
SysFreeString.OLEAUT32 ref: 00007FF6DC60233A
SysFreeString.OLEAUT32 ref: 00007FF6DC602344
SysFreeString.OLEAUT32 ref: 00007FF6DC60234E

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 9400c879f395e8e1041e99f399ca43ef3155b5eea99d28c3571ed665674c8d41
Instruction ID: a2149301442427196f51819d29028d565e91d06e22afb1ac98521ec471abff17
Opcode Fuzzy Hash: 9400c879f395e8e1041e99f399ca43ef3155b5eea99d28c3571ed665674c8d41
Instruction Fuzzy Hash: C6012131608A4582D7159B1AE55412CB370FB84BA5B144332DF6D83BB0CF7DD4A69700

Function 00007FF6DC602820 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6DC602860
SysFreeString.OLEAUT32 ref: 00007FF6DC60286A
SysFreeString.OLEAUT32 ref: 00007FF6DC602874
SysFreeString.OLEAUT32 ref: 00007FF6DC60287E

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 71332804fb799d93ff3c92b5373d027f535b9761171e135ce507182e18860e2f
Instruction ID: 387224f8610856f11314ec1e14d35b855bfca52450a3ada187fd020729d1fcf4
Opcode Fuzzy Hash: 71332804fb799d93ff3c92b5373d027f535b9761171e135ce507182e18860e2f
Instruction Fuzzy Hash: 2C01EC35608A8682D7119B1AE95416CB360FB84BA5B144232DF6D83BB5CF7DE4B69700

Function 00007FF6DC60B684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6DC60B6D5

Part of subcall function 00007FF6DC60CA74: _getptd_noexit.LIBCMT ref: 00007FF6DC60CA78

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6DC60B6E0

Strings

B, xrefs: 00007FF6DC60B70C

Memory Dump Source

Source File: 00000003.00000002.1692378098.00007FF6DC601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6DC600000, based on PE: true

Associated: 00000003.00000002.1692329535.00007FF6DC600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692433854.00007FF6DC617000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC626000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692478292.00007FF6DC62A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1692593822.00007FF6DC62B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff6dc600000_ISBEW64.jbxd

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: bbb8f773bab51e8e522d642ffc497e4c7d030a58199116e91c1ffc0167e66120
Instruction ID: 11828243d9bb3b6de600b61d2fc7611a8d54d568dfb926f33eb7619974e19eea
Opcode Fuzzy Hash: bbb8f773bab51e8e522d642ffc497e4c7d030a58199116e91c1ffc0167e66120
Instruction Fuzzy Hash: 9B11C272A1468882EB119B13D4403ADB660FB98FD4F548331EB5C57B95CF3CD151EB00

Analysis Process: Dashboard.exePID: 5756, Parent PID: 7136COMMON

Non-executed Functions

Function 0101289C Relevance: 58.1, APIs: 31, Strings: 2, Instructions: 331windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 010128A6

Part of subcall function 0100C9C9: TlsGetValue.KERNEL32(703B38B8,010128D2,00000224,0100C14A,00000001,Main,?,?,?,?,?,?,?,00000000), ref: 0100C9D0

?StartDefer@Element@DirectUI@@SGXXZ.UXCORE(00000224,0100C14A,00000001,Main,?,?,?,?,?,?,?,00000000), ref: 010128D2
??2@YAPAXI@Z.MSVCR80(00000030), ref: 01012905
??0CRMDUIParser@@QAE@XZ.UXCORE ref: 0101291B
?LoadAndCreateElement@CRMDUIParser@@QAEJIPB_WPAPAVElement@DirectUI@@PAV23@K0@Z.UXCORE(?,?,?,00000000,0000000F,00000000), ref: 01012951
GetForegroundWindow.USER32(6C744143,65637845,0000000D,01003450,00000000), ref: 0101298B
?Initialize@NativeHWNDHost@DirectUI@@QAEJPB_W0PAUHWND__@@PAUHICON__@@HHHHHHHPAUHINSTANCE__@@I@Z.UXCORE(00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 010129C3
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(6C744143,65637845,0000000E,01003450,00000000), ref: 01012A02
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(00000000), ref: 01012A19
GetSystemMenu.USER32(00000000), ref: 01012A20
RemoveMenu.USER32(00000000,0000F000,00000000), ref: 01012A31
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(?,00000000,00000000,00000000,00000000,00000013), ref: 01012A49
SetWindowPos.USER32(00000000), ref: 01012A50
?RMLoadIcon@@YGPAUHICON__@@PB_WK0@Z.UXCORE(?,0000000F,00000000), ref: 01012A68
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(00000080,00000001,00000000), ref: 01012A78
SendMessageW.USER32(00000000), ref: 01012A7F
?RMLoadString@@YGIIPA_WIKPB_W@Z.UXCORE(00000000,?,00000104,0000000F,00000000), ref: 01012AA0
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(?), ref: 01012AAF
SetWindowTextW.USER32(00000000), ref: 01012AB6
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(00000001,00000000,00000000,?), ref: 01012AC9
?Create@HWNDElement@DirectUI@@SGJPAUHWND__@@_NI1PAPAVElement@2@@Z.UXCORE(00000000), ref: 01012AD0

Part of subcall function 010126C4: ?CreateInt@Value@DirectUI@@SGPAV12@H@Z.UXCORE(?,00000000,?,?,01012B77,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 010126D0

Part of subcall function 01012756: ?CreateUnknown@Value@DirectUI@@SGPAV12@PAUIUnknown@@@Z.UXCORE(?,00000000,?,?,01012BAD,?,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012762

Part of subcall function 0100C840: ?CreateBool@Value@DirectUI@@SGPAV12@_N@Z.UXCORE(?,00000000,?,?,01012BC4,00000001,?,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 0100C84C

?Host@NativeHWNDHost@DirectUI@@QAEXPAVElement@2@@Z.UXCORE(?,00000001,?,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012BD7
?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z.UXCORE(?,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012BE7
?Add@Element@DirectUI@@QAEJPAV12@@Z.UXCORE(?,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012BFF
?Attach@CRMDUIParser@@QAEJPAVElement@DirectUI@@@Z.UXCORE(?,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012C1A
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012C32
BuildDropTarget.UXCORE(00000001,00000000,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001,?), ref: 01012C3A
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(6C744143,65637845,00000010,01003450,80070057), ref: 01012C9C
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(00000010,00000000,00000000), ref: 01012CAC
PostMessageW.USER32(00000000), ref: 01012CB3
?EndDefer@Element@DirectUI@@SGXXZ.UXCORE(?), ref: 01012CC8

Strings

DUI Window Frame, xrefs: 01012B3C
Direct UI window, xrefs: 01012B56

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$Host@$Native$D__@@$Element@$Create$LoadParser@@Value@Window$Defer@Element@2@@MenuMessageN__@@V12@$??2@Add@Attach@Bool@BuildCreate@D__@@_DropE__@@ElementForegroundH_prolog3_I@@@Icon@@Initialize@Int@Listener@Listener@2@@PostRemoveSendStartString@@SystemTargetTextUnknown@Unknown@@@V12@@V12@_V23@Value
String ID: DUI Window Frame$Direct UI window
API String ID: 3618921266-1775726735
Opcode ID: 03c51ac8d8785a96ccd103557a71e794eee43199353ba1f3dd90f38f468ad6f3
Instruction ID: 64156be431880ffba6556d0ffe67c253a3f4e7088df3ab75dac641eaba58ca07
Opcode Fuzzy Hash: 03c51ac8d8785a96ccd103557a71e794eee43199353ba1f3dd90f38f468ad6f3
Instruction Fuzzy Hash: CEC1F671600109AFDB26AFA4D98CEAD7BE6BB48340F254498F2C6D7295CB3ADD41CF11

Function 0100769A Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 247memorywindowthreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000001,00000000,00000000), ref: 010076B1
HeapSetInformation.KERNEL32(00000000), ref: 010076BA
GetProcessHeap.KERNEL32(00000000,?,00000004), ref: 010076CA
HeapSetInformation.KERNEL32(00000000), ref: 010076CD

Part of subcall function 0100653B: __EH_prolog3.LIBCMT ref: 01006542

Part of subcall function 010072FA: __EH_prolog3.LIBCMT ref: 01007301
Part of subcall function 010072FA: CreateMutexW.KERNEL32(00000000,00000000,?,?,?,00000004,010076E9,?), ref: 01007343
Part of subcall function 010072FA: GetLastError.KERNEL32 ref: 0100734F
Part of subcall function 010072FA: CloseHandle.KERNEL32(00000000), ref: 0100735D

GetLastError.KERNEL32(?), ref: 01007700
CoInitializeEx.OLE32(00000000,00000002,?,?), ref: 010077F9
?RMInitialize@@YGXXZ.UXCORE ref: 01007807
?RMUpdateResourceSet@@YG_NPB_WK00@Z.UXCORE(DashboardRes,00000008,00000000,00000000), ref: 0100781C
?RMUpdateResourceSet@@YG_NPB_WK00@Z.UXCORE(DashboardLoc,00000004,1.0.0.1,00000000), ref: 0100784E
?RMUpdateResourceSet@@YG_NPB_WK00@Z.UXCORE(01001AD0,00008002,00000000,00000000), ref: 01007880
UXCoreInitProcess.UXCORE(00000000), ref: 010078A7
UXCoreInitThread.UXCORE(00000000), ref: 010078B4
TranslateMessage.USER32(?), ref: 010078EF
DispatchMessageW.USER32(?), ref: 010078F9

Part of subcall function 010090EF: TraceMessage.ADVAPI32(?,?,0000002B,00000000,00000000,010017F8,00000004,00000000,?,0100795C,6C744143,65637845,00000011,010017F8,00000000,00000000), ref: 0100910A

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01007906
UXCoreUnInitThread.UXCORE ref: 0100790C
UXCoreUnInitProcess.UXCORE(00000000), ref: 01007936
?RMTerminate@@YGXXZ.UXCORE(00000000), ref: 01007960
CoUninitialize.OLE32 ref: 01007966

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

CloseHandle.KERNEL32(?), ref: 0100797F

Strings

1.0.0.1, xrefs: 01007842
DashboardRes, xrefs: 01007817
DashboardLoc, xrefs: 01007849
WLXS\Dashboard, xrefs: 01007724

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Message$CoreHeapInitProcess$K00@ResourceSet@@Update$CloseErrorH_prolog3HandleInformationLastThreadTrace$CreateDispatchInitializeInitialize@@MutexTerminate@@TranslateUninitialize
String ID: 1.0.0.1$DashboardLoc$DashboardRes$WLXS\Dashboard
API String ID: 2320391741-3161801426
Opcode ID: b0b7640e0d6759bdf3b6e056b6aff3e48fdc5acccfe6a9e4f297daa83d35a3af
Instruction ID: 08b694855b39e6496e6f59cceddca6a9dea7f06b922978450260764b005a29ed
Opcode Fuzzy Hash: b0b7640e0d6759bdf3b6e056b6aff3e48fdc5acccfe6a9e4f297daa83d35a3af
Instruction Fuzzy Hash: 6091D470500249BBFB17AFA4CD44FAE7BA9EF44744F144499F6C1960D2C77ADA41CB60

Function 0100737C Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01007386
GetVersionExW.KERNEL32(00000114), ref: 010073C6

Strings

Version: %s, xrefs: 0100748C
Unsupported, xrefs: 01007405, 0100740A, 01007461
New, xrefs: 010073FE
Windows XP, xrefs: 0100741C
Windows Vista, xrefs: 0100740D
Indefinite, xrefs: 01007468
Windows 2003, xrefs: 01007423

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3_Version
String ID: Indefinite$New$Unsupported$Version: %s$Windows 2003$Windows Vista$Windows XP
API String ID: 3152847492-2193866653
Opcode ID: 2a15ceeba3357e99c7376be5592d206867398d81c9a1a4da5e0b88e1e5aa7b36
Instruction ID: 8d59f35c0632d355e65b9679e5f98fc215be8b449174d6887c6459e1db327f46
Opcode Fuzzy Hash: 2a15ceeba3357e99c7376be5592d206867398d81c9a1a4da5e0b88e1e5aa7b36
Instruction Fuzzy Hash: 642191309002299BFB77EB14CC017ECBAB4AB29711F0140D9E1C5661C0CF786BA5CFA1

Function 0100CC59 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0100CC6A
OpenProcessToken.ADVAPI32(00000000), ref: 0100CC71
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0100CC85
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0100CCA4
GetLastError.KERNEL32 ref: 0100CCAA
CloseHandle.KERNEL32(?), ref: 0100CCB8

Strings

SeShutdownPrivilege, xrefs: 0100CC7F

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3398352648-3733053543
Opcode ID: ee0013f882b80b2b7a19fe59f5a101aa25fab3b9e718203e879d761d41fc8881
Instruction ID: 302b449996c1f7a5efa8ccff5f194c8d7dcba89ad3a7b713aaf80952cba0cb84
Opcode Fuzzy Hash: ee0013f882b80b2b7a19fe59f5a101aa25fab3b9e718203e879d761d41fc8881
Instruction Fuzzy Hash: 33F01971601168ABEB22EBA1DD0DEEF7E7CEF41750F100055F986E1145DBB9CA04DBA1

Function 010087FB Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 01008D2E
_crt_debugger_hook.MSVCR80(00000001), ref: 01008D3B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01008D43
UnhandledExceptionFilter.KERNEL32(01001CE4), ref: 01008D4E
_crt_debugger_hook.MSVCR80(00000001), ref: 01008D5F
GetCurrentProcess.KERNEL32(C0000409), ref: 01008D6A
TerminateProcess.KERNEL32(00000000), ref: 01008D71

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 7d6ce6bd35bee8a7f2e6959517e5b17b2968080e00cf88af5c1365b4dfdd6eff
Instruction ID: a0f8ed9874d63253848e0c0cdeecc4be2fe3a16b8920436d4c56b97c05f8a7d2
Opcode Fuzzy Hash: 7d6ce6bd35bee8a7f2e6959517e5b17b2968080e00cf88af5c1365b4dfdd6eff
Instruction Fuzzy Hash: B521CBB4A02284DFDB32DF28E9896943BB0FB18310F01551AE48A83249E3BE96858F15

Function 0100821F Relevance: 4.5, APIs: 3, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 01008232
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 01008244
GetACP.KERNEL32 ref: 0100826D

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 70f33ab9d729608102f05b2e7a97b5d5e3e1e5541cdeeb8c49c9180d0241caed
Instruction ID: 7c2561d37f4f8e37f3ba00928a2c0b310663c91fd433351266e3a9b238308abd
Opcode Fuzzy Hash: 70f33ab9d729608102f05b2e7a97b5d5e3e1e5541cdeeb8c49c9180d0241caed
Instruction Fuzzy Hash: 94F0FC31F0066C9FE723DBB995156EF77E4BB04B41F00819EEAC2E7280D675A90487D0

Function 0100CCC8 Relevance: 1.5, APIs: 1, Instructions: 14shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0100CC59: GetCurrentProcess.KERNEL32(00000028,?), ref: 0100CC6A
Part of subcall function 0100CC59: OpenProcessToken.ADVAPI32(00000000), ref: 0100CC71
Part of subcall function 0100CC59: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0100CC85
Part of subcall function 0100CC59: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0100CCA4
Part of subcall function 0100CC59: GetLastError.KERNEL32 ref: 0100CCAA
Part of subcall function 0100CC59: CloseHandle.KERNEL32(?), ref: 0100CCB8

ExitWindowsEx.USER32(?,?), ref: 0100CCDC

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 3672536310-0
Opcode ID: 2dc45d28cb94792324e4564fa534f6c9f771541fe6c1a1f6461dc5fb7b7ddf34
Instruction ID: ac00cf5b8632513a42fe9c9415866d1b4a1c37558d9d079e883b4ee4856cca59
Opcode Fuzzy Hash: 2dc45d28cb94792324e4564fa534f6c9f771541fe6c1a1f6461dc5fb7b7ddf34
Instruction Fuzzy Hash: A2C0803118410F6F7F522F75DD04D663F59BB61351F004251F949C50D0DE32D425D750

Function 01014442 Relevance: 164.8, APIs: 47, Strings: 47, Instructions: 275libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,MsiSetInternalUI), ref: 01014493
GetProcAddress.KERNEL32(?,MsiCloseHandle), ref: 010144A3
GetProcAddress.KERNEL32(?,MsiGetActiveDatabase), ref: 010144B0
GetProcAddress.KERNEL32(?,MsiViewExecute), ref: 010144BD
GetProcAddress.KERNEL32(?,MsiViewFetch), ref: 010144CA
GetProcAddress.KERNEL32(?,MsiRecordGetInteger), ref: 010144D7
GetProcAddress.KERNEL32(?,MsiCreateRecord), ref: 010144E4
GetProcAddress.KERNEL32(?,MsiEnableLogW), ref: 010144F1
GetProcAddress.KERNEL32(?,MsiGetProductInfoW), ref: 010144FE
GetProcAddress.KERNEL32(?,MsiGetPropertyW), ref: 0101450B
GetProcAddress.KERNEL32(?,MsiSetPropertyW), ref: 01014518
GetProcAddress.KERNEL32(?,MsiOpenPackageW), ref: 01014525
GetProcAddress.KERNEL32(?,MsiSequenceW), ref: 01014535
GetProcAddress.KERNEL32(?,MsiDoActionW), ref: 01014545
GetProcAddress.KERNEL32(?,MsiSetFeatureStateW), ref: 01014552
GetProcAddress.KERNEL32(?,MsiReinstallFeatureW), ref: 0101455F
GetProcAddress.KERNEL32(?,MsiSetExternalUIW), ref: 0101456C
GetProcAddress.KERNEL32(?,MsiGetTargetPathW), ref: 0101457C
GetProcAddress.KERNEL32(?,MsiSetTargetPathW), ref: 01014589
GetProcAddress.KERNEL32(?,MsiDatabaseOpenViewW), ref: 01014596
GetProcAddress.KERNEL32(?,MsiRecordSetStringW), ref: 010145A3

Strings

MsiRecordSetStringW, xrefs: 0101459B
MsiSourceListAddSourceW, xrefs: 01014602
MsiConfigureProductExW, xrefs: 01014677
MsiGetMode, xrefs: 0101460F
MsiDeterminePatchSequenceW, xrefs: 010146E4
MsiSetExternalUIW, xrefs: 01014561
MsiGetPropertyW, xrefs: 01014500
MsiGetFeatureStateW, xrefs: 0101465D
MsiSetFeatureStateW, xrefs: 01014547
MsiRecordIsNull, xrefs: 01014636
MsiProcessMessage, xrefs: 01014629
MsiGetPatchInfoW, xrefs: 010146D4
MsiRecordDataSize, xrefs: 01014643
MsiGetActiveDatabase, xrefs: 010144A5
MsiQueryProductStateW, xrefs: 010145B5
MsiReinstallProductW, xrefs: 010145E2
MsiCreateRecord, xrefs: 010144D9
MsiDoActionW, xrefs: 01014537
MsiSetInternalUI, xrefs: 0101448B
MsiOpenProductW, xrefs: 01014694
MsiGetProductPropertyW, xrefs: 01014684
MsiGetComponentPathW, xrefs: 0101466A
MsiRecordGetInteger, xrefs: 010144CC
MsiEnableLogW, xrefs: 010144E6
MsiSourceListClearAllW, xrefs: 010145F2
MsiSetTargetPathW, xrefs: 0101457E
MsiEnumRelatedProductsW, xrefs: 01014650
MsiRecordSetInteger, xrefs: 0101461C
MsiGetPatchInfoExW, xrefs: 01014704
MsiSetExternalUIRecordA, xrefs: 010146A4
MsiCloseHandle, xrefs: 01014495
MsiDatabaseOpenViewW, xrefs: 0101458B
MsiInstallProductW, xrefs: 010145D2
MsiApplyMultiplePatchesW, xrefs: 010146F4
MsiDetermineApplicablePatchesW, xrefs: 01014714
MsiRecordGetStringW, xrefs: 010145A5
MsiApplyPatchW, xrefs: 010146BA
MsiSequenceW, xrefs: 01014527
MsiOpenPackageW, xrefs: 0101451A
MsiOpenDatabaseW, xrefs: 010145C2
MsiGetTargetPathW, xrefs: 0101456E
MsiGetProductInfoW, xrefs: 010144F3
MsiSetPropertyW, xrefs: 0101450D
MsiViewFetch, xrefs: 010144BF
MsiReinstallFeatureW, xrefs: 01014554
MsiViewExecute, xrefs: 010144B2
MsiEnumPatchesW, xrefs: 010146C4

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: AddressProc
String ID: MsiApplyMultiplePatchesW$MsiApplyPatchW$MsiCloseHandle$MsiConfigureProductExW$MsiCreateRecord$MsiDatabaseOpenViewW$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiDoActionW$MsiEnableLogW$MsiEnumPatchesW$MsiEnumRelatedProductsW$MsiGetActiveDatabase$MsiGetComponentPathW$MsiGetFeatureStateW$MsiGetMode$MsiGetPatchInfoExW$MsiGetPatchInfoW$MsiGetProductInfoW$MsiGetProductPropertyW$MsiGetPropertyW$MsiGetTargetPathW$MsiInstallProductW$MsiOpenDatabaseW$MsiOpenPackageW$MsiOpenProductW$MsiProcessMessage$MsiQueryProductStateW$MsiRecordDataSize$MsiRecordGetInteger$MsiRecordGetStringW$MsiRecordIsNull$MsiRecordSetInteger$MsiRecordSetStringW$MsiReinstallFeatureW$MsiReinstallProductW$MsiSequenceW$MsiSetExternalUIRecordA$MsiSetExternalUIW$MsiSetFeatureStateW$MsiSetInternalUI$MsiSetPropertyW$MsiSetTargetPathW$MsiSourceListAddSourceW$MsiSourceListClearAllW$MsiViewExecute$MsiViewFetch
API String ID: 190572456-2058816641
Opcode ID: 17b98e4289bb8679fa32b56e0c200408f15fa7c9bde7554e3916c860dd33ed6a
Instruction ID: 0dfad8db0f510d5a1445c7f8a96d36d181f5a67ab7380ec8147bc3a8deb6e94f
Opcode Fuzzy Hash: 17b98e4289bb8679fa32b56e0c200408f15fa7c9bde7554e3916c860dd33ed6a
Instruction Fuzzy Hash: 8DB1BAB4940B85EFEB326F728845917BEF1FF84700B014E2EE5E69AAA0D775A054DF10

Function 01011FBA Relevance: 52.8, APIs: 16, Strings: 14, Instructions: 314windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01011FC1

Part of subcall function 0100C81B: ?GetValue@Element@DirectUI@@QBEPAVValue@2@PBUPropertyInfo@2@H@Z.UXCORE(703B436C,00000002,?,0100CE37), ref: 0100C825

?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(FLWCloseBtn,?,?,00000000), ref: 0101201C
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idClose,?,?,00000000), ref: 0101203A
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(FLWMinBtn,?,?,00000000), ref: 01012058
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idCompletionClose,?,?,00000000), ref: 01012083
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(00000BD1,00000000,00000000,?,?,?,?,?,?,00000000), ref: 010122D4
PostMessageW.USER32(00000000), ref: 010122DB

Strings

idProductName, xrefs: 01012345
idResume, xrefs: 01012124
idRestartClose, xrefs: 010122ED
FLWCloseBtn, xrefs: 01012014
ProductNameTextInstalled, xrefs: 0101237A
idFIUListScrollviwer, xrefs: 010121A5, 010121DD, 01012248
idCancel, xrefs: 010120BB
idCompletionClose, xrefs: 0101207B
idConfirmedCancel, xrefs: 01012209
idClose, xrefs: 01012032
idInstall, xrefs: 0101227F
idIgnore, xrefs: 0101218D
FLWMinBtn, xrefs: 01012050
idRetry, xrefs: 010121C5

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$D__@@Element@H_prolog3Host@Info@2@MessageNativePostPropertyValue@Value@2@
String ID: FLWCloseBtn$FLWMinBtn$ProductNameTextInstalled$idCancel$idClose$idCompletionClose$idConfirmedCancel$idFIUListScrollviwer$idIgnore$idInstall$idProductName$idRestartClose$idResume$idRetry
API String ID: 406392691-3517868946
Opcode ID: 7aedde5c5fcc4f158d7e6129bc11e76acc27ab90c889b047db29f61baf3246d3
Instruction ID: 28a74e90999ffff3238f687737c5f8873f1b61b18ecda8d1f5d9e34d59475477
Opcode Fuzzy Hash: 7aedde5c5fcc4f158d7e6129bc11e76acc27ab90c889b047db29f61baf3246d3
Instruction Fuzzy Hash: 52B1A634740241ABFB67EB18C945FB93BA1BB14710FA48498F6C19F1EACB79D942CB14

Function 0100D5AB Relevance: 47.6, APIs: 5, Strings: 22, Instructions: 346COMMON

Download Yara Rule

APIs

?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE ref: 0100D5EB
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idInstallErrorHelpLink,00000000), ref: 0100D5FB
?RMLoadString@@YGIIPA_WIKPB_W@Z.UXCORE(0000032C,?,00000104,0000000F,00000000), ref: 0100D65A
?RMLoadString@@YGIIPA_WIKPB_W@Z.UXCORE(000000CA,?,00000104,0000000F,00000000,?), ref: 0100D695
?RMLoadCompoundString@@YGIIPA_WIKPB_W@Z.UXCORE(000000CD,?,00000208,0000000F,00000000), ref: 0100D6B0

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

Part of subcall function 0100D225: _vsnwprintf.MSVCR80 ref: 0100D258

Part of subcall function 0100CA2F: ?CreateString@Value@DirectUI@@SGPAV12@PB_WPAUHINSTANCE__@@I@Z.UXCORE(?,00000000,00000000), ref: 0100CA3F

Part of subcall function 01006C01: TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,00000000), ref: 01006C5D

Strings

SingleFail, xrefs: 0100D7FD, 0100D821, 0100D8B8, 0100D8D1
AllFail, xrefs: 0100D82E, 0100D995, 0100D99A
MultipleProductPartialSuccess, xrefs: 0100D97A
idRestartClose, xrefs: 0100D9DC
SingleCancelled, xrefs: 0100D76D
idSummaryFooter, xrefs: 0100D99B
InstallComplete, xrefs: 0100D915
NeedReboot, xrefs: 0100D9C3, 0100D9DB
AllSucceeded, xrefs: 0100D7CD
idCompletionClose, xrefs: 0100D9C9
SomeCancelled, xrefs: 0100D7B2
AllCancelled, xrefs: 0100D772
idInstallErrorHelpLink, xrefs: 0100D5F6
SingleProductSuccess, xrefs: 0100D95F
HasError, xrefs: 0100D733
MultipleProductRebootNeeded, xrefs: 0100D96D
SingleProductRebootNeeded, xrefs: 0100D958
MultipleFail, xrefs: 0100D804, 0100D847
SomeSucceeded, xrefs: 0100D7EC
PartialCancel, xrefs: 0100D7BC
MultipleProductSuccess, xrefs: 0100D98E
idErrorMsgCont, xrefs: 0100D738

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: DirectLoadString@@$MessageTrace$CompoundCreateE__@@Element@Element@2@Host@NativeString@V12@Value@_vsnwprintf
String ID: AllCancelled$AllFail$AllSucceeded$HasError$InstallComplete$MultipleFail$MultipleProductPartialSuccess$MultipleProductRebootNeeded$MultipleProductSuccess$NeedReboot$PartialCancel$SingleCancelled$SingleFail$SingleProductRebootNeeded$SingleProductSuccess$SomeCancelled$SomeSucceeded$idCompletionClose$idErrorMsgCont$idInstallErrorHelpLink$idRestartClose$idSummaryFooter
API String ID: 218840918-2671734306
Opcode ID: 78dd9e5f8ca60656dcae873aecfaa4802ba6b4925d1cd117f78a0f96731dd34f
Instruction ID: 2ad8084ce7e743547ef01bbabb4c4eaaf0d8d145b63ff253c7f9afca7e270cf1
Opcode Fuzzy Hash: 78dd9e5f8ca60656dcae873aecfaa4802ba6b4925d1cd117f78a0f96731dd34f
Instruction Fuzzy Hash: 34C1A1306002019BFB679FD8C858FAA7BA6FF44644F1440D9E9C99B2D1CE36D946CB20

Function 01010E59 Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 154registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01010E60

Part of subcall function 01010B31: __EH_prolog3.LIBCMT ref: 01010B38

Part of subcall function 0100C55B: RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 0100C584

Part of subcall function 0100C684: lstrlenW.KERNEL32(00000000), ref: 0100C69F
Part of subcall function 0100C684: RegSetValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0100C6B7

RegSetValueExW.ADVAPI32(?,Use Custom Search URL,00000000,00000004,?,00000004,0000000C), ref: 01010F02

Strings

CustomizeSearch, xrefs: 01010F72
Search Page, xrefs: 01010EA9
Use Search Asst, xrefs: 01010EDB
Software\Microsoft\Internet Explorer\Search, xrefs: 01010F39
msn, xrefs: 01010FF2
Software\Microsoft\Internet Explorer\Main, xrefs: 01010E86
Use Custom Search URL, xrefs: 01010EF7
http://home.microsoft.com/access/autosearch.asp?p=%s, xrefs: 01010FDC
SearchAssistant, xrefs: 01010F8C
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch, xrefs: 01010EA3, 01010EBE
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx, xrefs: 01010F53
Search Bar, xrefs: 01010EBF
Software\Microsoft\Internet Explorer\SearchUrl, xrefs: 01010FC2
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm, xrefs: 01010F87
AutoSearch, xrefs: 01010F58
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm, xrefs: 01010F6D
provider, xrefs: 01010FF7

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3Value$Createlstrlen
String ID: AutoSearch$CustomizeSearch$Search Bar$Search Page$SearchAssistant$Software\Microsoft\Internet Explorer\Main$Software\Microsoft\Internet Explorer\Search$Software\Microsoft\Internet Explorer\SearchUrl$Use Custom Search URL$Use Search Asst$http://home.microsoft.com/access/autosearch.asp?p=%s$http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx$http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm$http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm$http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch$msn$provider
API String ID: 3811441507-428694650
Opcode ID: e011f4ff021c6364969040f60b8dcebc4f326af9618f8a9cecb097d1bd4b8a06
Instruction ID: c9a85841fcf569fcd5d360069d0963b317b4f99534134c70db371ef3bb4ee06f
Opcode Fuzzy Hash: e011f4ff021c6364969040f60b8dcebc4f326af9618f8a9cecb097d1bd4b8a06
Instruction Fuzzy Hash: AE410671D40266AAFB33E665CC99EFEB674EBA4B40F11066CF5E17B0C4D9B40E84C690

Function 0100F3E3 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 368stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0100F3ED
lstrcmpiW.KERNEL32(?,Delete,0000042C,0100FE29,0000007B,?,00000000,00000000), ref: 0100F433
lstrcmpiW.KERNEL32(?,ForceRemove), ref: 0100F442
lstrlenW.KERNEL32(?), ref: 0100F8A5

Part of subcall function 0100C53D: RegCloseKey.ADVAPI32(?,?,0100C5A1), ref: 0100C54B

Strings

NoRemove, xrefs: 0100F501
Delete, xrefs: 0100F423
ForceRemove, xrefs: 0100F439
Val, xrefs: 0100F52D

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: lstrcmpi$CloseH_prolog3_lstrlen
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 989197751-1781481701
Opcode ID: 81c3cbd0e92d524083107f002ca19596d3515cdccc9f9eeb133e889b4df012fc
Instruction ID: da408757ef80bc5ba682544ae8d0336465783bffc6747967f88096f89b6b1a6e
Opcode Fuzzy Hash: 81c3cbd0e92d524083107f002ca19596d3515cdccc9f9eeb133e889b4df012fc
Instruction Fuzzy Hash: 2AD161B1E0022B9BFF339A64CD90BED77B8AF54214F4005E8EA85A71C1DB709E84DB55

Function 0101168F Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 257COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01011696

Part of subcall function 0100D009: __EH_prolog3.LIBCMT ref: 0100D010
Part of subcall function 0100D009: ??2@YAPAXI@Z.MSVCR80(00000001,00000000,0100FA5D,?), ref: 0100D025

?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE(?,0000000C,01011A57,?), ref: 010116E7

Strings

CancelFromFeaturePage, xrefs: 01011961
MultipleProductsMode, xrefs: 01011898
SingleProductMode, xrefs: 0101193C, 01011941, 0101194C
idProdListScrollviedwer, xrefs: 0101189D
idHint, xrefs: 0101194D, 01011982
idCompletePageButtonsCont, xrefs: 010117D2, 010118CC
idFIUListScrollviwer, xrefs: 0101183E
idInstallPage, xrefs: 010117E9, 010118E1
idQuestion, xrefs: 01011942, 01011966, 01011976
idProgressPageButtonsCont, xrefs: 010117B9, 010118B5
idErrorMsgCont, xrefs: 01011788
Visible, xrefs: 01011839
idProgressCont, xrefs: 010117A0, 0101185E

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3$??2@DirectElement@Element@2@Host@Native
String ID: CancelFromFeaturePage$MultipleProductsMode$SingleProductMode$Visible$idCompletePageButtonsCont$idErrorMsgCont$idFIUListScrollviwer$idHint$idInstallPage$idProdListScrollviedwer$idProgressCont$idProgressPageButtonsCont$idQuestion
API String ID: 765067690-502158243
Opcode ID: 2acba51a9d7b698485d869466626ae5ddcb7fc31ac8363fb91b90a790004e465
Instruction ID: 576265e94bab847d7a3159c867ff885aa05da33510b2501067602ba9f764034b
Opcode Fuzzy Hash: 2acba51a9d7b698485d869466626ae5ddcb7fc31ac8363fb91b90a790004e465
Instruction Fuzzy Hash: EA810630300702ABFB2B6A798954FAD6A63AB81A40F15495CFBD29F2C5DE7EC8018714

Function 01011039 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01011040

Part of subcall function 01010CBA: __EH_prolog3.LIBCMT ref: 01010CC1

Part of subcall function 0100C55B: RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 0100C584

_wcsicmp.MSVCR80 ref: 010110D1
_wcsicmp.MSVCR80 ref: 01011165
_wcsicmp.MSVCR80 ref: 01011203

Part of subcall function 0100653B: __EH_prolog3.LIBCMT ref: 01006542

Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,?), ref: 010106E0
Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?), ref: 01010714
Part of subcall function 010106BB: ??_V@YAXPAX@Z.MSVCR80(?,?,00000000,00000000,?), ref: 01010730

_wcsicmp.MSVCR80 ref: 01011245

Strings

Search Page, xrefs: 01011093
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx, xrefs: 0101115D
Software\Microsoft\Internet Explorer\Search, xrefs: 01011113
Software\Microsoft\Internet Explorer\SearchUrl, xrefs: 010111A7
msn, xrefs: 0101123D
Software\Microsoft\Internet Explorer\Main, xrefs: 01011077
AutoSearch, xrefs: 01011127
provider, xrefs: 0101120B
http://home.microsoft.com/access/autosearch.asp?p=%s, xrefs: 010111FB
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch, xrefs: 010110C9

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: _wcsicmp$H_prolog3$Value$Create
String ID: AutoSearch$Search Page$Software\Microsoft\Internet Explorer\Main$Software\Microsoft\Internet Explorer\Search$Software\Microsoft\Internet Explorer\SearchUrl$http://home.microsoft.com/access/autosearch.asp?p=%s$http://ie.search.msn.com/{SUB_RFC1766}/srchasst/saautosearch.aspx$http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch$msn$provider
API String ID: 2892520615-2298700832
Opcode ID: f5152bee5913963a1c864a93d74e7dccb2edbd7c721527cac15ae48f85a027fd
Instruction ID: 4b909bb22a64957543d9d646e162473eaaebfac2c8fd8a26875476c2192a1921
Opcode Fuzzy Hash: f5152bee5913963a1c864a93d74e7dccb2edbd7c721527cac15ae48f85a027fd
Instruction Fuzzy Hash: 6E61D771D0025B9AEF27E7A8CC94AFFBAB4AF64711F100259E6E0B71C4D7B90A44C791

Function 01011292 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 201COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0101129C
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idChkBoxSetHomePage,00000000), ref: 01011306
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idChkBoxSearch,00000000), ref: 01011362
?RMLoadString@@YGIIPA_WIKPB_W@Z.UXCORE(00000007,?,00000104,0000000F,00000000), ref: 01011390

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

Part of subcall function 0100CA0C: ?GetValue@Element@DirectUI@@QBEPAVValue@2@PBUPropertyInfo@2@H@Z.UXCORE(703B85A8,00000002), ref: 0100CA16

Part of subcall function 0100C81B: ?GetValue@Element@DirectUI@@QBEPAVValue@2@PBUPropertyInfo@2@H@Z.UXCORE(703B436C,00000002,?,0100CE37), ref: 0100C825

Part of subcall function 0100ACC8: EnterCriticalSection.KERNEL32(0101A968), ref: 0100ACDE
Part of subcall function 0100ACC8: LeaveCriticalSection.KERNEL32(0101A968), ref: 0100ACFB

Part of subcall function 01014271: FindAtomW.KERNEL32(0101A528,?,?,0101A004,?,0100ADCE,?), ref: 01014285

Part of subcall function 0100CE8D: ?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE(0100D2E1), ref: 0100CE90
Part of subcall function 0100CE8D: ?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(00000000), ref: 0100CEA1

?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idProductListCont,00000000,00000000,00000000), ref: 010114CA

Part of subcall function 0100C2F9: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.UXCORE(00000000,?,00000000,?,01012820,00000000,?,01012C67,00000000,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001), ref: 0100C30C

?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(00000000,00000000,00000000), ref: 010114DE
?Remove@Element@DirectUI@@QAEJPAV12@@Z.UXCORE(00000000,00000000), ref: 010114F1

Part of subcall function 01006C01: TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,00000000), ref: 01006C5D

Strings

idFeaturesCont, xrefs: 010113D8
idChkBoxSetHomePage, xrefs: 01011301
idChkBoxSearch, xrefs: 0101135D
Checkbox, xrefs: 0101143E
idProductListCont, xrefs: 010114C5

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$Element@$CriticalFindInfo@2@MessagePropertySectionTraceValue@Value@2@$AtomDescendent@Element@2@EnterH_prolog3_Host@LeaveLoadNativeRemove@String@@V12@V12@@
String ID: Checkbox$idChkBoxSearch$idChkBoxSetHomePage$idFeaturesCont$idProductListCont
API String ID: 2501247302-3429854558
Opcode ID: 4153eefac52b9abbf676dfddcff4d95607ed15e68bd8e8ad2b4ce932740ad836
Instruction ID: 2f4eeeb802b7e7a37a14a191ad2175f0456b7f652372a30653f2b7035d170561
Opcode Fuzzy Hash: 4153eefac52b9abbf676dfddcff4d95607ed15e68bd8e8ad2b4ce932740ad836
Instruction Fuzzy Hash: 0161F830A00216ABFB6BBBB5DD48BAD7AE5AF14340F0541D4EAC5A72D9CB39CD408F50

Function 0101415E Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 76registrylibraryCOMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 010141AE
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 010141D9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000208), ref: 010141FD
RegCloseKey.ADVAPI32(?), ref: 0101420B
wcscat_s.MSVCR80 ref: 01014226
wcscpy_s.MSVCR80 ref: 0101423F
LoadLibraryW.KERNEL32(?), ref: 0101424F

Strings

\msi.dll, xrefs: 0101421B
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer, xrefs: 0101417A
msi.dll, xrefs: 01014234
InstallerLocation, xrefs: 01014188

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CloseLibraryLoadOpenQueryValuememsetwcscat_swcscpy_s
String ID: InstallerLocation$SOFTWARE\Microsoft\Windows\CurrentVersion\Installer$\msi.dll$msi.dll
API String ID: 3826571250-3337234016
Opcode ID: b93aa61194f85a5e295c5fa3633998d0ec36e6f821ce7e7ada797f183a71aa1c
Instruction ID: e7a402fca11ff6e97eafee537c45a6f05cf2e59af719fdfca726a2adcf9cfe46
Opcode Fuzzy Hash: b93aa61194f85a5e295c5fa3633998d0ec36e6f821ce7e7ada797f183a71aa1c
Instruction Fuzzy Hash: 19213B72A00228AFDB21CB55EC4DEDAB7BCFB45310F440095F98DE7085DBB59A84CBA0

Function 0100DB70 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100DB77
?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE(00000008,0100F9E6,?,00000000), ref: 0100DB96
SysFreeString.OLEAUT32(00000000), ref: 0100DCC6

Strings

ProductInstallGreenCheck, xrefs: 0100DBCC
ProductNameText, xrefs: 0100DC1C
ProductNameTextInstalled, xrefs: 0100DC50
ProductInstallErrorCross, xrefs: 0100DC7E

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: DirectElement@Element@2@FreeH_prolog3Host@NativeString
String ID: ProductInstallErrorCross$ProductInstallGreenCheck$ProductNameText$ProductNameTextInstalled
API String ID: 3502837760-1082744444
Opcode ID: 747e6466150a54a847940e5313cbc9099f1150340b29d8cb6787f7d1bb1e2fb1
Instruction ID: 460444cceb9f4f8a0c9b4fa495b0e4b4100cd96c7c7bdc1a3f6420ccccc00133
Opcode Fuzzy Hash: 747e6466150a54a847940e5313cbc9099f1150340b29d8cb6787f7d1bb1e2fb1
Instruction Fuzzy Hash: 4131E63064024AEBFB6B6FD8CD48F6D7EA2AF50740F048498F7C45A1E1CBB6C9409B61

Function 01007529 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01007533
GetModuleHandleW.KERNEL32(00000000,?,00000104,0000026C,0100777B,?), ref: 01007563
GetModuleFileNameW.KERNEL32(00000000), ref: 0100756A
free.MSVCR80 ref: 01007676

Strings

InternalName, xrefs: 010075D2
"Not defined!", xrefs: 010075EC, 01007632
Name: %s, Version: %s, Language: %s, xrefs: 01007639
Failed to load version information from the resource. (hr = 0x%08x), xrefs: 010075A9

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Module$FileH_prolog3_HandleNamefree
String ID: "Not defined!"$Failed to load version information from the resource. (hr = 0x%08x)$InternalName$Name: %s, Version: %s, Language: %s
API String ID: 3143548698-4059656801
Opcode ID: cbab3780e8a25f20b3a3e81b748c3c48a2f37708b0307ea1dec3a86b67e69744
Instruction ID: 800949e0de888b3b4b04df70d34c68c84461ff3b66be47b7a167e636bea11cd9
Opcode Fuzzy Hash: cbab3780e8a25f20b3a3e81b748c3c48a2f37708b0307ea1dec3a86b67e69744
Instruction Fuzzy Hash: 15317071D046699BEF27EBA4CC88AEDB778AF14700F1041D6B5C9A21C0EBB55B88CF54

Function 01014BC5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01014BCC
VariantInit.OLEAUT32(?), ref: 01014BFE
VariantClear.OLEAUT32(?), ref: 01014C47
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 01014C56
SysStringLen.OLEAUT32(?), ref: 01014C6E
SysFreeString.OLEAUT32(?), ref: 01014C7F
VariantClear.OLEAUT32(?), ref: 01014C89

Strings

LaunchComponentId, xrefs: 01014C04

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Variant$ClearString$ChangeFreeH_prolog3InitType
String ID: LaunchComponentId
API String ID: 1400348697-3941572156
Opcode ID: a2c8681d91920bbe7f845c4d8dec0658d5b4f0c916ea5efa35c601ea41d7af8e
Instruction ID: ef7fa628cb9d3a552248a8ca0adeddc041cca4eb48b692761d585aca36340dc0
Opcode Fuzzy Hash: a2c8681d91920bbe7f845c4d8dec0658d5b4f0c916ea5efa35c601ea41d7af8e
Instruction Fuzzy Hash: 5A21A07090024AAFDB11DFB8C948BDE7BF8AF19301F108094E584EB295DB76DA04CB60

Function 0101015D Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0100E9AF: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0100EA1A), ref: 0100E9CE

Part of subcall function 0100F025: __EH_prolog3.LIBCMT ref: 0100F02C
Part of subcall function 0100F025: EnterCriticalSection.KERNEL32(00000000,00000000,010102F8,?,Module,00000022), ref: 0100F044
Part of subcall function 0100F025: LeaveCriticalSection.KERNEL32(00000000,00000000,00000000), ref: 0100F069

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 01010222
GetModuleHandleW.KERNEL32(00000000), ref: 01010273

Part of subcall function 0100DF17: lstrlenW.KERNEL32(?), ref: 0100DF1F
Part of subcall function 0100DF17: memcpy_s.MSVCR80 ref: 0100DF36

lstrlenW.KERNEL32(00000022), ref: 010102C6

Strings

Module, xrefs: 010102E7
Module_Raw, xrefs: 01010309
", xrefs: 010102CE
REGISTRY, xrefs: 01010327

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CriticalSection$Modulelstrlen$DeleteEnterFileH_prolog3HandleLeaveNamememcpy_s
String ID: "$Module$Module_Raw$REGISTRY
API String ID: 332685461-3881418485
Opcode ID: c351b8aa09a13ca807f1a00a270b5964c2643aec74d88fdae1cdfc293cc3a101
Instruction ID: d46999cc658952edaea7454df8a5fe132568ef7091b98177f4d0ba10c9127f31
Opcode Fuzzy Hash: c351b8aa09a13ca807f1a00a270b5964c2643aec74d88fdae1cdfc293cc3a101
Instruction Fuzzy Hash: 27515271A0022A9BDB61EBA4CC84AED73B8AF59200F4405E5F5C5E7149EA3D9FC4CF52

Function 0101035B Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0100E9AF: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0100EA1A), ref: 0100E9CE

Part of subcall function 0100F025: __EH_prolog3.LIBCMT ref: 0100F02C
Part of subcall function 0100F025: EnterCriticalSection.KERNEL32(00000000,00000000,010102F8,?,Module,00000022), ref: 0100F044
Part of subcall function 0100F025: LeaveCriticalSection.KERNEL32(00000000,00000000,00000000), ref: 0100F069

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 01010417
GetModuleHandleW.KERNEL32(00000000), ref: 01010468

Part of subcall function 0100DF17: lstrlenW.KERNEL32(?), ref: 0100DF1F
Part of subcall function 0100DF17: memcpy_s.MSVCR80 ref: 0100DF36

lstrlenW.KERNEL32(00000022), ref: 010104BB

Strings

", xrefs: 010104C3
Module, xrefs: 010104DC
Module_Raw, xrefs: 010104FE
REGISTRY, xrefs: 0101051C

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CriticalSection$Modulelstrlen$DeleteEnterFileH_prolog3HandleLeaveNamememcpy_s
String ID: "$Module$Module_Raw$REGISTRY
API String ID: 332685461-3881418485
Opcode ID: cfa358debf78099171d65b9fc63a9b4aa20d5087ae44e40a0c9ddf0a0767442a
Instruction ID: a6aad74a2c5b9154bc058d32289d94a35c7a930bb73b25fd90c9e60d46a93487
Opcode Fuzzy Hash: cfa358debf78099171d65b9fc63a9b4aa20d5087ae44e40a0c9ddf0a0767442a
Instruction Fuzzy Hash: AD519471A0032A9BDB21EBA4DD849EE73BCAF58300F4405A5F5C5E7149DB399F84CB52

Function 01010CBA Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01010CC1

Part of subcall function 0100C55B: RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 0100C584

Part of subcall function 0100653B: __EH_prolog3.LIBCMT ref: 01006542

Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,?), ref: 010106E0
Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?), ref: 01010714
Part of subcall function 010106BB: ??_V@YAXPAX@Z.MSVCR80(?,?,00000000,00000000,?), ref: 01010730

_wcsicmp.MSVCR80 ref: 01010DFA

Strings

search.live.com, xrefs: 01010D95
Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 01010DAA
Software\Microsoft\Internet Explorer, xrefs: 01010D09
DefaultScope, xrefs: 01010DC2
Version, xrefs: 01010D37

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3Value$Create_wcsicmp
String ID: DefaultScope$Software\Microsoft\Internet Explorer$Software\Microsoft\Internet Explorer\SearchScopes$Version$search.live.com
API String ID: 2459908085-109992249
Opcode ID: 39d4ce0c0504623c10ed6bcf8ed57d580ccf4a711cdf64ef239f728181f1044f
Instruction ID: da91692fbf1bbc0728a7f2577692d3937b43c81839a1a500042604c73adfadcd
Opcode Fuzzy Hash: 39d4ce0c0504623c10ed6bcf8ed57d580ccf4a711cdf64ef239f728181f1044f
Instruction Fuzzy Hash: 7841B47190015AAAEF22EBE9CD54AEEBBB4AF29320F100159F2D1B32C5DB750A44C765

Function 01010B31 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 121registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01010B38

Part of subcall function 0100C55B: RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 0100C584

Part of subcall function 0100653B: __EH_prolog3.LIBCMT ref: 01006542

Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,?), ref: 010106E0
Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?), ref: 01010714
Part of subcall function 010106BB: ??_V@YAXPAX@Z.MSVCR80(?,?,00000000,00000000,?), ref: 01010730

RegSetValueExW.ADVAPI32(?,Version,00000000,00000004,?,00000004,search.live.com,?), ref: 01010C62

Strings

search.live.com, xrefs: 01010C0A
Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 01010C20
Software\Microsoft\Internet Explorer, xrefs: 01010B81
DefaultScope, xrefs: 01010C40
Version, xrefs: 01010BAF, 01010C57

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Value$H_prolog3$Create
String ID: DefaultScope$Software\Microsoft\Internet Explorer$Software\Microsoft\Internet Explorer\SearchScopes$Version$search.live.com
API String ID: 120277328-109992249
Opcode ID: 95c97ba9765c4079a63bbdd3128ccb205dd6202ad9ffeadd15bc1b53c6cbd093
Instruction ID: 18264d3b9551ec9fb9b8377ce051fc4fd5f89498e1e5bf640c1f9694bde7e341
Opcode Fuzzy Hash: 95c97ba9765c4079a63bbdd3128ccb205dd6202ad9ffeadd15bc1b53c6cbd093
Instruction Fuzzy Hash: 8F419370D1125AAAEF22EBA8CD54AEEBBB4EF29710F100159F2D1B22C4D7750744CBA5

Function 0100D3CE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE ref: 0100D3F0
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idProductListCont,00000000), ref: 0100D400

Part of subcall function 0100C2F9: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.UXCORE(00000000,?,00000000,?,01012820,00000000,?,01012C67,00000000,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001), ref: 0100C30C

?Add@Element@DirectUI@@QAEJPAV12@@Z.UXCORE(?,?), ref: 0100D496

Strings

ProductLine, xrefs: 0100D427
ProductNameText, xrefs: 0100D43A
idProductListCont, xrefs: 0100D3FB
UnlaunchableProductNameText, xrefs: 0100D472

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$Element@$Add@Descendent@Element@2@FindHost@NativeV12@V12@@
String ID: ProductLine$ProductNameText$UnlaunchableProductNameText$idProductListCont
API String ID: 2886039252-2033342440
Opcode ID: 381874d1a4e7aa9c4f63e340bc0acaab1d3c72144bc70de579f6a65152f097cc
Instruction ID: 48333047e8f2e7f5581505fc6d3df2c11f652f343825d3b2a55e7844625f4102
Opcode Fuzzy Hash: 381874d1a4e7aa9c4f63e340bc0acaab1d3c72144bc70de579f6a65152f097cc
Instruction Fuzzy Hash: CA219831240146ABBF23BFD9D8C88ED7BA5AB40250F15C47DFAC5861D0DE719A85C762

Function 01010745 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0101074C

Part of subcall function 0100C5B0: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000), ref: 0100C5CC

Strings

Software\Microsoft\Internet Explorer\International, xrefs: 0101076E
AcceptLanguage, xrefs: 010107A6
Start Page, xrefs: 010107FD
Software\Microsoft\Internet Explorer\Main, xrefs: 010107E3
http://go.microsoft.com/fwlink/?linkid=677, xrefs: 010107C5
http://runonce.msn.com/?v=msgrv75, xrefs: 010107BE

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3Open
String ID: AcceptLanguage$Software\Microsoft\Internet Explorer\International$Software\Microsoft\Internet Explorer\Main$Start Page$http://go.microsoft.com/fwlink/?linkid=677$http://runonce.msn.com/?v=msgrv75
API String ID: 94179280-3469362327
Opcode ID: 5494531869df0e860775eec5cea18b9b608a1a2ca1933ceeb8e5fc5e7f4d8457
Instruction ID: b03cea58fb13dbe64b95bf04508e058527b1d262e75d1e3db3d68a84c6778d1e
Opcode Fuzzy Hash: 5494531869df0e860775eec5cea18b9b608a1a2ca1933ceeb8e5fc5e7f4d8457
Instruction Fuzzy Hash: 8721C870E5122B9AFB22EB98CD859FE7A74BF20B10F100569B1D0F61C8DA784784CBD1

Function 01014853 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0101485A
CompareStringW.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,0000001C), ref: 010148BC
CompareStringW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 010148D1
CompareStringW.KERNEL32(00000000,00000001,?), ref: 010148E6
SysFreeString.OLEAUT32(?), ref: 010148FE
SysFreeString.OLEAUT32(00000000), ref: 01014903

Strings

W, xrefs: 01014875

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: String$Compare$Free$H_prolog3
String ID: W
API String ID: 1418015357-655174618
Opcode ID: e39bde786cc5e509e910243a1f7bee8366021e46218f773fdf9285fc12366a50
Instruction ID: 47f769c8fea87ae1cb678e69320621dc2ceae8e0eda54b62641d1dfb7c34f609
Opcode Fuzzy Hash: e39bde786cc5e509e910243a1f7bee8366021e46218f773fdf9285fc12366a50
Instruction Fuzzy Hash: 68217C7190029AEBCF228F99CC84DAFBFB5FF49310F104429F694A71A4C7798A54CB60

Function 01006FF1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

swprintf_s.MSVCR80 ref: 0100702D
swprintf_s.MSVCR80 ref: 01007066
free.MSVCR80 ref: 01007086
VerQueryValueW.VERSION(?,?,?,?), ref: 010070A5

Strings

\StringFileInfo\%04X%04X\%s, xrefs: 0100701F
\StringFileInfo\%s\%s, xrefs: 01007056
040904B0, xrefs: 01007038

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: swprintf_s$QueryValuefree
String ID: 040904B0$\StringFileInfo\%04X%04X\%s$\StringFileInfo\%s\%s
API String ID: 58640916-2735271439
Opcode ID: 10e1db9037010f63f168c616480a7b0505c72547c66df70d44e3b384dd55806d
Instruction ID: 9121654ffcc31185a179aebdb9a7bae6dd74d00202f9eb81be755d9591a0e984
Opcode Fuzzy Hash: 10e1db9037010f63f168c616480a7b0505c72547c66df70d44e3b384dd55806d
Instruction Fuzzy Hash: 93214175600218EBEB22DB15DC41FEA77B8EB49701F0441E6B6C9EA0C0DB75EA488F61

Function 01007241 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01007248
GetCurrentProcess.KERNEL32(00000008,?,00000010,01007323,?,?,00000004,010076E9,?), ref: 0100726C
OpenProcessToken.ADVAPI32(00000000), ref: 01007273
GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),00000000,00000000,?), ref: 01007292
GetTokenInformation.ADVAPI32(00000002,0000000A(TokenIntegrityLevel),00000000,?,?), ref: 010072B0
??_V@YAXPAX@Z.MSVCR80(00000000,?,-%08x%08x,?,?), ref: 010072D3

Strings

-%08x%08x, xrefs: 010072C5

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Token$InformationProcess$CurrentH_prolog3Open
String ID: -%08x%08x
API String ID: 3011079919-1460627869
Opcode ID: 094dca7fcef6272655e9c9468c71074463a0339e4279d3ced7844b622b4b0cbd
Instruction ID: 14013fa25340ebc3f15318e562f0247be2727f88028aed6a1f8695add1c8e3b5
Opcode Fuzzy Hash: 094dca7fcef6272655e9c9468c71074463a0339e4279d3ced7844b622b4b0cbd
Instruction Fuzzy Hash: 14111A71D0021AAFEB52EFA4CC84DEFBBB9FF54300F108429F685A7190D6359A41CBA0

Function 0100F09B Relevance: 12.2, APIs: 8, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0100E200: lstrcmpiW.KERNEL32(?), ref: 0100E26E

lstrlenW.KERNEL32(?), ref: 0100F184
CharNextW.USER32(00000000), ref: 0100F1C6
CharNextW.USER32(00000000), ref: 0100F1DE
HRESULT_FROM_WIN32.COMSUPP ref: 0100F3A4

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CharNext$lstrcmpilstrlen
String ID:
API String ID: 1051761657-0
Opcode ID: f007392dcc0b97368795c7c681e3556136bea518257d0dca415f9f8329e6f00c
Instruction ID: e78cf0f7e787b2a388ba4b1afe683e8f8685b0032c1eda716b136b0a6e7556b7
Opcode Fuzzy Hash: f007392dcc0b97368795c7c681e3556136bea518257d0dca415f9f8329e6f00c
Instruction Fuzzy Hash: 1491827190021ADBEB36DF64CC49AEDB7B4EB68310F0044EAE789A3180D7749E95DF91

Function 0100853A Relevance: 12.1, APIs: 8, Instructions: 58COMMON

Download Yara Rule

APIs

__set_app_type.MSVCR80 ref: 0100859F
_encode_pointer.MSVCR80(000000FF), ref: 010085A7
__p__fmode.MSVCR80 ref: 010085B9
__p__commode.MSVCR80 ref: 010085C7
__RTC_Initialize.LIBCMT ref: 010085E1
__setusermatherr.MSVCR80 ref: 010085F9
__setdefaultprecision.LIBCMT ref: 01008600
_configthreadlocale.MSVCR80(000000FF), ref: 01008610

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Initialize__p__commode__p__fmode__set_app_type__setdefaultprecision__setusermatherr_configthreadlocale_encode_pointer
String ID:
API String ID: 2053481123-0
Opcode ID: a64e5e51e68daed2df3a5083e8c40796ea4e3333eb65bcf129c351e50eebb4d4
Instruction ID: df229489038c4b23ceb219302f4a03fdef434e820d14513628d8968e227b3bf0
Opcode Fuzzy Hash: a64e5e51e68daed2df3a5083e8c40796ea4e3333eb65bcf129c351e50eebb4d4
Instruction Fuzzy Hash: 6C21DE74A05241CFEB6B9F68E44C6A837A0FB09362F15856AF1D5872D9DB7E8484CB01

Function 0100EA68 Relevance: 10.6, APIs: 7, Instructions: 105stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0100EA6F
lstrlenW.KERNEL32(?,00000058,0100FD43,?,?), ref: 0100EA93
CoTaskMemFree.OLE32(00000000), ref: 0100EAAF
CharNextW.USER32(00000000), ref: 0100EADC
CharNextW.USER32(?,00000000), ref: 0100EB3A
CharNextW.USER32(?,?,00000000), ref: 0100EB55
CoTaskMemFree.OLE32(?), ref: 0100EB73

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CharNext$FreeTask$H_prolog3_lstrlen
String ID:
API String ID: 416358153-0
Opcode ID: 0b2cc8b0ca95ee9ccc828c56ca36c7ebe43c033411923d3d826cb913160ee5f3
Instruction ID: 77407f147547ef54938decaa461d41fac9caa3732f36381b43ef8ca3cf38b2ec
Opcode Fuzzy Hash: 0b2cc8b0ca95ee9ccc828c56ca36c7ebe43c033411923d3d826cb913160ee5f3
Instruction Fuzzy Hash: BD313E709046059BFB26AFA8CC44AAEBBF4FF54300F14485DE5C6BB2D5DB7499808B64

Function 0100DA31 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE ref: 0100DA52
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idProgress,00000000), ref: 0100DA62

Part of subcall function 0100C421: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.UXCORE(?), ref: 0100C434

?RMLoadCompoundString@@YGIIPA_WIKPB_W@Z.UXCORE(00000219,?,00000104,0000000F,00000000), ref: 0100DAAE
?RMLoadCompoundString@@YGIIPA_WIKPB_W@Z.UXCORE(000001FC,?,00000104,0000000F,00000000), ref: 0100DB14

Part of subcall function 0100D225: _vsnwprintf.MSVCR80 ref: 0100D258

Part of subcall function 0100CFBA: ?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE ref: 0100CFC2
Part of subcall function 0100CFBA: ?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(?,00000000), ref: 0100CFCC

Strings

idProgressText, xrefs: 0100DAE5, 0100DAEA, 0100DAFD
idProgress, xrefs: 0100DA5D, 0100DB4E

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$Element@$CompoundElement@2@Host@LoadNativeString@@$Descendent@FindV12@_vsnwprintf
String ID: idProgress$idProgressText
API String ID: 1622879431-3864566807
Opcode ID: 5ca6dc815ab63f4628eb3ca0176669c1f24df00391b79aee8dd3d173367796a8
Instruction ID: 9248abb560470032c29b498042893fc5111e7cdd0c223232870edfb5f12c8365
Opcode Fuzzy Hash: 5ca6dc815ab63f4628eb3ca0176669c1f24df00391b79aee8dd3d173367796a8
Instruction Fuzzy Hash: B73192B560021EABFB229BD4DC44FFA77BDAB45310F1041B5AA49E7181EA34DE858B70

Function 0100FE79 Relevance: 10.6, APIs: 7, Instructions: 98libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0100FE83
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 0100FECA
FindResourceW.KERNEL32(00000000,?,?), ref: 0100FEF5
FreeLibrary.KERNEL32(?), ref: 0100FFE4

Part of subcall function 0100CC3F: GetLastError.KERNEL32(01006B35,?,01001808,?,?), ref: 0100CC3F

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Library$ErrorFindFreeH_prolog3_catch_LastLoadResource
String ID:
API String ID: 724505223-0
Opcode ID: 2a255d419a8cd9764f616e2a3f2f23f461e79bb551b7f378d87156cb290651a7
Instruction ID: f8d4d4d37ea8e13076e32b856f19b572d4baa903ea9adfc10e0173d023539797
Opcode Fuzzy Hash: 2a255d419a8cd9764f616e2a3f2f23f461e79bb551b7f378d87156cb290651a7
Instruction Fuzzy Hash: 884144B090012DDBEB329F64CC44ADDBBB5AF49704F5044D9E289A3181DB754EC1DFA4

Function 0100B61E Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100B625

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

SysFreeString.OLEAUT32(?), ref: 0100B888

Part of subcall function 0100ACC8: EnterCriticalSection.KERNEL32(0101A968), ref: 0100ACDE
Part of subcall function 0100ACC8: LeaveCriticalSection.KERNEL32(0101A968), ref: 0100ACFB

Part of subcall function 01014BC5: __EH_prolog3.LIBCMT ref: 01014BCC
Part of subcall function 01014BC5: VariantInit.OLEAUT32(?), ref: 01014BFE
Part of subcall function 01014BC5: VariantClear.OLEAUT32(?), ref: 01014C47
Part of subcall function 01014BC5: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 01014C56
Part of subcall function 01014BC5: SysStringLen.OLEAUT32(?), ref: 01014C6E
Part of subcall function 01014BC5: SysFreeString.OLEAUT32(?), ref: 01014C7F
Part of subcall function 01014BC5: VariantClear.OLEAUT32(?), ref: 01014C89

SysFreeString.OLEAUT32 ref: 0100B883
SysFreeString.OLEAUT32(?), ref: 0100B8C2
SysFreeString.OLEAUT32(00000000), ref: 0100B8DF
SysFreeString.OLEAUT32(?), ref: 0100B8E4

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: String$Free$Variant$ClearCriticalH_prolog3Section$ChangeEnterInitLeaveMessageTraceType
String ID:
API String ID: 2015058421-0
Opcode ID: 4d7cddfe775398383c88e6911047bbf7a5b6bb33b1ea23626f0e8af9ac970301
Instruction ID: baaabb00d1101bfc5f673f8e96fd8f20d2257b82d0e0d4b1ae0f655628e2b70b
Opcode Fuzzy Hash: 4d7cddfe775398383c88e6911047bbf7a5b6bb33b1ea23626f0e8af9ac970301
Instruction Fuzzy Hash: 31A12D74E0025AEFEF16DFA8C984AEDBBB5BF48300F144499E584F72A1C7799941CB60

Function 01006656 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100665D
CommandLineToArgvW.SHELL32(?,?,00000014,01006813,00000000), ref: 0100669F
LocalFree.KERNEL32(00000000,?,?), ref: 010067B5

Strings

W, xrefs: 0100668C

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: ArgvCommandFreeH_prolog3LineLocal
String ID: W
API String ID: 646583325-655174618
Opcode ID: c6e531c2e11936415607fb09a72066b7f559ed272eace614d8533ada9af4e8f0
Instruction ID: c2037d6ca735e8c2fcf5abfbf6f588a1479a6db5a6e75aec73436c4836c6c77c
Opcode Fuzzy Hash: c6e531c2e11936415607fb09a72066b7f559ed272eace614d8533ada9af4e8f0
Instruction Fuzzy Hash: DF41447090020BABEF06EFA4CC94AFE7BB6BF14350F144429F596A72C4DB359A54CB61

Function 0100ED5F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE ref: 0100ED96
GetWindowPlacement.USER32(?,?), ref: 0100EE09
OffsetRect.USER32(?,?,?), ref: 0100EE48
SetWindowPlacement.USER32(?,0000002C), ref: 0100EE71

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

Strings

,, xrefs: 0100EE52

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: PlacementWindow$D__@@DirectHost@MessageNativeOffsetRectTrace
String ID: ,
API String ID: 2422741864-3772416878
Opcode ID: d3990d08e9713a60291aa3fb01dcc106f6649d26d8794f03157c310cebab1159
Instruction ID: 151ea1f11fd12e3433d2786e5b73943f56fb14e63ea05fbf54b584d2d45c1a03
Opcode Fuzzy Hash: d3990d08e9713a60291aa3fb01dcc106f6649d26d8794f03157c310cebab1159
Instruction Fuzzy Hash: C1411671A00249AFEF56DFA8C984AAEBFB5FF08300F0044A9EA44F7295D735D904CB50

Function 0100D2C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 0100CE8D: ?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE(0100D2E1), ref: 0100CE90
Part of subcall function 0100CE8D: ?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(00000000), ref: 0100CEA1

?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(idAppToCloseList,00000000), ref: 0100D2E7

Part of subcall function 0100C2F9: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.UXCORE(00000000,?,00000000,?,01012820,00000000,?,01012C67,00000000,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001), ref: 0100C30C

?DestroyAll@Element@DirectUI@@QAEJXZ.UXCORE(?,00000000), ref: 0100D307
?Add@Element@DirectUI@@QAEJPAV12@@Z.UXCORE(?,00000000), ref: 0100D35F

Strings

FileInUseProcess, xrefs: 0100D334
idAppToCloseList, xrefs: 0100D2E2

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$Element@$Add@All@Descendent@DestroyElement@2@FindHost@NativeV12@V12@@
String ID: FileInUseProcess$idAppToCloseList
API String ID: 3525022571-2046938704
Opcode ID: e9966d58a17102918ce4b63c731e4e87e7c69f47d073d851fb94f02b8b8963e1
Instruction ID: 7ac993181683e2e9e9251bc9cd7b45801f5b3eed484b9137fd60986efe64c7a8
Opcode Fuzzy Hash: e9966d58a17102918ce4b63c731e4e87e7c69f47d073d851fb94f02b8b8963e1
Instruction Fuzzy Hash: 0B31E835A00215EFE7179FE8C584E6DB7B5BF44314F0181A9FA81A72D1C7359D00DBA0

Function 010155ED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 01015612
MonitorFromRect.USER32(?,00000002), ref: 0101561B
memset.MSVCR80 ref: 0101562F
GetMonitorInfoW.USER32(00000000,?), ref: 01015643

Strings

(, xrefs: 0101563C

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: InfoMonitor$FromParametersRectSystemmemset
String ID: (
API String ID: 3123987128-3887548279
Opcode ID: d741c6c5a155b698c32bf338a5ede82430338b792feffbcae73892928b839b31
Instruction ID: e2bdba4887ad33cabea078026ad4d5b052aeca5d00e6cca63a21410aeef5ad0a
Opcode Fuzzy Hash: d741c6c5a155b698c32bf338a5ede82430338b792feffbcae73892928b839b31
Instruction Fuzzy Hash: 1311C872A01704A7E721DF999C45F9F77BDAF8A710F444015BE40AF184D7B6E9048790

Function 01010838 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0101083F

Part of subcall function 0101054D: __EH_prolog3.LIBCMT ref: 01010554

Part of subcall function 01004CF1: wcsstr.MSVCR80 ref: 01004D14

_wcsicmp.MSVCR80 ref: 010108C2

Strings

live.com, xrefs: 010108A8
msn, xrefs: 01010894
http://go.microsoft.com/fwlink/?linkid=677, xrefs: 010108BC

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3$_wcsicmpwcsstr
String ID: http://go.microsoft.com/fwlink/?linkid=677$live.com$msn
API String ID: 833426062-580272
Opcode ID: c04370721e553d7787d839864517dacf586274b057958e95ec4922c90dabcd1f
Instruction ID: 54811ff9200b1456d5c1b90e5079fdb4b0822ae782a457391fb1bf4a4d5d780a
Opcode Fuzzy Hash: c04370721e553d7787d839864517dacf586274b057958e95ec4922c90dabcd1f
Instruction Fuzzy Hash: 8011A03190010AAAEB16EBB5CD40FEE7364AF21330F144619FAE1A71C5DF7466848665

Function 01009783 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100978A

Part of subcall function 010096D9: __EH_prolog3.LIBCMT ref: 010096E0

SysFreeString.OLEAUT32(?), ref: 0100988D
SysFreeString.OLEAUT32(?), ref: 01009892
SysFreeString.OLEAUT32(?), ref: 010098C4
SysFreeString.OLEAUT32(?), ref: 010098C9

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: FreeString$H_prolog3
String ID:
API String ID: 3629739108-0
Opcode ID: e02a6200ded8b7db9cc0e8026aa6b0f8f69c1fd2eb10aab8edaad185103c5dfa
Instruction ID: 48c2d3afbd75c128bde8091f1f95c1a2f5d87b1d543480c31fda6a5090f94283
Opcode Fuzzy Hash: e02a6200ded8b7db9cc0e8026aa6b0f8f69c1fd2eb10aab8edaad185103c5dfa
Instruction Fuzzy Hash: 9A510F71D0024ADFDF02DFD8C9849EEBBB5BF48304F2444A9E249EB291C7359A46DB61

Function 0100E39F Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000000), ref: 0100E3D6
CharNextW.USER32 ref: 0100E442

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: b3424546fbc53943c34953f7ae7028372be4bc65b3d5d4b3abee321f92e1d46b
Instruction ID: 16616e433eb240b509ac8e50b31b0acdb8d5149847edf7b3a836d46a9280c1bd
Opcode Fuzzy Hash: b3424546fbc53943c34953f7ae7028372be4bc65b3d5d4b3abee321f92e1d46b
Instruction Fuzzy Hash: A631AD70600202DBFB279F28C884A6ABBE5EF55355F614C68E8C2E72D2EB70D891C750

Function 010095A3 Relevance: 7.6, APIs: 5, Instructions: 95comCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010095AA
GetCommandLineW.KERNEL32 ref: 010095FC
CoCreateInstance.OLE32(01001DDC,00000000,00000017,01001E3C), ref: 0100962B
GetCurrentProcessId.KERNEL32(?,?), ref: 0100966F
SysFreeString.OLEAUT32(?), ref: 010096C5

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: CommandCreateCurrentFreeH_prolog3InstanceLineMessageProcessStringTrace
String ID:
API String ID: 631387903-0
Opcode ID: dd798d488336b5684a717e138d2c436395bdac2780f2e75ecb861d8dbafbc93f
Instruction ID: 44c6bbda73d8c30009d73df1ae5140f96420e134551cff5f5282a8c3a6a66a6a
Opcode Fuzzy Hash: dd798d488336b5684a717e138d2c436395bdac2780f2e75ecb861d8dbafbc93f
Instruction Fuzzy Hash: 99314770600245EFFB679B58DE44F6A7BA6BB08308F060484F784AB1E6C77AC910CB54

Function 0100EEFA Relevance: 7.6, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0100EF01
lstrlenW.KERNEL32(00000000,00000024,0100F066,00000000,00000000), ref: 0100EF23
lstrlenW.KERNEL32(00000000), ref: 0100EF69
??_V@YAXPAX@Z.MSVCR80(?), ref: 0100EFFD
??_V@YAXPAX@Z.MSVCR80(?,?), ref: 0100F005

Part of subcall function 0100DF4D: memcpy_s.MSVCR80 ref: 0100DF5E

Part of subcall function 0100EBAB: _recalloc.MSVCR80(?,?,00000004), ref: 0100EBC3

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: lstrlen$H_prolog3_catch_recallocmemcpy_s
String ID:
API String ID: 866230722-0
Opcode ID: bde39072cdf66372d12632a768744ff009ee50771f33cca111ec82214d9dc2e7
Instruction ID: 4a05fd8a4a72c2b3ad31ae83afca6777715ace8a1ed717b12051f600431f0c05
Opcode Fuzzy Hash: bde39072cdf66372d12632a768744ff009ee50771f33cca111ec82214d9dc2e7
Instruction Fuzzy Hash: EC314872D0120AEFEF16DFA8D8018EEFBF4BF48300F14842AE685B6190DA358641DB65

Function 0100D50F Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0100CE8D: ?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE(0100D2E1), ref: 0100CE90
Part of subcall function 0100CE8D: ?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(00000000), ref: 0100CEA1

?RMLoadInt@@YGHIHKPB_W@Z.UXCORE(00000065,00000000,0000000F,00000000), ref: 0100D53C
?UpdateAndGetDesiredSize@Element@DirectUI@@QAE?AUtagSIZE@@HH@Z.UXCORE(?,00000000,00007FFF), ref: 0100D557
SetRect.USER32(?,00000000,00000000,?,?), ref: 0100D576
AdjustWindowRectEx.USER32(?,00000000,?,?), ref: 0100D584
SetRect.USER32(?,00000000,00000000,?,?), ref: 0100D59A

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: DirectRect$Element@$AdjustDesiredElement@2@Host@Int@@LoadNativeSize@UpdateUtagWindow
String ID:
API String ID: 1809558269-0
Opcode ID: d3e138a6f4332dea81d1944166ee624c3c0e8700dc19a9ac083cc37b1f3bb87a
Instruction ID: 71f5b1d7fa40daee496e1b61813e65f8cd9f9a99bc4942fbb0048a46c1a82405
Opcode Fuzzy Hash: d3e138a6f4332dea81d1944166ee624c3c0e8700dc19a9ac083cc37b1f3bb87a
Instruction Fuzzy Hash: 8E112BB2600119AFE721EFA8CD84CBEB7ADEF88354B154569F946D7280CA75AD008B60

Function 010156A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

SHAppBarMessage.SHELL32(00000005,?), ref: 010156D4
GetSystemMetrics.USER32(00000002), ref: 010156EC
IsRectEmpty.USER32(?), ref: 01015780

Strings

$, xrefs: 010156CD

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: EmptyMessageMetricsRectSystem
String ID: $
API String ID: 2292397665-3993045852
Opcode ID: ab05f3a0025eb87d50b3fc758c4437df7dcce06cabbe2307c1029eec0a697a13
Instruction ID: 4c4c7ab558addff8e75fb91731318ce0bdb061bc492359218a73d0da22669bd5
Opcode Fuzzy Hash: ab05f3a0025eb87d50b3fc758c4437df7dcce06cabbe2307c1029eec0a697a13
Instruction Fuzzy Hash: A3413C7190120AEFCF14CFA8E9C59AEBBF4FB89314F24852DE595EB284D734A544CB50

Function 01006F15 Relevance: 6.3, APIs: 5, Instructions: 75stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 01006F32
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,?,00000001), ref: 01006F5F
GetLastError.KERNEL32(?,00000001), ref: 01006F6A
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000001), ref: 01006F83
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,00000001), ref: 01006FA9

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 7792bc38fc12b54c15b8ff1acd53d2e74ddac52a1f7456f07dac181e9d35e7df
Instruction ID: 4d3a4669911ef874adf8f587f61e9c25e1d8e1e6141688ddc47703c6cb7bf9f3
Opcode Fuzzy Hash: 7792bc38fc12b54c15b8ff1acd53d2e74ddac52a1f7456f07dac181e9d35e7df
Instruction Fuzzy Hash: 11117236400128BBDF236F95CC44DEFBE6EEF457A0F118155F9889A150C7728A60DBE0

Function 01011E46 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01011E4D
?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE(00000000), ref: 01011EBF
GetWindowPlacement.USER32(00000000), ref: 01011EC6

Part of subcall function 01012579: ?OnMessage@NativeHWNDHost@DirectUI@@UAEJIIJAAJ@Z.UXCORE(?,?,?,?), ref: 010125A2

?RMUpdateResourceSet@@YG_NPB_WK00@Z.UXCORE(01001AD0,00008002,00000000,00000000,?,00000034), ref: 01011F68

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: DirectHost@Native$D__@@H_prolog3K00@Message@PlacementResourceSet@@UpdateWindow
String ID:
API String ID: 315737454-0
Opcode ID: 0717c8a198e9a8660e710eff7bc540df8b7ce624521564a8d82b9d1c2acfc164
Instruction ID: 9d7d88f9932502133a2307076172d7e1aac97a1b4a88e38512fd186e791fb1cb
Opcode Fuzzy Hash: 0717c8a198e9a8660e710eff7bc540df8b7ce624521564a8d82b9d1c2acfc164
Instruction Fuzzy Hash: 71418D30900249AFEB6ADBA8D944AAE7BF5BF14300F104899FAC1D71A9C77DD901CB10

Function 0100998A Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01009991
CoQueryProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?), ref: 010099C1
CoCopyProxy.OLE32(?,?,?,?,?,?,?,?,?,?,?,00000018), ref: 010099DA
CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,?,?,00000000,00000800), ref: 01009A1E

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Proxy$Blanket$CopyH_prolog3Query
String ID:
API String ID: 3551063796-0
Opcode ID: 4275012548692d04ac906b5d7a63ab59788de7de78710f4831b239a1407e0ced
Instruction ID: 41903b7d7c64a8f5f21781c730ef36273c4b5e64886212cb6696ab2502826088
Opcode Fuzzy Hash: 4275012548692d04ac906b5d7a63ab59788de7de78710f4831b239a1407e0ced
Instruction Fuzzy Hash: C1311C71D0025AAFDF11DFA4C8848EEBBB8BB09314F144668E6A5F7291C7359E41CB60

Function 01009A67 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01009A6E
CoQueryProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?), ref: 01009A9E
CoCopyProxy.OLE32(?,?,?,?,?,?,?,?,?,?,?,00000018), ref: 01009AB7
CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,?,?,00000000,00000800), ref: 01009AFB

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Proxy$Blanket$CopyH_prolog3Query
String ID:
API String ID: 3551063796-0
Opcode ID: 172314b953b9a7d1b148d2341d32dd89e29b9efacd5a817cc37285bc3b44fd09
Instruction ID: be921c3d7fc8882958cd527e8d6fef1735bd3a2ad65cb2cbc1e46acedd93088f
Opcode Fuzzy Hash: 172314b953b9a7d1b148d2341d32dd89e29b9efacd5a817cc37285bc3b44fd09
Instruction Fuzzy Hash: 5B312D7190015AAFDF11DFD4C8848EEBBB9BB08364F544668E6A5F72A1C7358E01CB60

Function 0100CEB6 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

?GetElement@NativeHWNDHost@DirectUI@@QAEPAVElement@2@XZ.UXCORE ref: 0100CED4
?StrToID@DirectUI@@YGGPB_W@Z.UXCORE(?,00000000), ref: 0100CEDC

Part of subcall function 0100C2F9: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.UXCORE(00000000,?,00000000,?,01012820,00000000,?,01012C67,00000000,?,01004488,?,00000009,Direct UI window,DUI Window Frame,00000001), ref: 0100C30C

?RMLoadCompoundString@@YGIIPA_WIKPB_W@Z.UXCORE(?,?,00000104,0000000F,00000000,00000000), ref: 0100CF07
?RMLoadString@@YGIIPA_WIKPB_W@Z.UXCORE(?,?,00000104,0000000F,00000000,00000000), ref: 0100CF0F

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Direct$Element@LoadString@@$CompoundDescendent@Element@2@FindHost@NativeV12@
String ID:
API String ID: 235335248-0
Opcode ID: 8987c8f1a83f541c045d08b56a6c6f6a1a15be3daeecaf62f12a828ff5882efe
Instruction ID: ad5c8f6db539d2950be04b08ad1a36d971ce72e0ce9874226a0ba5bcd37f306a
Opcode Fuzzy Hash: 8987c8f1a83f541c045d08b56a6c6f6a1a15be3daeecaf62f12a828ff5882efe
Instruction Fuzzy Hash: FA018471600119ABFB22EBA89908DFE77E8AB08304F1482A9F995D7181DA74DA058791

Function 010072FA Relevance: 6.0, APIs: 4, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01007301

Part of subcall function 01007241: __EH_prolog3.LIBCMT ref: 01007248
Part of subcall function 01007241: GetCurrentProcess.KERNEL32(00000008,?,00000010,01007323,?,?,00000004,010076E9,?), ref: 0100726C
Part of subcall function 01007241: OpenProcessToken.ADVAPI32(00000000), ref: 01007273
Part of subcall function 01007241: GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),00000000,00000000,?), ref: 01007292
Part of subcall function 01007241: GetTokenInformation.ADVAPI32(00000002,0000000A(TokenIntegrityLevel),00000000,?,?), ref: 010072B0
Part of subcall function 01007241: ??_V@YAXPAX@Z.MSVCR80(00000000,?,-%08x%08x,?,?), ref: 010072D3

CreateMutexW.KERNEL32(00000000,00000000,?,?,?,00000004,010076E9,?), ref: 01007343
GetLastError.KERNEL32 ref: 0100734F
CloseHandle.KERNEL32(00000000), ref: 0100735D

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Token$H_prolog3InformationProcess$CloseCreateCurrentErrorHandleLastMutexOpen
String ID:
API String ID: 2019100737-0
Opcode ID: 303ce21a44c0d8aebc3015fff0c757b230a7f6c70e55e9dc2f267ba040c18f33
Instruction ID: ae0a6d27d146b8f236d6626967311901c3c4471adb663e9ba840633361ef39d5
Opcode Fuzzy Hash: 303ce21a44c0d8aebc3015fff0c757b230a7f6c70e55e9dc2f267ba040c18f33
Instruction Fuzzy Hash: 8801F431900216ABEB13EBA0CC44BED3724BF20310F008415FAC5AA2C5CFB89A44CBA5

Function 0100C1EE Relevance: 6.0, APIs: 4, Instructions: 36windowthreadCOMMON

Download Yara Rule

APIs

?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.UXCORE ref: 0100C21D
PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 0100C233
GetCurrentThreadId.KERNEL32 ref: 0100C23D
PostThreadMessageW.USER32(00000000), ref: 0100C244

Part of subcall function 010049DE: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 010049F3

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Message$PostThread$CurrentD__@@DirectHost@NativeTrace
String ID:
API String ID: 3715929741-0
Opcode ID: b6d016e896c8c75157042b5b4444f27d541605c29e8083bd4ef0f24638bfe6ae
Instruction ID: ff4ca57f39e8e4e014842c23cb95a106e4c376755d47081b3510764b2937bba8
Opcode Fuzzy Hash: b6d016e896c8c75157042b5b4444f27d541605c29e8083bd4ef0f24638bfe6ae
Instruction Fuzzy Hash: 6CF0B431280240ABF7375B5AAE4CE573EA9EBD5752F064198F6C5C74D5CA79C400D720

Function 0100B339 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0100B41B
SysFreeString.OLEAUT32(00000000), ref: 0100B60C

Strings

W, xrefs: 0100B34F

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: FreeString
String ID: W
API String ID: 3341692771-655174618
Opcode ID: ddcb0aa506ad8cf4e00f3d258a11899f11b4f21955fd123008d8c1f1386de31b
Instruction ID: cb7ce2653f35779e91b58cf3547deb4d51cc3be3ba1d7766bdc9cb81a9597e04
Opcode Fuzzy Hash: ddcb0aa506ad8cf4e00f3d258a11899f11b4f21955fd123008d8c1f1386de31b
Instruction Fuzzy Hash: DC918C34200246EFFF679F69C944FAA7BA6FF04305F154498FA959B1A2C736DA10CB10

Function 010109AF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010109B6

Strings

Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 010109FB
URL, xrefs: 01010A31

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3
String ID: Software\Microsoft\Internet Explorer\SearchScopes$URL
API String ID: 431132790-2486629086
Opcode ID: 54afd7f4df248b2ffc78b6515565fb262a51a8e53f91164fa96bc0a2f1f73840
Instruction ID: 9c38dd2e8fadd8a17dd919fd0e821342de46d882e91d47f3a67dee6a598af425
Opcode Fuzzy Hash: 54afd7f4df248b2ffc78b6515565fb262a51a8e53f91164fa96bc0a2f1f73840
Instruction Fuzzy Hash: C3419371C0015FEEEF12EBA8C9809FEBB74AF24218F5442A8E5D1731D9DA790E84C761

Function 01008FEA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,?,00000004,NULL,0000000A,NULL,0000000A,?,00000004,00000000), ref: 010090A9

Strings

NULL, xrefs: 0100902D, 01009092, 01009094
<NULL>, xrefs: 0100903A, 0100907A

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: 7f61009d283e2e659d21aaae52fd51ddf810fde100197fec68c1275282cdf7b1
Instruction ID: 1bd824c114ff281ebb640d63e436bdaea86dad4de0134852e8fd86047675794b
Opcode Fuzzy Hash: 7f61009d283e2e659d21aaae52fd51ddf810fde100197fec68c1275282cdf7b1
Instruction Fuzzy Hash: DF218E7260020A9FFB139F08CC04BAB77A5EB84718F058155FACD9B1D2E775DA958780

Function 0100BF6D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,NULL,0000000A,?,00000004,00000000), ref: 0100C026

Strings

NULL, xrefs: 0100BFB0, 0100C015, 0100C017
<NULL>, xrefs: 0100BFBD, 0100BFFD

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: 3dabb59c0c737ac5d86dc2b061ef387e5db1db08990746514a7a3027db5af855
Instruction ID: 0a2519baf87128b75f511cef19ec07de9d536b0d010832b69b33b673ce49ba5c
Opcode Fuzzy Hash: 3dabb59c0c737ac5d86dc2b061ef387e5db1db08990746514a7a3027db5af855
Instruction Fuzzy Hash: 3721B33A60020B9AFB275E09C804BB677A5EF84710F158159FAC58B2D1E776DA91CB81

Function 01008E3D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,NULL,0000000A,00000000), ref: 01008EF0

Strings

NULL, xrefs: 01008E80, 01008EDF, 01008EE1
<NULL>, xrefs: 01008E8D, 01008ECD

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: 25287cbf3099a98601eb92512e40b54c5f3fcf20a72fa3fe7f59891d74479017
Instruction ID: 3e1f6e3ed8e97a7e0e0a9d76ee1d62a807deb9a7654bc221b2dccbd9d3a13181
Opcode Fuzzy Hash: 25287cbf3099a98601eb92512e40b54c5f3fcf20a72fa3fe7f59891d74479017
Instruction Fuzzy Hash: A0219F32E0028ADAFB275E0CCC04AB777A5FB80B50F04C056EAC54B2D0E7B4DE968780

Function 0101439E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0101415E: memset.MSVCR80 ref: 010141AE
Part of subcall function 0101415E: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 010141D9
Part of subcall function 0101415E: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000208), ref: 010141FD
Part of subcall function 0101415E: RegCloseKey.ADVAPI32(?), ref: 0101420B
Part of subcall function 0101415E: wcscat_s.MSVCR80 ref: 01014226
Part of subcall function 0101415E: LoadLibraryW.KERNEL32(?), ref: 0101424F

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 010143B9
FreeLibrary.KERNEL32(00000000), ref: 01014428

Strings

DllGetVersion, xrefs: 010143B3

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: Library$AddressCloseFreeLoadOpenProcQueryValuememsetwcscat_s
String ID: DllGetVersion
API String ID: 991360154-2861820592
Opcode ID: 994e11662d2aff298b4e85e6812ab885a5ba3e27a891f6aad952cc63365b3d27
Instruction ID: cfc15bdceb1a3b2f5e26467cd0a77b0ade2261a63c7bec05a53b44278c5f5d4f
Opcode Fuzzy Hash: 994e11662d2aff298b4e85e6812ab885a5ba3e27a891f6aad952cc63365b3d27
Instruction Fuzzy Hash: 8011EB32F80516ABDB56CFACD8005EF73B6FB80311B158078E982E7128DB78DD018790

Function 010108EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010108F1

Part of subcall function 0100C55B: RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 0100C584

Part of subcall function 0100653B: __EH_prolog3.LIBCMT ref: 01006542

Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,?), ref: 010106E0
Part of subcall function 010106BB: SHGetValueW.SHLWAPI(?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?), ref: 01010714
Part of subcall function 010106BB: ??_V@YAXPAX@Z.MSVCR80(?,?,00000000,00000000,?), ref: 01010730

Part of subcall function 01010838: __EH_prolog3.LIBCMT ref: 0101083F
Part of subcall function 01010838: _wcsicmp.MSVCR80 ref: 010108C2

Strings

Start Page, xrefs: 01010932
Software\Microsoft\Internet Explorer\Main, xrefs: 01010916

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: H_prolog3$Value$Create_wcsicmp
String ID: Software\Microsoft\Internet Explorer\Main$Start Page
API String ID: 1836341997-3913947842
Opcode ID: 52d59ec6db337541523abd7ad1308f1d8aadfef1d2fecfd2317ea0fac11e4637
Instruction ID: b4d91674ef57e47e30f6b6b160d0088a8d8e7d83e4a2c73a80cf8c836d60de57
Opcode Fuzzy Hash: 52d59ec6db337541523abd7ad1308f1d8aadfef1d2fecfd2317ea0fac11e4637
Instruction Fuzzy Hash: A3113B31D0015A9AFB12E7E8CD94EFFB6B4AF65310F500269E6D0B32C5DA740B40C7A1

Function 0100F992 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0100F999
SysFreeString.OLEAUT32(00000000), ref: 0100FA1B

Strings

Installing, xrefs: 0100F9F1

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: FreeH_prolog3String
String ID: Installing
API String ID: 3825424854-2923966484
Opcode ID: a1aff59e95e1722283882704d4d5f88d6e493d5c5d098211c6458711e85d0406
Instruction ID: c37afc953943eb2493726deb7c0a7b6d7a0f79b7df069bb5bd5c85a460289856
Opcode Fuzzy Hash: a1aff59e95e1722283882704d4d5f88d6e493d5c5d098211c6458711e85d0406
Instruction Fuzzy Hash: 3011A571900207DFEB23EF68D8805EDB761BF95200F15847EE5C5AB2C1CB798A86EB51

Function 01012CF6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,00000008,00000004,?,00000004,00000000,?,01013482,6C744143,65637845), ref: 01012D5E

Strings

NULL, xrefs: 01012D3B
<NULL>, xrefs: 01012D34, 01012D4F

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: 1980b0b96b6713913cded659485a73495f8bb9013d15c650f2be3d607f3d296b
Instruction ID: 47febf38fc3df86a124bde3ab8ce4f5bbda223d54ad5add3293d6fd8b0bea2b9
Opcode Fuzzy Hash: 1980b0b96b6713913cded659485a73495f8bb9013d15c650f2be3d607f3d296b
Instruction Fuzzy Hash: 7B01A27260020AEBFB16BE48CC05FB73765EB94700F64C055FA855B1E9E7B8EA9083C1

Function 01008F04 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,?,00000004,00000000), ref: 01008F66

Strings

NULL, xrefs: 01008F49, 01008F57
<NULL>, xrefs: 01008F42

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: 8939b155df5251d13cbd5006e5e94e9137ab6b9bcc9f1b520cb0581d12cf794a
Instruction ID: 80b859377621651450f1c79f4c8cd24ec91a27224500144c5756cc1ca6af00b1
Opcode Fuzzy Hash: 8939b155df5251d13cbd5006e5e94e9137ab6b9bcc9f1b520cb0581d12cf794a
Instruction Fuzzy Hash: 35016232A4020AAAFB175E18CC15FB7376BFB94750F04C05AFB855A1D5D7B0DA918781

Function 01008F77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,?,00000004,NULL,0000000A,00000000), ref: 01008FD9

Strings

NULL, xrefs: 01008FBC, 01008FC4
<NULL>, xrefs: 01008FB5

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: c7d6071a655c78495c48a96bf2576d9743c2710dbb788e9cb8cd38e5e491f908
Instruction ID: cc904351b8ef249ffd39a5b3e5007a4b42529226bea6dfb454dc9441b02c85b6
Opcode Fuzzy Hash: c7d6071a655c78495c48a96bf2576d9743c2710dbb788e9cb8cd38e5e491f908
Instruction Fuzzy Hash: 08016D72A4020AAAFB175E18CC01FB7376BFB84710F14C45AFB859B5D1D7B1DAA18781

Function 01006C01 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,00000000), ref: 01006C5D

Strings

NULL, xrefs: 01006C46, 01006C4E
<NULL>, xrefs: 01006C3F

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: f3164116c202b094245bbc3fcf89ef5ca1fb80c82b3ebc915f3e450abbff13c8
Instruction ID: a1a337fd346edefb4187ada91714bd135d0cfade865ca6000f32359662baf7d6
Opcode Fuzzy Hash: f3164116c202b094245bbc3fcf89ef5ca1fb80c82b3ebc915f3e450abbff13c8
Instruction Fuzzy Hash: 00F0A431A0020EAAFF175E088C11FB73767EB96700F04C051FAC65A1D1DB72DBA18780

Function 010063ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 010063F4
??2@YAPAXI@Z.MSVCR80(00000010,00000004,010066DE,?,?), ref: 0100641E

Strings

W, xrefs: 01006451

Memory Dump Source

Source File: 0000000D.00000002.1711926676.0000000001001000.00000020.00000001.01000000.00000004.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000D.00000002.1711893677.0000000001000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1711971113.000000000101A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000D.00000002.1712011572.000000000101B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_Dashboard.jbxd

Similarity

API ID: ??2@H_prolog3
String ID: W
API String ID: 1489479240-655174618
Opcode ID: 82752f92a90d20f1163ca764032c228d2ba1203ee7b64816ff18d370978619e8
Instruction ID: c52d2d7e637f1112538b85616935d98d4c50e68216f8356b20c1082d18deca0a
Opcode Fuzzy Hash: 82752f92a90d20f1163ca764032c228d2ba1203ee7b64816ff18d370978619e8
Instruction Fuzzy Hash: A70192B190020AAFEB12DF59C4809ECBBA2BF04220F85C56ED1999F2C1CB358605CF51

Analysis Process: Dashboard.exePID: 1908, Parent PID: 5756COMMON

Non-executed Functions

Function 7038FBA1 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 703903F4
_crt_debugger_hook.MSVCR80(00000001), ref: 70390401
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 70390409
UnhandledExceptionFilter.KERNEL32(7030C15C), ref: 70390414
_crt_debugger_hook.MSVCR80(00000001), ref: 70390425
GetCurrentProcess.KERNEL32(C0000409), ref: 70390430
TerminateProcess.KERNEL32(00000000), ref: 70390437

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: d76168e55cde50843097b74e69ac2243648ccb328c7da457f17ee0a7972f6fe6
Instruction ID: a04e281d324d5fb59acc84f85d0663863b9f1b86575d00931577e31cd7876d50
Opcode Fuzzy Hash: d76168e55cde50843097b74e69ac2243648ccb328c7da457f17ee0a7972f6fe6
Instruction Fuzzy Hash: 4A21BEB6811204DFC705DF6ACC88F883BBDFB28304F60591AE509D63A4E7B059849F55

Function 7033C64F Relevance: 24.4, APIs: 16, Instructions: 442COMMON

Download Yara Rule

APIs

?GetSheetDependencies@PropertySheetW@DirectUI@@QAEXPAVElement@2@PBUPropertyInfo@2@PAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 7033C693

Part of subcall function 70344107: ?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,7033C698,?,?,00000000,00000000,00000000,00000000,00000000), ref: 70344155

?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000003,00000000,00000000,00000000,00000000), ref: 7033C6F3
?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 7033C753
?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000002,00000000,00000000,00000000,?,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 7033C767
?GetSheetScope@PropertySheetW@DirectUI@@QAEXPAVElement@2@PAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 7033C7EF
?GetSheetScope@PropertySheetW@DirectUI@@QAEXPAVElement@2@PAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 7033C80C
?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000000,00000002,00000000,00000000,00000000), ref: 7033C845
?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 7033C8A5
?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(00000000,?,00000002,00000000,00000000,00000000), ref: 7033C927
?_AddDependency@Element@DirectUI@@SGXPAV12@PBUPropertyInfo@2@HPAUDepRecs@2@PAVDeferCycle@2@PAJ@Z.UXCORE(?,?,00000002,00000000,?,00000000), ref: 7033CB17

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Property$Cycle@2@DeferDirectRecs@2@$Info@2@$Dependency@Element@V12@$Sheet$Element@2@$Scope@$Dependencies@
String ID:
API String ID: 2226873572-0
Opcode ID: ff38139056d674bc46f3819e4122404b5cf397f27a40d820aca519acd33abc65
Instruction ID: 758b748bfc4c92716fadbe156d8c121296e49ed885cd803503bcbdc1e91472bc
Opcode Fuzzy Hash: ff38139056d674bc46f3819e4122404b5cf397f27a40d820aca519acd33abc65
Instruction Fuzzy Hash: 7CF16735610209AFEB05CF54C9D5FAEB7B9EF49310F918159F90A8B291DB30EE51CBA0

Function 70314C38 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 234registrycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(7030C174,00000000,00000001,70301D64,?,?,7030C194,?,00000000), ref: 70314C91
StringFromGUID2.OLE32(?,?,00000040,703C177C), ref: 70314CD6
wcscpy_s.MSVCR80 ref: 70314CFA

Part of subcall function 703145D1: wcscat_s.MSVCR80 ref: 703145DF

wcscat_s.MSVCR80 ref: 70314D2A

Part of subcall function 703146C1: RegOpenKeyExW.ADVAPI32(00020019,?,00000000,80000000,00000000,00000080,?,?,70314D68,80000000,?,00020019), ref: 703146DD

RegDeleteKeyW.ADVAPI32(80000000,?), ref: 70314DB2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019,00000000), ref: 70314D83

Part of subcall function 703146A3: RegCloseKey.ADVAPI32(?,?,703146EE,?,70314D68,80000000,?,00020019), ref: 703146B1

wcscpy_s.MSVCR80 ref: 70314DC5
wcscat_s.MSVCR80 ref: 70314DF5
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019,00000000), ref: 70314E37
RegDeleteKeyW.ADVAPI32(80000000,?), ref: 70314E5E

Strings

\Implemented Categories, xrefs: 70314DE8
\Required Categories, xrefs: 70314D1D
CLSID\, xrefs: 70314CE2, 70314DB8

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: wcscat_s$DeleteInfoQuerywcscpy_s$CloseCreateFromInstanceOpenString
String ID: CLSID\$\Implemented Categories$\Required Categories
API String ID: 309610489-4092563799
Opcode ID: 58533cfb9a2c5b3f5202baede36ab41b87519068f095dadfb58ee4ced8294cad
Instruction ID: d230ee11175a50dc64d03e412f322ef798091870be1011716a7502f8781a87ce
Opcode Fuzzy Hash: 58533cfb9a2c5b3f5202baede36ab41b87519068f095dadfb58ee4ced8294cad
Instruction Fuzzy Hash: ED812D71901619AFEB259F55CC94ADEB7BEAF0A304F1000E9F649AA110FB709EC5CF61

Function 70319120 Relevance: 20.4, APIs: 16, Instructions: 410COMMON

Download Yara Rule

APIs

memmove.MSVCR80(?,?,00000000), ref: 7031920A
memset.MSVCR80 ref: 70319214
memset.MSVCR80 ref: 70319225
memset.MSVCR80 ref: 7031923A
memset.MSVCR80 ref: 70319258
memmove.MSVCR80(?,?,00000000), ref: 7031933E
memset.MSVCR80 ref: 70319348
memset.MSVCR80 ref: 70319359
memmove.MSVCR80(?,?,?), ref: 70319380
memset.MSVCR80 ref: 7031938A
memset.MSVCR80 ref: 7031939B
memmove.MSVCR80(?,FFFFFFFF,?), ref: 703193C2
memset.MSVCR80 ref: 703193CC
memset.MSVCR80 ref: 703193DD
memset.MSVCR80 ref: 703193F5
memset.MSVCR80 ref: 7031941C

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset$memmove
String ID:
API String ID: 3527438329-0
Opcode ID: 0b32f18372dd949814b821afb4eb554ca51af11651182e482c237f23e2752b70
Instruction ID: fc0c03228d81b74f921203b67b97511bbbd69b7f8a6d5ebf9733e43b883077fe
Opcode Fuzzy Hash: 0b32f18372dd949814b821afb4eb554ca51af11651182e482c237f23e2752b70
Instruction Fuzzy Hash: E9E1D872E0025AAFCF05CFB8CC85ADEBBB6AF49600F158559F845E7345D630AD46CBA0

Function 70318CE0 Relevance: 20.4, APIs: 16, Instructions: 410COMMON

Download Yara Rule

APIs

memmove.MSVCR80(?,?,00000000), ref: 70318DCA
memset.MSVCR80 ref: 70318DD4
memset.MSVCR80 ref: 70318DE5
memset.MSVCR80 ref: 70318DFA
memset.MSVCR80 ref: 70318E18
memmove.MSVCR80(?,?,00000000), ref: 70318EFE
memset.MSVCR80 ref: 70318F08
memset.MSVCR80 ref: 70318F19
memmove.MSVCR80(?,?,?), ref: 70318F40
memset.MSVCR80 ref: 70318F4A
memset.MSVCR80 ref: 70318F5B
memmove.MSVCR80(?,FFFFFFFF,?), ref: 70318F82
memset.MSVCR80 ref: 70318F8C
memset.MSVCR80 ref: 70318F9D
memset.MSVCR80 ref: 70318FB5
memset.MSVCR80 ref: 70318FDC

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset$memmove
String ID:
API String ID: 3527438329-0
Opcode ID: 88a1d63c468b20078c29103663dfc6fcef05e920f0a0958b339107b8aee4725b
Instruction ID: a7c67c73367580dd4e9f3711b988ddcb7d051f23037c6c2b9822a18c29fb53fc
Opcode Fuzzy Hash: 88a1d63c468b20078c29103663dfc6fcef05e920f0a0958b339107b8aee4725b
Instruction Fuzzy Hash: BEE1D572E0025B9FCF05CFB8CC95AEEBBB6AF48600F158559F844A7344D631AD46CBA1

Function 70317600 Relevance: 13.6, APIs: 9, Instructions: 150COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000000E), ref: 70317664
CreateCompatibleDC.GDI32(?), ref: 703176AF
SelectObject.GDI32(00000000), ref: 703176C8
SetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 703176DF
SelectObject.GDI32(00000000,00000000), ref: 703176EB
DeleteDC.GDI32(00000000), ref: 703176EE
GetDeviceCaps.GDI32(?,0000000C), ref: 7031766B

Part of subcall function 70315ADF: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 70315B06
Part of subcall function 70315ADF: GetDIBits.GDI32(?,?,00000000,00000001,00000000,?,00000000), ref: 70315B40
Part of subcall function 70315ADF: GetDIBits.GDI32(?,?,00000000,00000001,00000000,?,00000000), ref: 70315B67
Part of subcall function 70315ADF: DeleteObject.GDI32(?), ref: 70315BB5

CreateDIBSection.GDI32(00000060,?,00000000,?,00000000,00000000), ref: 70317765
DeleteObject.GDI32(00000000), ref: 70317778

Part of subcall function 70336770: TlsGetValue.KERNEL32(FFFFFFFF,?,70317635), ref: 7033677E
Part of subcall function 70336770: TlsSetValue.KERNEL32(00000000,?,70317635), ref: 703367AC

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Object$CreateDelete$BitsCapsCompatibleDeviceSelectValue$BitmapColorSectionTable
String ID:
API String ID: 3921767866-0
Opcode ID: 594a39c16cc6da78f6cd78a231d5c87281ee917f2e04f3b84b4dccb4b2da1b06
Instruction ID: f618dc2cfcdd92e2532f0315b65c7f9cd0a423c6c9128e4eee7eda09de79d151
Opcode Fuzzy Hash: 594a39c16cc6da78f6cd78a231d5c87281ee917f2e04f3b84b4dccb4b2da1b06
Instruction Fuzzy Hash: 0251BF72600B46AFDB15CF2DCC84BAF7BB9AF49311F154059E9469B241E770EC85CBA0

Function 703499EB Relevance: 13.6, APIs: 9, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF), ref: 70349A0B

Part of subcall function 70336A33: HeapAlloc.KERNEL32(00000008,?,?,7034AB42,00000054,?,7034B007,?,?,?,70313B19,00000003,?), ref: 70336A43

TlsSetValue.KERNEL32(00000000,0000001C), ref: 70349A41
?Create@SBAlloc@DirectUI@@SGJIIPAUISBLeak@2@PAPAV12@@Z.UXCORE(0000001C,00000030,00000000,00000008), ref: 70349A50
?Create@FontCache@DirectUI@@SGJIPAPAV12@@Z.UXCORE(00000008,00000010,0000000C,0000001C,00000030,00000000,00000008), ref: 70349A70
InitGadgets.UXCORE(00000014,00000008,00000010,0000000C,0000001C,00000030,00000000,00000008), ref: 70349AB6
GetLastError.KERNEL32(00000014,00000008,00000010,0000000C,0000001C,00000030,00000000,00000008), ref: 70349AC5
?Destroy@SBAlloc@DirectUI@@QAEXXZ.UXCORE(0000001C,00000030,00000000,00000008), ref: 70349AD8
DeleteHandle.UXCORE(?,0000001C,00000030,00000000,00000008), ref: 70349AF1
TlsSetValue.KERNEL32(00000000,00000000,0000001C,00000030,00000000,00000008), ref: 70349B03

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DirectValue$Alloc@Create@V12@@$AllocCache@DeleteDestroy@ErrorFontGadgetsHandleHeapInitLastLeak@2@
String ID:
API String ID: 2277003108-0
Opcode ID: 1d7c33112523a93564db3c5a9e7d2274e0d92d74c7c4666bb903ea1782002648
Instruction ID: a0f888c5e66a44ec15f9a2557317d1d64578fa3c5d7c09c05a8ba186d4962939
Opcode Fuzzy Hash: 1d7c33112523a93564db3c5a9e7d2274e0d92d74c7c4666bb903ea1782002648
Instruction Fuzzy Hash: C431AF765002459FCB109FB9C8C4E6EB6FDEB44250B26593FF153EF240E634A9468761

Function 70314820 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142memorystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 70314886

Part of subcall function 7031465C: GetLastError.KERNEL32(70314897), ref: 7031465C

CharNextW.USER32(?), ref: 703148E2
lstrlenW.KERNEL32(00000000), ref: 70314911
LoadTypeLib.OLEAUT32(?,?), ref: 70314963
LoadTypeLib.OLEAUT32(?,?), ref: 703149B9
SysAllocString.OLEAUT32(?), ref: 703149D2

Strings

.tlb, xrefs: 70314971

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: LoadType$AllocCharErrorFileLastModuleNameNextStringlstrlen
String ID: .tlb
API String ID: 3420921355-1487266626
Opcode ID: ee7199d51cf3637877cea176e45eb16f035c503db88f4846a26bae2199b08b17
Instruction ID: 2d977e69b61f5da43d38c1decc2b0aca3f252277e526e6eb4f230194e284a599
Opcode Fuzzy Hash: ee7199d51cf3637877cea176e45eb16f035c503db88f4846a26bae2199b08b17
Instruction Fuzzy Hash: 9C51A872D0166B9BDB15DF65DC9469E77B9AF0C710F1101A9E80AA7210F7B49EC0CB90

Function 7038B67E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

?StartDefer@Element@DirectUI@@SGXXZ.UXCORE(00000000,?,?,?,7038C160,00000000,?,00000200,?,?,?,?,7031541A,?,?), ref: 7038B6AD
?Included@ItemRange@@QBE_NJ@Z.UXCORE(00000200,?,?,?,?,?,7038C160,00000000,?,00000200,?,?,?,?,7031541A,?), ref: 7038B6FA
?Clear@ItemRange@@QAEXXZ.UXCORE(?,?,?,?,?,7038C160,00000000,?,00000200,?,?,?,?,7031541A,?,?), ref: 7038B752
?Clear@ItemRange@@QAEXXZ.UXCORE(?,?,?,?,?,7038C160,00000000,?,00000200,?,?,?,?,7031541A,?,?), ref: 7038B76B
?Include@ItemRange@@QAEXJJ@Z.UXCORE(00000200,00000200,?,?,?,?,?,7038C160,00000000,?,00000200,?,?,?,?,7031541A), ref: 7038B77A
?EndDefer@Element@DirectUI@@SGXXZ.UXCORE(?,?,?,7038C160,00000000,?,00000200,?,?,?,?,7031541A,?,?), ref: 7038B7C5

Part of subcall function 7037CF5E: memset.MSVCR80 ref: 7037CF70
Part of subcall function 7037CF5E: TraceEvent.ADVAPI32(00000100,?,00000038), ref: 7037CFA9

Strings

, xrefs: 7038B796

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ItemRange@@$Clear@Defer@DirectElement@$EventInclude@Included@StartTracememset
String ID:
API String ID: 1596628032-3916222277
Opcode ID: 034c3debe145172b63e2b77b03006c090e031d614ed82c0dc30bae48b0151157
Instruction ID: 7ffbd2c86ca3c65147f46d245164040f005d51e2a908bc68016f10a6e1aa2e50
Opcode Fuzzy Hash: 034c3debe145172b63e2b77b03006c090e031d614ed82c0dc30bae48b0151157
Instruction Fuzzy Hash: 1D41B570600306AFEB15CF25C985BAE77AAAFC4304F51849DF84B9B2C2DB75AD068771

Function 70331060 Relevance: 11.0, APIs: 6, Strings: 1, Instructions: 458COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 70331131
malloc.MSVCR80 ref: 703312B6
malloc.MSVCR80 ref: 703312E9
malloc.MSVCR80 ref: 7033131C
malloc.MSVCR80 ref: 7033134F

Part of subcall function 70318CE0: memmove.MSVCR80(?,?,00000000), ref: 70318DCA
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DD4
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DFA

memset.MSVCR80 ref: 703314F7

Strings

l, xrefs: 7033114C

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemset$memmove
String ID: l
API String ID: 3492948549-2517025534
Opcode ID: 681485e980c602ae4a574baa75d277769d0b2a8956ebeab28e511ed2ee02ac60
Instruction ID: 9f4e82b07b99e9e7edaa48adfc201903490a71f8431e668471f3cf4909a03ede
Opcode Fuzzy Hash: 681485e980c602ae4a574baa75d277769d0b2a8956ebeab28e511ed2ee02ac60
Instruction Fuzzy Hash: 97024975E002599FDF14CFA8C881AEEBBB5FF48314F148269E915EB345D734A942CBA0

Function 703315B0 Relevance: 11.0, APIs: 6, Strings: 1, Instructions: 458COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 70331681
malloc.MSVCR80 ref: 70331806
malloc.MSVCR80 ref: 70331839
malloc.MSVCR80 ref: 7033186C
malloc.MSVCR80 ref: 7033189F

Part of subcall function 70319120: memmove.MSVCR80(?,?,00000000), ref: 7031920A
Part of subcall function 70319120: memset.MSVCR80 ref: 70319214
Part of subcall function 70319120: memset.MSVCR80 ref: 7031923A

memset.MSVCR80 ref: 70331A47

Strings

l, xrefs: 7033169C

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemset$memmove
String ID: l
API String ID: 3492948549-2517025534
Opcode ID: 0b050b141a888601beba62693c38b5e6d31031bb4685167c8a97e122301dd076
Instruction ID: fe7dd419bc28fe704fb62aa4498de81bd4cd8ae0d5b5c9e283904134ca620d8f
Opcode Fuzzy Hash: 0b050b141a888601beba62693c38b5e6d31031bb4685167c8a97e122301dd076
Instruction Fuzzy Hash: 59024C71E002499FDF14CFA9C981AEEBBB5FF48314F148269E915EB345D734A942CBA0

Function 7031B320 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 437COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031B37C
memset.MSVCR80 ref: 7031B5C4

Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 7031705D
Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 70317077

Strings

l, xrefs: 7031B394

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset
String ID: l
API String ID: 2221118986-2517025534
Opcode ID: 2ba60852916c140167e39e9d209f6eff9e3b4448a897a7e5c1e7a1095f32f6d9
Instruction ID: 5f77202e6cc56332dab34c056f96d4b7f7a0fc07c8a63f1f0978db4272b8c09e
Opcode Fuzzy Hash: 2ba60852916c140167e39e9d209f6eff9e3b4448a897a7e5c1e7a1095f32f6d9
Instruction Fuzzy Hash: 7002D8B5A0061A9FCB04CF99D980ADEBBB9FF8C314F158259F915A7354D730AD41CBA0

Function 7031B7E0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 437COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031B83C
memset.MSVCR80 ref: 7031BA84

Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 7031705D
Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 70317077

Strings

l, xrefs: 7031B854

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset
String ID: l
API String ID: 2221118986-2517025534
Opcode ID: a259903c7a70bb3afd632f4a3015574e761deb3fc93f1dce26126d20da91736b
Instruction ID: 92e85781679eb439c9668e2d0f331095cb0205c87eba404b3f8a195b101cb3fc
Opcode Fuzzy Hash: a259903c7a70bb3afd632f4a3015574e761deb3fc93f1dce26126d20da91736b
Instruction Fuzzy Hash: AE02D9B5A006199FCB04CF99D980ADEBBB9FF8C314F158259F915A7354D730AD42CBA0

Function 703773A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 703773E0

Strings

W, xrefs: 70377501

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Value
String ID: W
API String ID: 3702945584-655174618
Opcode ID: 2487d05c7ff6d3b9e8edbce2f29aad4fce68a7844ad514e8a79db8bd97a8feff
Instruction ID: 66fa9d90e23f6305180c634f406463f51c13f1360e9a87f27ff7d5556f3288b6
Opcode Fuzzy Hash: 2487d05c7ff6d3b9e8edbce2f29aad4fce68a7844ad514e8a79db8bd97a8feff
Instruction Fuzzy Hash: D871A271900209DFCB02CF66C8C4BAD7BB9FB45323F21E16EE8469A254E7789A41DF51

Function 7038B01F Relevance: 9.4, APIs: 6, Instructions: 407COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 7038B026
??3@YAXPAX@Z.MSVCR80(?,?,?), ref: 7038B2C9

Part of subcall function 70315AAB: malloc.MSVCR80 ref: 70315ABF

??3@YAXPAX@Z.MSVCR80(00000000,?), ref: 7038B29D
?_SetChildren@Element@DirectUI@@IAEJIPAV?$DynamicArray@PAVElement@DirectUI@@@2@@Z.UXCORE(00000001,?,?,00000200,00000000,00000000,?), ref: 7038B421
?Destroy@Element@DirectUI@@QAEJ_N@Z.UXCORE(00000001,?,?,00000200,00000000,00000000,?), ref: 7038B445
?_UpdateDesiredSize@Element@DirectUI@@QAE?AUtagSIZE@@HHPAVSurface@2@@Z.UXCORE(000000FF,00000200,7FFFFFFF,00000001,00000000,?,00000000,?), ref: 7038B1E0

Part of subcall function 7037CF5E: memset.MSVCR80 ref: 7037CF70
Part of subcall function 7037CF5E: TraceEvent.ADVAPI32(00000100,?,00000038), ref: 7037CFA9

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DirectElement@$??3@$Array@Children@DesiredDestroy@DynamicEventH_prolog3I@@@2@@Size@Surface@2@@TraceUpdateUtagmallocmemset
String ID:
API String ID: 2536493592-0
Opcode ID: e34db16b6e9a3a65eac791adec5c5844365be2d83ccdd68e46398bbf2d9bdd4f
Instruction ID: b57c7833d1ae38bf3752f6bdd56487f7584f86c25159247dd490275136588192
Opcode Fuzzy Hash: e34db16b6e9a3a65eac791adec5c5844365be2d83ccdd68e46398bbf2d9bdd4f
Instruction Fuzzy Hash: C6F16B70A00606DFCB09CF64C995AAEB7FABF48314F2149ADE8569B291D770FD41CB60

Function 7032FA80 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7032FB42
malloc.MSVCR80 ref: 7032FC3E
malloc.MSVCR80 ref: 7032FC6E
malloc.MSVCR80 ref: 7032FC9E
malloc.MSVCR80 ref: 7032FCD9

Part of subcall function 70319120: memmove.MSVCR80(?,?,00000000), ref: 7031920A
Part of subcall function 70319120: memset.MSVCR80 ref: 70319214
Part of subcall function 70319120: memset.MSVCR80 ref: 7031923A

Strings

l, xrefs: 7032FB5D

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc$memset$memmove
String ID: l
API String ID: 340050886-2517025534
Opcode ID: 8fdb87bea2ecf98771fccf7656349a88c6313b1a26a6578bd5e39897cddf276d
Instruction ID: f1f4e9462f3dddb5ced0811603fb805449c9d2985f1b736899d7b1dcad027fed
Opcode Fuzzy Hash: 8fdb87bea2ecf98771fccf7656349a88c6313b1a26a6578bd5e39897cddf276d
Instruction Fuzzy Hash: 4CE13275E002099FDB05CFA8D881AEEBBB6FF89310F158169E905AB355D734B941CFA0

Function 7032F620 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7032F6E2
malloc.MSVCR80 ref: 7032F7DE
malloc.MSVCR80 ref: 7032F80E
malloc.MSVCR80 ref: 7032F83E
malloc.MSVCR80 ref: 7032F879

Part of subcall function 70318CE0: memmove.MSVCR80(?,?,00000000), ref: 70318DCA
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DD4
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DFA

Strings

l, xrefs: 7032F6FD

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc$memset$memmove
String ID: l
API String ID: 340050886-2517025534
Opcode ID: 35ea781780fe4b55121948190cae4fa92f8beabd6ebbe7e761a5f53238c89c64
Instruction ID: 78b59b3e6d7cf1c3124d6ebc772476153c250332b500ea73d404b9148e2dbc6a
Opcode Fuzzy Hash: 35ea781780fe4b55121948190cae4fa92f8beabd6ebbe7e761a5f53238c89c64
Instruction Fuzzy Hash: 7BE12275E002099FDB04CF98D881EEEBBB6FF89310F158169E919AB345D734A941CFA1

Function 70330340 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 70330401
malloc.MSVCR80 ref: 70330509
malloc.MSVCR80 ref: 70330539
malloc.MSVCR80 ref: 70330569
malloc.MSVCR80 ref: 70330599

Part of subcall function 70319120: memmove.MSVCR80(?,?,00000000), ref: 7031920A
Part of subcall function 70319120: memset.MSVCR80 ref: 70319214
Part of subcall function 70319120: memset.MSVCR80 ref: 7031923A

Strings

l, xrefs: 7033041F

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc$memset$memmove
String ID: l
API String ID: 340050886-2517025534
Opcode ID: 8c6cce7c3f4d32e2fe9df9ebdfdd2e1b99a4bebd82d9d90b8d60e6efeeff8f01
Instruction ID: bfd9430ab654ebacc8e608d6c8e89153f21c3a4230b8cc86ad69ca49f4f94899
Opcode Fuzzy Hash: 8c6cce7c3f4d32e2fe9df9ebdfdd2e1b99a4bebd82d9d90b8d60e6efeeff8f01
Instruction Fuzzy Hash: CAE12875E002099FDB04CFA8C991AEEFBB6FF48310F158169E919AB345D734A941CFA0

Function 70330C00 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 70330CC1
malloc.MSVCR80 ref: 70330DC9
malloc.MSVCR80 ref: 70330DF9
malloc.MSVCR80 ref: 70330E29
malloc.MSVCR80 ref: 70330E59

Part of subcall function 70319120: memmove.MSVCR80(?,?,00000000), ref: 7031920A
Part of subcall function 70319120: memset.MSVCR80 ref: 70319214
Part of subcall function 70319120: memset.MSVCR80 ref: 7031923A

Strings

l, xrefs: 70330CDF

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc$memset$memmove
String ID: l
API String ID: 340050886-2517025534
Opcode ID: 4fa78f9b59b89942d6fb8d896054c59ca8781c67967d67381d445cbd34a6f16e
Instruction ID: 234c8a4827dda4976b0d2d8d3014c7d361e4db3e3eee968f6f3b089d21c80809
Opcode Fuzzy Hash: 4fa78f9b59b89942d6fb8d896054c59ca8781c67967d67381d445cbd34a6f16e
Instruction Fuzzy Hash: 50E13A71E006499FDB04CFA8C991ADEFBB6FF48300F158169F919AB345D734A941CBA0

Function 7032FEE0 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7032FFA1
malloc.MSVCR80 ref: 703300A9
malloc.MSVCR80 ref: 703300D9
malloc.MSVCR80 ref: 70330109
malloc.MSVCR80 ref: 70330139

Part of subcall function 70318CE0: memmove.MSVCR80(?,?,00000000), ref: 70318DCA
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DD4
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DFA

Strings

l, xrefs: 7032FFBF

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc$memset$memmove
String ID: l
API String ID: 340050886-2517025534
Opcode ID: cf6d4091effaa0aa2eabbc3abd0c58e57df8c77e1e5a54a03a9debe4b8705e85
Instruction ID: 016b3fcdeff07b1c596cc3479d2f9fc0e1c92157a0ba113dde81a51add144493
Opcode Fuzzy Hash: cf6d4091effaa0aa2eabbc3abd0c58e57df8c77e1e5a54a03a9debe4b8705e85
Instruction Fuzzy Hash: E1E14A75E00209AFDB04CFA9C991ADEFBB6FF48314F158169E919EB341D734A941CBA0

Function 703307A0 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 70330861
malloc.MSVCR80 ref: 70330969
malloc.MSVCR80 ref: 70330999
malloc.MSVCR80 ref: 703309C9
malloc.MSVCR80 ref: 703309F9

Part of subcall function 70318CE0: memmove.MSVCR80(?,?,00000000), ref: 70318DCA
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DD4
Part of subcall function 70318CE0: memset.MSVCR80 ref: 70318DFA

Strings

l, xrefs: 7033087F

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc$memset$memmove
String ID: l
API String ID: 340050886-2517025534
Opcode ID: 2970ce81a56e4301363a25018c445a367c83f3dade2e9c335766eaacb51c0068
Instruction ID: 35ce63885f645da92235ef62bfb0b1d4b0c0b0c68c31de40a324b55da5bb7729
Opcode Fuzzy Hash: 2970ce81a56e4301363a25018c445a367c83f3dade2e9c335766eaacb51c0068
Instruction Fuzzy Hash: 19E13871E00209AFDB04CFA8C891ADEFBB6FF48304F158169E919EB355D734A941CBA0

Function 70314AFF Relevance: 9.1, APIs: 6, Instructions: 97stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 70314820: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 70314886

SysStringLen.OLEAUT32(?), ref: 70314B50

Part of subcall function 703145AA: wcsncpy_s.MSVCR80 ref: 703145BB

lstrlenW.KERNEL32(?), ref: 70314B86
lstrlenW.KERNEL32(00000000), ref: 70314B8B
CharNextW.USER32(?), ref: 70314BB9
RegisterTypeLib.OLEAUT32(?,?,?), ref: 70314BFC
SysFreeString.OLEAUT32(?), ref: 70314C1A

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Stringlstrlen$CharFileFreeModuleNameNextRegisterTypewcsncpy_s
String ID:
API String ID: 161417994-0
Opcode ID: 1ed86cf458dd15e7fb5a0280387974438773bacfba5810c81ebb18c302baf8de
Instruction ID: 75041ee4f817d56e869bfea837854960fcf8065b927f11ed8566354db36a315a
Opcode Fuzzy Hash: 1ed86cf458dd15e7fb5a0280387974438773bacfba5810c81ebb18c302baf8de
Instruction Fuzzy Hash: DC31947290011D9FDB24EB65CC88ADEB7B9FB58300F5185E9E91AD7250F6709D81CB90

Function 70349B15 Relevance: 9.0, APIs: 6, Instructions: 37COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF,?,7031549D,00000002,00000001), ref: 70349B27

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 99bef39afda7e9f977a486098468e5585cfd937b94fe0e007489d2d8d01172b4
Instruction ID: a12da333bb19f7fe6a89b07bb9548b19001d1e35e1eb51d9bc5df56a369367e0
Opcode Fuzzy Hash: 99bef39afda7e9f977a486098468e5585cfd937b94fe0e007489d2d8d01172b4
Instruction Fuzzy Hash: 75F02835001A01DFD7219B34FC84B1EB6EAEF00324F128A1AF4578E5B0CB35BC85C640

Function 7031C8A0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031C8F8
memset.MSVCR80 ref: 7031CAC2
??_V@YAXPAX@Z.MSVCR80(00000000), ref: 7031CB21
??_V@YAXPAX@Z.MSVCR80(?), ref: 7031CB41

Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 7031705D
Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 70317077

Strings

l, xrefs: 7031C910

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset
String ID: l
API String ID: 2221118986-2517025534
Opcode ID: 36c574c0ab8fe87dceba16d236693986684ffe57f87807fe530e7c263aed2207
Instruction ID: 30a5f3b68bb6d7965ab386919563795ecc0cc8e2c2b583df5712af72c5f50252
Opcode Fuzzy Hash: 36c574c0ab8fe87dceba16d236693986684ffe57f87807fe530e7c263aed2207
Instruction Fuzzy Hash: D2A1FBB5E006099FCB04CF99D981ADEB7B9FF8C314F148269E919A7344D735AD41CBA0

Function 7031CB70 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031CBC8
memset.MSVCR80 ref: 7031CD92
??_V@YAXPAX@Z.MSVCR80(00000000), ref: 7031CDF1
??_V@YAXPAX@Z.MSVCR80(?), ref: 7031CE11

Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 7031705D
Part of subcall function 70317050: ??_V@YAXPAX@Z.MSVCR80(?,?,7031B3B3), ref: 70317077

Strings

l, xrefs: 7031CBE0

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset
String ID: l
API String ID: 2221118986-2517025534
Opcode ID: d9279f0070e27cae04400319772f1e9312bfc9a10fd0fe404ae6b1043dd73d83
Instruction ID: f51a3aa75659d8fd391ce934fb6b8901e4a22fec3dfe1554fa07e59f4df7f1f4
Opcode Fuzzy Hash: d9279f0070e27cae04400319772f1e9312bfc9a10fd0fe404ae6b1043dd73d83
Instruction Fuzzy Hash: 75A11CB6E006099FCB04CF99D980ADEB7B9FF8C314F148269E919A7340D735AD51CBA0

Function 7033EA06 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

?CreateSize@Value@DirectUI@@SGPAV12@HH@Z.UXCORE(00007FFF,?,00000000,00000000,?,?,?,?,?,7033F852,?,00007FFF,00000000,703038D8), ref: 7033EAA7
?_SetValue@Element@DirectUI@@IAEJPBUPropertyInfo@2@HPAVValue@2@_N2@Z.UXCORE(00000001,00000000,00000001,00000000,00007FFF,?,00000000,00000000,?,?,?,?,?,7033F852,?,00007FFF), ref: 7033EABE
?CreateSize@Value@DirectUI@@SGPAV12@HH@Z.UXCORE(00000000,?,000000FF), ref: 7033EC5A
?_SetValue@Element@DirectUI@@IAEJPBUPropertyInfo@2@HPAVValue@2@_N2@Z.UXCORE(00000001,00000000,00000001,00000000,00000000,?,000000FF), ref: 7033EC71

Strings

@R;p, xrefs: 7033EA32

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DirectValue@$CreateElement@Info@2@PropertySize@V12@Value@2@_
String ID: @R;p
API String ID: 4227704940-402780900
Opcode ID: 75824db1cd57d4c71333e74c33511d758d9ad4be8f2f530340f7cffb31c34bfd
Instruction ID: 9fc9b4053db3e01df5b2bfd5e93c992c061aa6b0aa6e4a3c951df455e689461a
Opcode Fuzzy Hash: 75824db1cd57d4c71333e74c33511d758d9ad4be8f2f530340f7cffb31c34bfd
Instruction Fuzzy Hash: C0A16E71A00209DFCB06CF64C8D1AADFBB6FF48318F55866DE556AB291D730B982CB50

Function 703786FA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,70377542,?,?,00000000,00000008,00000001,?), ref: 70378707
DeleteObject.GDI32(?), ref: 703787CD

Strings

W, xrefs: 70378721

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DeleteObjectValue
String ID: W
API String ID: 2418927197-655174618
Opcode ID: 38239026a34f7542bf7302a95f8036a62cf2f88794b2648a931dfc2b47b258e4
Instruction ID: 25b72131acc4f2da7e955d0f5f3f9e658fc0d298f1852d95e3a8ed35fe58da1c
Opcode Fuzzy Hash: 38239026a34f7542bf7302a95f8036a62cf2f88794b2648a931dfc2b47b258e4
Instruction Fuzzy Hash: 85219A76641244EFC709CF25C8C8A8EBBBAEF85354731955DE807DB720E739AA02DB50

Function 7037726B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(ERROR: Not all DirectUser Contexts were destroyed before EndProcess().,?,7036727E,7031544E), ref: 7037727D
TlsSetValue.KERNEL32(00000000,00000000,?,7036727E,7031544E), ref: 703772BB
CloseHandle.KERNEL32(00000000,?,7036727E,7031544E), ref: 703772CB
TlsFree.KERNEL32(?,7036727E,7031544E), ref: 703772F1

Strings

ERROR: Not all DirectUser Contexts were destroyed before EndProcess()., xrefs: 70377278

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: CloseDebugFreeHandleOutputStringValue
String ID: ERROR: Not all DirectUser Contexts were destroyed before EndProcess().
API String ID: 1275278855-3719588375
Opcode ID: cdf9d80c28edbb50ebc9f30d0698894fcc0a4e8e27dc61e4e6d7177d692d67fb
Instruction ID: ae267e8333895b8a7d43f3fad82ff5190e74bb6c329d8f10f711cbffea595fb4
Opcode Fuzzy Hash: cdf9d80c28edbb50ebc9f30d0698894fcc0a4e8e27dc61e4e6d7177d692d67fb
Instruction Fuzzy Hash: 96014B36902210DFC3169B67CC99F8D3B7EBB15B267317619F45296271CB354852CB90

Function 70375E11 Relevance: 7.7, APIs: 5, Instructions: 191COMMON

Download Yara Rule

APIs

FindAtomW.KERNEL32(?,00000000,?,?), ref: 70375E88

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: AtomFind
String ID:
API String ID: 1223357303-0
Opcode ID: e3c148a89d594d3b4975204eed26f370c3f276078688958259bda4989f596213
Instruction ID: d68e3b806503a8340756d1ca8f2d996beca25a8bd09df98ed7b20702a4277b24
Opcode Fuzzy Hash: e3c148a89d594d3b4975204eed26f370c3f276078688958259bda4989f596213
Instruction Fuzzy Hash: DA813F71905229CFCB19CF14C9D8B9DB3B9FB58310F11959EE81AAB251C774AE81CF90

Function 70379E67 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 70376DD6: TlsGetValue.KERNEL32(70379C0B,00000000,?,?,?,703416C1,?,00000000,?,?,7034A363,00000000,00000000,?,7034B01F,?), ref: 70376DDC

SetLastError.KERNEL32(80040014,00000000), ref: 70379E80
SetLastError.KERNEL32(80070057,00000001,00000000,00000000), ref: 70379EA7

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: a8b8417f94f98819dd4f5a9d919ee271cd7d5adbe77f156f5312d6aab4e0ceaf
Instruction ID: 37722ffa0fd588adda619cada9a4169e01d159b482f732bcd5aa035d77cc8940
Opcode Fuzzy Hash: a8b8417f94f98819dd4f5a9d919ee271cd7d5adbe77f156f5312d6aab4e0ceaf
Instruction Fuzzy Hash: 72316D31500108EFCF05DF74C8C0DED37BDAA84242B26E65BF906EA558E739E951EB51

Function 7038B4B5 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

?StartDefer@Element@DirectUI@@SGXXZ.UXCORE(?,?,00000200), ref: 7038B4E9
?GetRootHWND@HWNDElement@DirectUI@@SGPAUHWND__@@PAVElement@2@@Z.UXCORE(?,?,?,00000200), ref: 7038B4F5
GetDC.USER32(00000000), ref: 7038B4FF
ReleaseDC.USER32(00000001,?), ref: 7038B57E
?EndDefer@Element@DirectUI@@SGXXZ.UXCORE(?,?,?,00000200), ref: 7038B589

Part of subcall function 7037CF5E: memset.MSVCR80 ref: 7037CF70
Part of subcall function 7037CF5E: TraceEvent.ADVAPI32(00000100,?,00000038), ref: 7037CFA9

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DirectElement@$Defer@$D__@@Element@2@@EventReleaseRootStartTracememset
String ID:
API String ID: 2941676253-0
Opcode ID: 97bc9bc2a26673bcf0868569c0398f04928401ee683a632dd83bb7560c4b0c0d
Instruction ID: 9bd79a0e5547091192073133dd22e4b7d96d7ace2bf18c1f0ee9ba495481b304
Opcode Fuzzy Hash: 97bc9bc2a26673bcf0868569c0398f04928401ee683a632dd83bb7560c4b0c0d
Instruction Fuzzy Hash: 9731AD71A01205AFDB159B55CC8AF6EB7BEAB49300F104199F606AB2E1DBB0ED01CB60

Function 7034161E Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

CreateGadget.UXCORE(00000000,00000003,?,00000000,00000000,?,?,7034A363,00000000,00000000,?,7034B01F,?), ref: 703416A0

Part of subcall function 70379E67: SetLastError.KERNEL32(80040014,00000000), ref: 70379E80

GetLastError.KERNEL32(00000000,00000003,?,00000000,00000000,?,?,7034A363,00000000,00000000,?,7034B01F,?), ref: 703416AC
DeleteHandle.UXCORE(?,00000000,?,?,7034A363,00000000,00000000,?,7034B01F,?,?,?,?,?,70313B19,00000003), ref: 703416BC
SetGadgetMessageFilter.UXCORE(00000000,00000000,00000011,0000007F,00000000,00000003,?,00000000,00000000,?,?,7034A363,00000000,00000000,?,7034B01F), ref: 703416CE
SetGadgetStyle.UXCORE(?,00000801,00000E63,00000000,00000000,00000011,0000007F,00000000,00000003,?,00000000,00000000,?,?,7034A363,00000000), ref: 703416E0

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Gadget$ErrorLast$CreateDeleteFilterHandleMessageStyle
String ID:
API String ID: 1859439242-0
Opcode ID: 0189b864825a5573cb4d9d6ca1d3db625eb989109e09c04f3133306dba1bc12e
Instruction ID: 6288522ef4e1aad9263053c50c274f613e586f1752055e581bae68f78aa819e8
Opcode Fuzzy Hash: 0189b864825a5573cb4d9d6ca1d3db625eb989109e09c04f3133306dba1bc12e
Instruction Fuzzy Hash: CB21A371500B405FC3218F7AC8D1A9BFBE9AF55720B249A1EF59ACBA91D775F402CB10

Function 70336861 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SHCreateShellPalette.SHLWAPI(00000000), ref: 7033686F
GetPaletteEntries.GDI32(00000000,00000000,00000100,?), ref: 70336892
InterlockedExchange.KERNEL32(703C1818,00000000), ref: 7033691E
DeleteObject.GDI32(00000000), ref: 7033692D
SHGetInverseCMAP.SHLWAPI(703C181C,00000004), ref: 70336944

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Palette$CreateDeleteEntriesExchangeInterlockedInverseObjectShell
String ID:
API String ID: 215163796-0
Opcode ID: 199fe2e14f668de4bece8bf26995f7f2713f0e90272e9feaed7c05fd4109f79b
Instruction ID: 3b862fc7fd2e5b693e5022745d1db89a568c06b8bf6d8d37a7cbc06f2a09dc91
Opcode Fuzzy Hash: 199fe2e14f668de4bece8bf26995f7f2713f0e90272e9feaed7c05fd4109f79b
Instruction Fuzzy Hash: A621FC275482C51FC7034B6888147EE7F7BAB87244F7A80B8DDD29E382D7229C039764

Function 7037779D Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000008,?,?,?,?,?,70377472,00000000), ref: 703777C4

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: CreateEvent
String ID:
API String ID: 2692171526-0
Opcode ID: cdd0929627ed84c6a24e99d46aecf1d1bc6e45edb5eb054e4089a99b8bce2590
Instruction ID: 065419a3d44dcb5dd0ef1caf9c38795f02f9f6972d21c74266b3237c6580a7a5
Opcode Fuzzy Hash: cdd0929627ed84c6a24e99d46aecf1d1bc6e45edb5eb054e4089a99b8bce2590
Instruction Fuzzy Hash: E3119372D02124BBD715DBA6CC89FAE3B7DFB00751F22A11AF902E6254E3744910CBE1

Function 7038D9FC Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,00000000,00000044,00000044,?,7038E80F,703D2DB0,?,7038E842,00000001), ref: 7038DA19
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000008,?,?,?,?,00000000,00000044,00000044,?,7038E80F,703D2DB0,?,7038E842), ref: 7038DA40
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00000000,00000044,00000044,?,7038E80F,703D2DB0,?,7038E842,00000001), ref: 7038DA4F
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000044,00000044,?,7038E80F,703D2DB0,?,7038E842,00000001), ref: 7038DA58
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000044,00000044,?,7038E80F,703D2DB0,?,7038E842,00000001), ref: 7038DA61

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: CloseHandle$CompletionEventObjectPostQueuedResetSingleStatusWait
String ID:
API String ID: 1080586081-0
Opcode ID: cca79c6c00c1eaa0527a71fb228612dfbb7215c66eb6c948050b6c80bea2963d
Instruction ID: c8fa53479b3964c7190138c7cd56f499cad313fbb22dd14ea402a4e2791b7d78
Opcode Fuzzy Hash: cca79c6c00c1eaa0527a71fb228612dfbb7215c66eb6c948050b6c80bea2963d
Instruction Fuzzy Hash: E7012872605210AFDB289B56CD09B5EBBBDEF40B10F21459DE957A32E0DBB4ED40CB60

Function 7037214D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 70370658: RegisterGadgetProperty.UXCORE(7030AB6C,70372152,70372505,7036725D,?,?,70315903,?,?), ref: 7037065D

DUserRegisterGuts.UXCORE(703D2360,?,70372505,7036725D,?,?,70315903,?,?), ref: 703721C2

Strings

`#=p, xrefs: 70372165
AlphaFlow, xrefs: 70372186
Flow, xrefs: 70372190

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Register$GadgetGutsPropertyUser
String ID: AlphaFlow$Flow$`#=p
API String ID: 1627608279-3325882180
Opcode ID: 5a394308cd973dd5527febcfd2f1ce67d878575f8b7dc09af96d02be9b463015
Instruction ID: 9817036b4eb097127182ef6f74d3c2faca6c77139cd092b488c8a23ab4ca3ca1
Opcode Fuzzy Hash: 5a394308cd973dd5527febcfd2f1ce67d878575f8b7dc09af96d02be9b463015
Instruction Fuzzy Hash: 98F03ABA215A019EE7408F3BD855F0937E9B3A2706F70955CE110CA364DBBE5006CB14

Function 70372369 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D2450,?,7037253B,7036725D,?,?,70315903,?,?), ref: 703723D3

Strings

LinearInterpolation, xrefs: 70372397
Interpolation, xrefs: 703723A1
P$=p, xrefs: 70372376

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: Interpolation$LinearInterpolation$P$=p
API String ID: 554971792-1562919785
Opcode ID: b5d5a9e883f63c63b73acb1fb3ca6356cae487655b986fe6d4698597b4c5ac55
Instruction ID: 19a9d25f9e1eec9af3cb4d3cdd8dfe694e7e72f84254f0360642e97697a63b90
Opcode Fuzzy Hash: b5d5a9e883f63c63b73acb1fb3ca6356cae487655b986fe6d4698597b4c5ac55
Instruction Fuzzy Hash: 7CF0307B1056409EE7408F2BE854F493BF9A361309FB0E518D8408F3A8CFFA504ACB54

Function 7036A541 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D224C,?,7036A5DD,70367254,?,?,70315903,?,?), ref: 7036A5AB

Strings

L"=p, xrefs: 7036A54E
Root, xrefs: 7036A56F
Visual, xrefs: 7036A579

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: L"=p$Root$Visual
API String ID: 554971792-903910022
Opcode ID: 6fa2c01009d654dc63a4f6349ce9e2f26571e773917f3c446ba44154ee912962
Instruction ID: c1f981fa5b0ed95af74848b10a7e41ba1e9f05c3d57dc28bbfeee89b9da28a35
Opcode Fuzzy Hash: 6fa2c01009d654dc63a4f6349ce9e2f26571e773917f3c446ba44154ee912962
Instruction Fuzzy Hash: 2DF01CBB1056418EE784CF2BE804F0937A9E3A5305B70DA58F1108A2B8D7FA4046CF15

Function 70371DEF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D2478,?,70372544,7036725D,?,?,70315903,?,?), ref: 70371E59

Strings

Interpolation, xrefs: 70371E27
LogInterpolation, xrefs: 70371E1D
x$=p, xrefs: 70371DFC

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: Interpolation$LogInterpolation$x$=p
API String ID: 554971792-26083439
Opcode ID: 2a7a97e57b6a92105236f1ca13f210105fd1a77dda17a34caead626ca69bc7f0
Instruction ID: f19686ba6b2736d1c72afaded4d7e7fd9d46cdcb23a08894509cb29a2a14cdcd
Opcode Fuzzy Hash: 2a7a97e57b6a92105236f1ca13f210105fd1a77dda17a34caead626ca69bc7f0
Instruction Fuzzy Hash: 5FF01CBB2146059BE344CF2BD851B0977BEA361308FB1E11CDD118B3A4D7BA4049AB64

Function 7037706F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

DUserSendEvent.UXCORE(()=p,00000000), ref: 7037709D

Part of subcall function 70379670: TlsGetValue.KERNEL32(?,703770A2,()=p,00000000), ref: 703796B6

OutputDebugStringA.KERNEL32(ERROR: RequestInitGdiplus failed,()=p,00000000), ref: 703770AE

Strings

ERROR: RequestInitGdiplus failed, xrefs: 703770A9
()=p, xrefs: 70377092, 70377095

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DebugEventOutputSendStringUserValue
String ID: ()=p$ERROR: RequestInitGdiplus failed
API String ID: 4003302160-724753262
Opcode ID: 82ebd681e4416a09c82f5632e109d702ad7268b69f6ad486b0955b53a0e1accd
Instruction ID: 2f41cd6ae109c240020314179506c28179a05f236b9d0a9deefa0783f0359f63
Opcode Fuzzy Hash: 82ebd681e4416a09c82f5632e109d702ad7268b69f6ad486b0955b53a0e1accd
Instruction Fuzzy Hash: C6E039716002099BDB10DFA9DC89F9D37BCB744319F204515E502D63A0D7B49596CB62

Function 7031DDE0 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031DEDB
malloc.MSVCR80 ref: 7031DFC5
memcpy.MSVCR80(00000000,?,?,00000000), ref: 7031E1E8

Strings

l, xrefs: 7031DEF9

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemcpymemset
String ID: l
API String ID: 1097350464-2517025534
Opcode ID: e30bc1f7a2003273da2f4a451d8a0b23d8056f55aeb5d5878bb37f8609abb785
Instruction ID: 4d66582c8cecf1b493d654689f023dea9c4e2a79b1435811e6b97e3824e1221e
Opcode Fuzzy Hash: e30bc1f7a2003273da2f4a451d8a0b23d8056f55aeb5d5878bb37f8609abb785
Instruction Fuzzy Hash: A5F10975E006099FCB08CFA9C981ADEB7F6BF8C314F158269E819AB354D735A942CF50

Function 7031E6E0 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031E7DB
malloc.MSVCR80 ref: 7031E8C5
memcpy.MSVCR80(00000000,?,?,00000000), ref: 7031EAE8

Strings

l, xrefs: 7031E7F9

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemcpymemset
String ID: l
API String ID: 1097350464-2517025534
Opcode ID: c784d4ab143c4cc5d09966805584bd8c19d5a2efd5a36d5a406728dc0aeb3841
Instruction ID: d72d55fa4e1a81ffd51e4e54c6e793efe1b82bccc37619965bbb7cd86016f9eb
Opcode Fuzzy Hash: c784d4ab143c4cc5d09966805584bd8c19d5a2efd5a36d5a406728dc0aeb3841
Instruction Fuzzy Hash: 4FF10775E006099FCB08CFA8C981ADEBBF6BF8C314F158269E919AB355D731A941CF50

Function 7031E270 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031E36A
malloc.MSVCR80 ref: 7031E453
memcpy.MSVCR80(?,?,?,00000000), ref: 7031E649

Strings

l, xrefs: 7031E388

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemcpymemset
String ID: l
API String ID: 1097350464-2517025534
Opcode ID: e362ae4783567034c2a2a29c516cf7591777eeb44fcb12e3bfdba701d923d796
Instruction ID: fd708ac47b1f9ee7705d3b43d0b44cb74313953639f0d3142a9bc5d8c5e8027c
Opcode Fuzzy Hash: e362ae4783567034c2a2a29c516cf7591777eeb44fcb12e3bfdba701d923d796
Instruction Fuzzy Hash: EEF11D75E006199FCF08CF99C991AEEBBB6BF88314F158259E819AB344D731AD41CF90

Function 7031EB70 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031EC6A
malloc.MSVCR80 ref: 7031ED53
memcpy.MSVCR80(?,?,?,00000000), ref: 7031EF49

Strings

l, xrefs: 7031EC88

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemcpymemset
String ID: l
API String ID: 1097350464-2517025534
Opcode ID: a84890a726a0d6f9ac38734c4cd728476ff331bfaf9b1c90f5f550aae7f17d5c
Instruction ID: 85bc66747c0679254adf449acc02ec9c757cba3c718fe54075813834d91310f7
Opcode Fuzzy Hash: a84890a726a0d6f9ac38734c4cd728476ff331bfaf9b1c90f5f550aae7f17d5c
Instruction Fuzzy Hash: DBF10D75E005199FCF08CF98C991AEDBBB6BF88314F158259E815AB394D731AD41CF90

Function 7031F420 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031F558
malloc.MSVCR80 ref: 7031F62A
memset.MSVCR80 ref: 7031F7C4

Strings

l, xrefs: 7031F576

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset$malloc
String ID: l
API String ID: 1671641884-2517025534
Opcode ID: 5a4165d064ea80c925cba754b5e0680fb8620f61c62f8ccfd3aaa8987bec9c62
Instruction ID: 9d0b599730f6c0f5019a3ba04d0a42fc6c4513514a4e879f6f24285a2c9b99be
Opcode Fuzzy Hash: 5a4165d064ea80c925cba754b5e0680fb8620f61c62f8ccfd3aaa8987bec9c62
Instruction Fuzzy Hash: E2F11976E0061A9FCB18CFA9C981ADEBBB5FF4C310F158269E919A7344D734A941CF90

Function 7031EFE0 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031F118
malloc.MSVCR80 ref: 7031F1EA
memset.MSVCR80 ref: 7031F384

Strings

l, xrefs: 7031F136

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset$malloc
String ID: l
API String ID: 1671641884-2517025534
Opcode ID: 828062857a7f30f7ad26017f1caf909e5ad9ebab16ade2110c678275d37dee5a
Instruction ID: 5e57b9f0579f094c8828458e5cee751fd0618170051275cb585c2ec1d181a019
Opcode Fuzzy Hash: 828062857a7f30f7ad26017f1caf909e5ad9ebab16ade2110c678275d37dee5a
Instruction Fuzzy Hash: 26F14976E006199FCB08CFA8C981ADEBBB5FF4C314F15822AE919A7345D734A941CF90

Function 7031D9E0 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031DAAF
malloc.MSVCR80 ref: 7031DB65

Strings

l, xrefs: 7031DACD

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemset
String ID: l
API String ID: 2882185209-2517025534
Opcode ID: 623e22e774c026640218f7bb0fb2ca70a4c149041f52626bd3f7616bf7ad3a87
Instruction ID: 9ce245be0a70dc23dbbc429793ccf90d1f6b5a65a06b05a41318372c9234c6cb
Opcode Fuzzy Hash: 623e22e774c026640218f7bb0fb2ca70a4c149041f52626bd3f7616bf7ad3a87
Instruction Fuzzy Hash: 9FE12875E0060A9FCB08CF99C981AEEBBB6BF8D304F15856DE40AA7354D734A941CB50

Function 7031D5E0 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031D6AF
malloc.MSVCR80 ref: 7031D765

Strings

l, xrefs: 7031D6CD

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: mallocmemset
String ID: l
API String ID: 2882185209-2517025534
Opcode ID: e7400a0e082cf121dd91715a9589864e2ee2fcd5f38626cecdb9010a88bba43c
Instruction ID: 76150e82b96f27b5e7984388dcc70810cfc654dcc5214f2b43d23394c98ff605
Opcode Fuzzy Hash: e7400a0e082cf121dd91715a9589864e2ee2fcd5f38626cecdb9010a88bba43c
Instruction Fuzzy Hash: A6E13971E0060A9FCF18CF99C991AEEBBB6BF8C300F25856DE50AA7354D734A941CB50

Function 7031D210 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 335COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031D2E8
malloc.MSVCR80 ref: 7031D39F
memcpy.MSVCR80(?,00000000,?,00000000), ref: 7031D55A

Part of subcall function 7031BE60: memset.MSVCR80 ref: 7031BE90

Strings

l, xrefs: 7031D306

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset$mallocmemcpy
String ID: l
API String ID: 1726687030-2517025534
Opcode ID: 1e4eb70bf259e8eea6701463b8ce6af34cbc0047d3f43a7be835a1709a8223a7
Instruction ID: a94d2e9ad712655f5a0712e7ef9173d40a88e4a39f7e15febad39c6a26507664
Opcode Fuzzy Hash: 1e4eb70bf259e8eea6701463b8ce6af34cbc0047d3f43a7be835a1709a8223a7
Instruction Fuzzy Hash: 66D10775E0021A9FCF08CFA9C981AEDBBB6BF8D314F158169E919AB344D734A941CF50

Function 7031CE40 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 335COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7031CF18
malloc.MSVCR80 ref: 7031CFCF
memcpy.MSVCR80(?,00000000,?,00000000), ref: 7031D18A

Part of subcall function 7031BCA0: memset.MSVCR80 ref: 7031BCD0

Strings

l, xrefs: 7031CF36

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: memset$mallocmemcpy
String ID: l
API String ID: 1726687030-2517025534
Opcode ID: 864c49e52b29398dfa6b5298242155813762c47ad97e8d1ad802926c42bfcfb1
Instruction ID: 47219da3c92d3048beb3ea45995320362561bbbf721e7618ab4f28aabaacb1f6
Opcode Fuzzy Hash: 864c49e52b29398dfa6b5298242155813762c47ad97e8d1ad802926c42bfcfb1
Instruction Fuzzy Hash: 9FD1F875E0060A9FCF08CFA9C981AEDBBB6BF8D310F158169E919AB344D735A941CF50

Function 7036D534 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.MSVCR80 ref: 7036D58B
IntersectRect.USER32(00000000,00000002,00000000), ref: 7036D685

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: IntersectRectmalloc
String ID:
API String ID: 582184699-0
Opcode ID: f3210f1a8efa069aacc1cb7be98a1c3d4bb481e3ed195b2af6f73f0eff269b77
Instruction ID: 347d3184de0270afa2fd299189c57a5b1224813054b9288e125d71ee245af161
Opcode Fuzzy Hash: f3210f1a8efa069aacc1cb7be98a1c3d4bb481e3ed195b2af6f73f0eff269b77
Instruction Fuzzy Hash: 98419271D00219AFEF01DF98CC45EDDB7B9FF08214F10455AF606AB2A4D731A961CB64

Function 703923D1 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

malloc.MSVCR80 ref: 70392455

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 6e4c87f6f74759f8abe91bb3e571dbc1861255a9cc28545ca534b4aa69d7b9a6
Instruction ID: a33bccf969904830250db9f40b3d8562a28ad56b61b386aa855b0eb1e6ed759a
Opcode Fuzzy Hash: 6e4c87f6f74759f8abe91bb3e571dbc1861255a9cc28545ca534b4aa69d7b9a6
Instruction Fuzzy Hash: 0A417CB1910A05DFCB14CF65C881D9EB7F9BF08324F124629E916AB3A1C730ED51CBA8

Function 7038A101 Relevance: 6.1, APIs: 4, Instructions: 109windowCOMMON

Download Yara Rule

APIs

?StartDefer@Element@DirectUI@@SGXXZ.UXCORE(?,?,?,?,?,?,7038B7C5,?,?,?,7038C160,00000000,?,00000200,?), ref: 7038A12F
?Included@ItemRange@@QBE_NJ@Z.UXCORE(00000001,?,?,?,?,?,?,7038B7C5,?,?,?,7038C160,00000000,?,00000200,?), ref: 7038A172
?FocusElement@VirtualListView@@SGXPAVElement@DirectUI@@@Z.UXCORE(00000200,00000001,?,?,?,?,?,?,7038B7C5,?,?,?,7038C160,00000000,?,00000200), ref: 7038A19D

Part of subcall function 7033E879: ?CreateBool@Value@DirectUI@@SGPAV12@_N@Z.UXCORE(00000001,?,?,?,7038A189,?,00000001,?,?,?,?,?,?,7038B7C5), ref: 7033E885

?EndDefer@Element@DirectUI@@SGXXZ.UXCORE(00000001,?,?,?,?,?,?,7038B7C5,?,?,?,7038C160,00000000,?,00000200,?), ref: 7038A20E

Part of subcall function 7037CF5E: memset.MSVCR80 ref: 7037CF70
Part of subcall function 7037CF5E: TraceEvent.ADVAPI32(00000100,?,00000038), ref: 7037CFA9

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: DirectElement@$Defer@$Bool@CreateEventFocusI@@@Included@ItemListRange@@StartTraceV12@_Value@View@@Virtualmemset
String ID:
API String ID: 2460363206-0
Opcode ID: 3bb0cbdcb5709f7910438464459ec39b7c4e7af4a459c8eb2581f8bbf42caeef
Instruction ID: af744cc426e0489db6669e0442fb54e764a7416a4d109895eae903eb28210d5e
Opcode Fuzzy Hash: 3bb0cbdcb5709f7910438464459ec39b7c4e7af4a459c8eb2581f8bbf42caeef
Instruction Fuzzy Hash: 14319F30604A40AFEB16DB65C885FAEB7AAAF41314F01848DE46B5B2E1CB25FC46C770

Function 70367587 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000008,00000001,?,70377566,00000000,00000008,00000001,?), ref: 703675A0
HeapAlloc.KERNEL32(00000000,00000010,?,70377566,00000000,00000008,00000001,?), ref: 703675D1
TlsSetValue.KERNEL32(fu7p,?,70377566,00000000,00000008,00000001,?), ref: 70367668

Part of subcall function 70367349: HeapCreate.KERNEL32(00000000,00040000,00000000,00000001,00000000,?,70367612,?,?,70377566,00000000,00000008,00000001,?), ref: 70367364

Strings

fu7p, xrefs: 703675B0, 70367661

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: HeapValue$AllocCreate
String ID: fu7p
API String ID: 371077168-2905672816
Opcode ID: d505e8fef2a486f3f6a9852b628023310c260f913bb35bd4f11399e94182968f
Instruction ID: ffc2c0134b31534d3181ffb3a5310f19897cca66cdf5b56dc053dcb40b10969e
Opcode Fuzzy Hash: d505e8fef2a486f3f6a9852b628023310c260f913bb35bd4f11399e94182968f
Instruction Fuzzy Hash: 8931C572500B068FC721CF1DC88494E77E9FB40362761CA2EE5A79B268D7709C11CF94

Function 70315ADF Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 70315B06
GetDIBits.GDI32(?,?,00000000,00000001,00000000,?,00000000), ref: 70315B40
GetDIBits.GDI32(?,?,00000000,00000001,00000000,?,00000000), ref: 70315B67
DeleteObject.GDI32(?), ref: 70315BB5

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Bits$BitmapCompatibleCreateDeleteObject
String ID:
API String ID: 2475891097-0
Opcode ID: 7277b19b43b616eb4fcdbde56030b53d4edc99d2c024fdd76b2a33545abe4dd8
Instruction ID: f10728c37726d34e0039db6dd704e2f8a8c4067346a69cb9e192137ab3cbbd0f
Opcode Fuzzy Hash: 7277b19b43b616eb4fcdbde56030b53d4edc99d2c024fdd76b2a33545abe4dd8
Instruction Fuzzy Hash: B9218D72808249FEEB198F58C884A9EBFBAEB49350F11C06AF5469A240D3719DC68B50

Function 70349C89 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00040000,00000000,?,?,?,70315913,?,?), ref: 70349CC7
TlsAlloc.KERNEL32(?,?,70315913,?,?), ref: 70349CD6
TlsFree.KERNEL32(FFFFFFFF,?,?,70315913,?,?), ref: 70349D61
HeapDestroy.KERNEL32(00000000,?,?,70315913,?,?), ref: 70349D78

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Heap$AllocCreateDestroyFree
String ID:
API String ID: 1372329789-0
Opcode ID: 62f4afc3ce6ad28bfd7cf9433b82878061e01ca7d8a9f6b6f1bedc3a842297a4
Instruction ID: 0fbb2bc9d12dbe1462b5eaaa59e02593e3bc79a3bbc0d50667412ad263213e68
Opcode Fuzzy Hash: 62f4afc3ce6ad28bfd7cf9433b82878061e01ca7d8a9f6b6f1bedc3a842297a4
Instruction Fuzzy Hash: 74216D72A002009FC710AF6A9C89B6E77EEAB862543701A1BF123CE3B0D775A841DB50

Function 703158E0 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

?InitProcess@DirectUI@@YGJXZ.UXCORE(?,?), ref: 7031590E
?RMInitialize@@YGXXZ.UXCORE(?,?), ref: 70315917
?Register@WLEditT@@SGJXZ.UXCORE(?,?), ref: 70315925
?Register@VirtualListView@@SGJXZ.UXCORE(?,?), ref: 7031592E

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Register@$DirectEditInitInitialize@@ListProcess@View@@Virtual
String ID:
API String ID: 3972834298-0
Opcode ID: 9796e2f22000edc52f1074e6779941beb8704f8b7f12d62621f05ef34a23c92f
Instruction ID: df72fe7d64c1c9a26423d6201f7f1ebfbaafe419cbbbf86f66db168b282ea820
Opcode Fuzzy Hash: 9796e2f22000edc52f1074e6779941beb8704f8b7f12d62621f05ef34a23c92f
Instruction Fuzzy Hash: 28E09262641AA7DEF60567BE4B01B4F229C0D782B0B05045BBD47DE310EB10FC8386B7

Function 70379483 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(703D217C,?,00000000,?,7037A9D2,?,00000002,?,?,?,70373B79,7030B14C,70371BFE,703724E1,7036725D), ref: 70379499
LeaveCriticalSection.KERNEL32(703D217C,?,?,?,?,00000000,?,7037A9D2,?,00000002,?,?,?,70373B79,7030B14C,70371BFE), ref: 703794BE

Strings

l!=p, xrefs: 703794A2
|!=p, xrefs: 70379491

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: l!=p$|!=p
API String ID: 3168844106-3185462832
Opcode ID: cc474afef593ebd6d28756045eabf79939665875038845b58780d28aacadacde
Instruction ID: 869148b2879f8eddd35cc24c34547fb08a92e6a362627c4b0395a49599bc12a2
Opcode Fuzzy Hash: cc474afef593ebd6d28756045eabf79939665875038845b58780d28aacadacde
Instruction Fuzzy Hash: BCE01237102514BBC7115B57CD09F5E7BAEAB95262F21C026F71A92260CA354912C6A4

Function 703792BD Relevance: 6.0, APIs: 4, Instructions: 22comCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(703D29B4,00000002,?,703785F9), ref: 703792D0
OleUninitialize.OLE32(00000002,?,703785F9), ref: 703792DB
CoUninitialize.OLE32(00000002,?,703785F9), ref: 703792E6
LeaveCriticalSection.KERNEL32(703D29B4,00000002,?,703785F9), ref: 703792FC

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: CriticalSectionUninitialize$EnterLeave
String ID:
API String ID: 2838938670-0
Opcode ID: 0ff7f05b9a4f99efc87bf667255b001890c77eccd6cc65ba64b2482b301d02dc
Instruction ID: daae03703d6f637862412f114375219a3aaba80ef7729289a04a81c1e3d9d3cf
Opcode Fuzzy Hash: 0ff7f05b9a4f99efc87bf667255b001890c77eccd6cc65ba64b2482b301d02dc
Instruction Fuzzy Hash: 88E092320021489BC3122F63DC9CB683BBDBB96311F36A51FF443912B297790881DB24

Function 7037CF5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 7037CF70
TraceEvent.ADVAPI32(00000100,?,00000038), ref: 7037CFA9

Strings

8, xrefs: 7037CF85

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: EventTracememset
String ID: 8
API String ID: 2224389777-4194326291
Opcode ID: 771f5a9cbee078310e6d704b2a8a3dae2feb38a7bcd89afed17fb4e77a552fd2
Instruction ID: 7494e562c726adc68a9684ba1bfb0759a3655b59f5c59b6fbfae66c2a3c71d01
Opcode Fuzzy Hash: 771f5a9cbee078310e6d704b2a8a3dae2feb38a7bcd89afed17fb4e77a552fd2
Instruction Fuzzy Hash: 7EF0173690124CBACF01DF95E845ACFBF7AEF96310F004056FD00AB250D271A619CBA1

Function 70371824 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 70373E0F: RegisterGadgetProperty.UXCORE(7030B15C,70371829,703724EA,7036725D,?,?,70315903,?,?), ref: 70373E14

DUserRegisterGuts.UXCORE(703D22E8,?,703724EA,7036725D,?,?,70315903,?,?), ref: 70371899

Strings

DropTarget, xrefs: 7037185D
"=p, xrefs: 7037183C

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Register$GadgetGutsPropertyUser
String ID: DropTarget$"=p
API String ID: 1627608279-850056363
Opcode ID: 3d215b2645979c4eda68a035d83ad9c04570d686059831f5a1168cbe9ecfb04b
Instruction ID: fbbed8cd2cdfb2cd179399b62ddc86c1eaf58f9ec29bfb6bd067d2c14b57fd72
Opcode Fuzzy Hash: 3d215b2645979c4eda68a035d83ad9c04570d686059831f5a1168cbe9ecfb04b
Instruction Fuzzy Hash: 1DF05EB72026065AD384CF2BDD80F0E3BA9A765304F70DA18F1208A264D7FA80429B59

Function 703721D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 703708DC: RegisterGadgetProperty.UXCORE(7030AB8C,703721D9,7037250E,7036725D,?,?,70315903,?,?), ref: 703708E1

DUserRegisterGuts.UXCORE(703D2388,?,7037250E,7036725D,?,?,70315903,?,?), ref: 70372249

Strings

RectFlow, xrefs: 7037220D
Flow, xrefs: 70372217

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Register$GadgetGutsPropertyUser
String ID: Flow$RectFlow
API String ID: 1627608279-2833845405
Opcode ID: 83f39b9537e24b5fdf788231ac1b39d793a6f2ec571ccc3d3f91dae1926919f3
Instruction ID: 85528e92b05bf66e3cc3f53730dbdeec2cd217496e0a9a834aaf63e164ed83e2
Opcode Fuzzy Hash: 83f39b9537e24b5fdf788231ac1b39d793a6f2ec571ccc3d3f91dae1926919f3
Instruction Fuzzy Hash: C0F05EBF2016069FE7048F3BDD42F0A37E9A3A2704F71D628E504DE254D7BE90458B51

Function 7037225B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 70370A70: RegisterGadgetProperty.UXCORE(7030AB9C,70372260,70372517,7036725D,?,?,70315903,?,?), ref: 70370A75

DUserRegisterGuts.UXCORE(703D23B0,?,70372517,7036725D,?,?,70315903,?,?), ref: 703722D0

Strings

RotateFlow, xrefs: 70372294
Flow, xrefs: 7037229E

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Register$GadgetGutsPropertyUser
String ID: Flow$RotateFlow
API String ID: 1627608279-4292475050
Opcode ID: fd21ef5de1af10185776aa96b2cec1d388425a4c5e03663c454fe0f48743bf0d
Instruction ID: ee674ce6326b401278a17325f24d6650b76c6eabd36df8485894d24feaaab556
Opcode Fuzzy Hash: fd21ef5de1af10185776aa96b2cec1d388425a4c5e03663c454fe0f48743bf0d
Instruction Fuzzy Hash: F8F03ABB2096419AE7458F2BDD40F093BE9E3A1704F31E918F500CA2A8DBBE9005DB24

Function 703722E2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 70370CE2: RegisterGadgetProperty.UXCORE(7030AB7C,703722E7,70372520,7036725D,?,?,70315903,?,?), ref: 70370CE7

DUserRegisterGuts.UXCORE(703D23D8,?,70372520,7036725D,?,?,70315903,?,?), ref: 70372357

Strings

ScaleFlow, xrefs: 7037231B
Flow, xrefs: 70372325

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: Register$GadgetGutsPropertyUser
String ID: Flow$ScaleFlow
API String ID: 1627608279-4073241970
Opcode ID: 00999291909071fc9337bc3de5bdd5b968810f273be1431125fc1905aa9c3ef9
Instruction ID: 30630a7f8739059bdcac4b81e4e40b82b9a620d57677edee97289877708a589c
Opcode Fuzzy Hash: 00999291909071fc9337bc3de5bdd5b968810f273be1431125fc1905aa9c3ef9
Instruction Fuzzy Hash: 18F0307A2016015BD344CF2BDD94F0E37E9E361704F309A18E111CE254D7FE90498B54

Function 7036A3CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D2224,?,7036A5D4,70367254,?,?,70315903,?,?), ref: 7036A43F

Strings

Visual, xrefs: 7036A403
$"=p, xrefs: 7036A3E2

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: $"=p$Visual
API String ID: 554971792-51452228
Opcode ID: 10f322faa66b63cb9476e0fefa76944af968ea78d699868e5d989a28e174791c
Instruction ID: b0a0b199f28379ddd43d58ae0d977688d29feac28debf502f8ad293278446866
Opcode Fuzzy Hash: 10f322faa66b63cb9476e0fefa76944af968ea78d699868e5d989a28e174791c
Instruction Fuzzy Hash: F5F03A766056098AD3848F67E840F0E37A9A765304F309E28F4108E2A8D7F781428F19

Function 703768B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

Strings

Visual, xrefs: 703768EF
P(=p, xrefs: 703768CD

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID:
String ID: P(=p$Visual
API String ID: 0-1523099900
Opcode ID: 6bf00479dc95042451cc95ac27697aa673f08ce60af51c98dd597ad6d0e8fe2a
Instruction ID: ea6a00f9451605115dd9a4592dd536889ee0ce1c9837a10d6ed76b53aa3add59
Opcode Fuzzy Hash: 6bf00479dc95042451cc95ac27697aa673f08ce60af51c98dd597ad6d0e8fe2a
Instruction Fuzzy Hash: 10E048762019417EE3449B7FCC50B5A73EDAB68305F20547DE412C71B4D7B98846BB12

Function 70372460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D2400,?,70372529,7036725D,?,?,70315903,?,?), ref: 703724CA

Strings

Listener, xrefs: 70372498
Sequence, xrefs: 7037248E

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: Listener$Sequence
API String ID: 554971792-287765493
Opcode ID: 3704d76e7e61a76b6b3e70e6c357d8645aa8c35f3ed95bd9f7945d7b4a20f4cc
Instruction ID: 006a479f118bfd275819a065cf0ef20134b7bff6a0b01acd2268ff8d89ebf9ee
Opcode Fuzzy Hash: 3704d76e7e61a76b6b3e70e6c357d8645aa8c35f3ed95bd9f7945d7b4a20f4cc
Instruction Fuzzy Hash: 8BF030B71042058AE7408F2BDE54F0D37B9E361308FB0E528D9108B2A9D7FA409A8B65

Function 70371E6B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D24A0,?,7037254D,7036725D,?,?,70315903,?,?), ref: 70371ED5

Strings

Interpolation, xrefs: 70371EA3
ExpInterpolation, xrefs: 70371E99

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: ExpInterpolation$Interpolation
API String ID: 554971792-1694254177
Opcode ID: 094707cab3d8c8ca84c868413909ad90ffc4242e47f0c6195227ec40b524b651
Instruction ID: 536b071c3dd25352029bb96c1337d1571f477926e0231f1475b03ef68d058a80
Opcode Fuzzy Hash: 094707cab3d8c8ca84c868413909ad90ffc4242e47f0c6195227ec40b524b651
Instruction Fuzzy Hash: 49F01CB71046019EE341CF2BD896B0A77BAB7A131CFB2E11CE9028B364D7FA40058B54

Function 70371EE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D24C8,?,70372556,7036725D,?,?,70315903,?,?), ref: 70371F51

Strings

SCurveInterpolation, xrefs: 70371F15
Interpolation, xrefs: 70371F1F

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: GutsRegisterUser
String ID: Interpolation$SCurveInterpolation
API String ID: 554971792-356549333
Opcode ID: ddd0f122f76b0764877d2fd4cce0514b08f0f6ad3e1fa7dac73455033fb570cf
Instruction ID: 8a0ebd9bd3fc7cb4ea07c442ff0cfcd958fae6a3f75ab0f556470310f38ac6bf
Opcode Fuzzy Hash: ddd0f122f76b0764877d2fd4cce0514b08f0f6ad3e1fa7dac73455033fb570cf
Instruction Fuzzy Hash: E9F01CB71006058BE744CF2FED50B093BBEB3A1308F72E158E9058B364D7BA40459B24

Function 70376971 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterSuper.UXCORE(703D2820,?,7037236E,7037253B,7036725D,?,?,70315903,?,?), ref: 703769A8

Strings

Interpolation, xrefs: 7037699E
(=p, xrefs: 7037697E

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: RegisterSuperUser
String ID: (=p$Interpolation
API String ID: 2297203629-1707983260
Opcode ID: 5f285024d040a5d21c415a6a16e814a9e990085d065128ee03843c33b8bbfa56
Instruction ID: dfb5376b4b385bf6b9e6ba7f30f22bb6352afad6febb629b68f0006038e5ca10
Opcode Fuzzy Hash: 5f285024d040a5d21c415a6a16e814a9e990085d065128ee03843c33b8bbfa56
Instruction Fuzzy Hash: A3E08CB2601501AFE74D8B7EE850B49B7EDEB78300B30003EE502C22B0CBB28880B765

Function 70376160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterStub.UXCORE(703D26E0,?,703767AD,?,70367269,?,?,70315903,?,?), ref: 703761A4

Part of subcall function 7037BA29: SetLastError.KERNEL32(80070057,?,?,7037614B,703D26F4,?,703767A8,?,70367269,?,?,70315903,?,?), ref: 7037BA5F

Strings

Listener, xrefs: 70376186
&=p, xrefs: 70376165

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLastRegisterStubUser
String ID: Listener$&=p
API String ID: 2013390475-3947555299
Opcode ID: 9f50754ff47399666514370cc31ca721240e344033616364e8db528bd33898be
Instruction ID: 1ae85efe8ed3026d8d4b4de0251983f068bef4dba043eb9dda9dc8c86fdba8ba
Opcode Fuzzy Hash: 9f50754ff47399666514370cc31ca721240e344033616364e8db528bd33898be
Instruction Fuzzy Hash: A1E0B6B62153018BE708CF6BDC14F5A3BADA3A0314B30812DA415CB2B1DBFAC4559B60

Function 70376336 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterStub.UXCORE(703D267C,?,703767C6,?,70367269,?,?,70315903,?,?), ref: 7037637A

Part of subcall function 7037BA29: SetLastError.KERNEL32(80070057,?,?,7037614B,703D26F4,?,703767A8,?,70367269,?,?,70315903,?,?), ref: 7037BA5F

Strings

LinearInterpolation, xrefs: 7037635C
|&=p, xrefs: 7037633B

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLastRegisterStubUser
String ID: LinearInterpolation$|&=p
API String ID: 2013390475-949280290
Opcode ID: 17ef757d80962d18f16651220b4a3b803d44046f091870cc6697f1bbd53c7849
Instruction ID: 5c3a5364c4fc9d8e4fd788146abc3cc961d5816b475b28147d72035cf9120d1b
Opcode Fuzzy Hash: 17ef757d80962d18f16651220b4a3b803d44046f091870cc6697f1bbd53c7849
Instruction Fuzzy Hash: F4E09AB61017025AE7488F2BE814B5977A9A7B8314B31412DA805876A0C7F5C411AB24

Function 70376394 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterStub.UXCORE(703D2668,?,703767CB,?,70367269,?,?,70315903,?,?), ref: 703763D8

Part of subcall function 7037BA29: SetLastError.KERNEL32(80070057,?,?,7037614B,703D26F4,?,703767A8,?,70367269,?,?,70315903,?,?), ref: 7037BA5F

Strings

LogInterpolation, xrefs: 703763BA
h&=p, xrefs: 70376399

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLastRegisterStubUser
String ID: LogInterpolation$h&=p
API String ID: 2013390475-2494261804
Opcode ID: 909d55802d61c5e449a994f252e19503968d6ca3ebc5b63d56977527545379ef
Instruction ID: ee4e69fbfd9f592ec2673c883cc1474eac1e505015a7af5e39e97ed3499820a0
Opcode Fuzzy Hash: 909d55802d61c5e449a994f252e19503968d6ca3ebc5b63d56977527545379ef
Instruction Fuzzy Hash: 14E092B6202B018FE7088F2BE854F5A3BA9A7A5715F30416DE505CB6A0CBF5C855DB28

Function 703763F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterStub.UXCORE(703D2654,?,703767D0,?,70367269,?,?,70315903,?,?), ref: 70376436

Part of subcall function 7037BA29: SetLastError.KERNEL32(80070057,?,?,7037614B,703D26F4,?,703767A8,?,70367269,?,?,70315903,?,?), ref: 7037BA5F

Strings

T&=p, xrefs: 703763F7
ExpInterpolation, xrefs: 70376418

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLastRegisterStubUser
String ID: ExpInterpolation$T&=p
API String ID: 2013390475-3430947370
Opcode ID: d04a5157ce76317443753e6e02a01d633b973d31c759dc95bf0450b3aa103489
Instruction ID: 35796223b029f5cb02402ec870471b3a6f3cb83772f2df9d3b49c82dd8a5dce1
Opcode Fuzzy Hash: d04a5157ce76317443753e6e02a01d633b973d31c759dc95bf0450b3aa103489
Instruction Fuzzy Hash: DAE092F62123818FE7088F2BD844F5A3BA9E7B4314F30516DA505CA6A0CBF6C4568B24

Function 70376450 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterStub.UXCORE(703D2640,?,703767D5,?,70367269,?,?,70315903,?,?), ref: 70376494

Part of subcall function 7037BA29: SetLastError.KERNEL32(80070057,?,?,7037614B,703D26F4,?,703767A8,?,70367269,?,?,70315903,?,?), ref: 7037BA5F

Strings

SCurveInterpolation, xrefs: 70376476
@&=p, xrefs: 70376455

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLastRegisterStubUser
String ID: @&=p$SCurveInterpolation
API String ID: 2013390475-834322660
Opcode ID: 903c367242f664cc0a293751423162a74b7ae2acfeca72f1c054eb9bf6269c83
Instruction ID: c9cf8fb0c35e5c1c04647dd9d1b73d1220460512f781c2eff5464b743f8ca8c9
Opcode Fuzzy Hash: 903c367242f664cc0a293751423162a74b7ae2acfeca72f1c054eb9bf6269c83
Instruction Fuzzy Hash: 2BE092B62093418FE7188F3BD804B5A3BA9A7A4314B31512DE545CA6B0CBF5C4128B24

Function 703764AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

DUserRegisterStub.UXCORE(703D262C,?,703767DA,?,70367269,?,?,70315903,?,?), ref: 703764F2

Part of subcall function 7037BA29: SetLastError.KERNEL32(80070057,?,?,7037614B,703D26F4,?,703767A8,?,70367269,?,?,70315903,?,?), ref: 7037BA5F

Strings

Animation, xrefs: 703764D4
,&=p, xrefs: 703764B3

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorLastRegisterStubUser
String ID: ,&=p$Animation
API String ID: 2013390475-4262056056
Opcode ID: 4f18ccebb295ffb613b80817517f481a7b6984a838fe1cb991a31774cae50112
Instruction ID: 0108406d0dcf11d957e19c57547ae7d32d0eb2be040decd9f740cd7408abfac2
Opcode Fuzzy Hash: 4f18ccebb295ffb613b80817517f481a7b6984a838fe1cb991a31774cae50112
Instruction Fuzzy Hash: 7EE0BFF69123008BD7088F6BD884F5977ADE7B4314F35512DA405C7261C7F9C415CB24

Function 70371D07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D2338,?,703724FC,7036725D,?,?,70315903,?,?), ref: 70371D69

Part of subcall function 7037B9E1: SetLastError.KERNEL32(80070057,?,?,7036A4B8,703D21D4,?,7036A5C2,70367254,?,?,70315903,?,?), ref: 7037BA17

Strings

8#=p, xrefs: 70371D0C
Flow, xrefs: 70371D2D

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorGutsLastRegisterUser
String ID: 8#=p$Flow
API String ID: 3989148403-561575188
Opcode ID: 75ff804ed8f869d2c3d25ef2890c181061f28ff642c5b41c7d32055392ed8a3c
Instruction ID: 1ca4fdb5dcd4f7b82cbf3c47376757535e90643b55b22b922d9656c1ccbcaae3
Opcode Fuzzy Hash: 75ff804ed8f869d2c3d25ef2890c181061f28ff642c5b41c7d32055392ed8a3c
Instruction Fuzzy Hash: A6F0C9BF6452449BD354CF6FDC44F193BA9A3A1718F78995CE1048A3A8C7FE80468B15

Function 70371D7B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

DUserRegisterGuts.UXCORE(703D2428,?,70372532,7036725D,?,?,70315903,?,?), ref: 70371DDD

Part of subcall function 7037B9E1: SetLastError.KERNEL32(80070057,?,?,7036A4B8,703D21D4,?,7036A5C2,70367254,?,?,70315903,?,?), ref: 7037BA17

Strings

Interpolation, xrefs: 70371DA1
($=p, xrefs: 70371D80

Memory Dump Source

Source File: 0000000E.00000002.1782303693.0000000070301000.00000020.00000001.01000000.00000008.sdmp, Offset: 70300000, based on PE: true

Associated: 0000000E.00000002.1782276366.0000000070300000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782378900.00000000703B3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782434262.00000000703BF000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782457240.00000000703C0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782481431.00000000703D2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000E.00000002.1782503138.00000000703D4000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_70300000_Dashboard.jbxd

Similarity

API ID: ErrorGutsLastRegisterUser
String ID: ($=p$Interpolation
API String ID: 3989148403-3884189633
Opcode ID: c38d666f742e8ac1cef4c5e1a2756fb0a5df6881fae050fd8c0f919646761dd9
Instruction ID: e13fa39490a22cd32baf41f9082dec3375dd4f1a6d49f131aa0fbcf9d4bf7445
Opcode Fuzzy Hash: c38d666f742e8ac1cef4c5e1a2756fb0a5df6881fae050fd8c0f919646761dd9
Instruction Fuzzy Hash: 14F039B75852008BD354CF2BD894F0A3BB9E3A1318FF0A608D8148B3A4C7F600058B25

Analysis Process: MLE_Config_beta.exePID: 4904, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	49.9%
Signature Coverage:	2.1%
Total number of Nodes:	373
Total number of Limit Nodes:	12

Executed Functions

Function 000000014011FF38 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000014011FF77
malloc.MSVCRT ref: 000000014011FFAB

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CreateFilemalloc
String ID:
API String ID: 3010914732-0
Opcode ID: 08291fb8f84a33b773d04131f42d1229c88b2589c06dea98ea13bb42374a242d
Instruction ID: 2d00926db45b5a94333cbffaf12b2d1fc501933b49b87ad3f4aa4d041c57759c
Opcode Fuzzy Hash: 08291fb8f84a33b773d04131f42d1229c88b2589c06dea98ea13bb42374a242d
Instruction Fuzzy Hash: F921C536218B8482D761DF16E44475EBBB1F3C9B94F204219EB9D47BA8DF7AD4449B00

Function 00007FF75D9311B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

exit.MSVCRT ref: 00007FF75D931257
exit.MSVCRT ref: 00007FF75D931333

Strings

0, xrefs: 00007FF75D9311C5

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: exit
String ID: 0
API String ID: 2483651598-4108050209
Opcode ID: 9806047a5bf1b5b1efa68b36b15cbb6a6b813d4a6b907c62d5d9039e1853b056
Instruction ID: d13134626950621ea62a7f060271b24ad2bf218394d3138c9e588a6ba620aa9f
Opcode Fuzzy Hash: 9806047a5bf1b5b1efa68b36b15cbb6a6b813d4a6b907c62d5d9039e1853b056
Instruction Fuzzy Hash: A741B775E0DB1689FB41AB95E88036C73B2BB44B84F984436DE0D977A4EF7DE8408760

Function 00007FF75DB8AA10 Relevance: 3.1, APIs: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75D9699C6: ExitProcess.KERNEL32 ref: 00007FF75D9699F1

TlsAlloc.KERNEL32 ref: 00007FF75DB8AB37
TlsSetValue.KERNEL32 ref: 00007FF75DB8AB4F

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: AllocExitProcessValue
String ID:
API String ID: 2754199502-0
Opcode ID: b46a69d197219e6e408c84a58ccdc3ff8e93cada09a11a21b366b25cb23b4699
Instruction ID: d20a074a4035d2f61070a65d63ca081526fe0467ffdd111bd939704484464ad8
Opcode Fuzzy Hash: b46a69d197219e6e408c84a58ccdc3ff8e93cada09a11a21b366b25cb23b4699
Instruction Fuzzy Hash: B9312472B2C45247F348B77D9C5617AA9539F85330BEC8738F43ACA6E9EF2CA4010620

Function 00007FF75D93D640 Relevance: 1.7, APIs: 1, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF75D93D65D

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 9d4a1e6eeaf1f1cdb7226a09114b4d0fe3d4781d08394e3eee49611d3cad540f
Instruction ID: b4f80cb3996d4e565127786744ad3e29489372c51092153ce9337af39284461c
Opcode Fuzzy Hash: 9d4a1e6eeaf1f1cdb7226a09114b4d0fe3d4781d08394e3eee49611d3cad540f
Instruction Fuzzy Hash: 8FF17762F2C64542FB18DBB698712BA66A2DB827F4F549339ED3E9B7D4DE2CD0014700

Function 00007FF75DA7DA10 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00007FF75DA7F334), ref: 00007FF75DA7DBC4

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5d371ad9e8605828d13a16163c515848834932142afd4dbd7bdc4d4a438b4d53
Instruction ID: e010987050b12fe445d7ee3f2b54560d60afecf95b9dc6b6a59aaeecb9b0297f
Opcode Fuzzy Hash: 5d371ad9e8605828d13a16163c515848834932142afd4dbd7bdc4d4a438b4d53
Instruction Fuzzy Hash: 8E418B3273C55143A7A89738AD62D376A92EBC5760B886339E95EC3FE4DE2CD5008B10

Function 00007FF75D935490 Relevance: 1.4, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF75D9354AC

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ff4f314fb52d58614d020e5335608645761c06bbe78508165f7a109119a175a6
Instruction ID: b4ad74c40ec0b5a94656ad3dcbdab3c3fa65ae2e0a0331f58d8093816691922d
Opcode Fuzzy Hash: ff4f314fb52d58614d020e5335608645761c06bbe78508165f7a109119a175a6
Instruction Fuzzy Hash: A7414A3373DA9542E760D739B85192BAAD1E7897A4B542324EE6EC3FD8DA3ED1014B00

Function 000000014011D758 Relevance: 6.1, APIs: 4, Instructions: 65
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140123371), ref: 000000014011D7A1

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fa702a1818ffb6b8e9e1b8e5fb94fe68093c190d33758d34eb9046929484e72f
Instruction ID: a872d6ac15e49e81bcb6e402cc2fdf8fedc509efffe6e503cca0c791e6531545
Opcode Fuzzy Hash: fa702a1818ffb6b8e9e1b8e5fb94fe68093c190d33758d34eb9046929484e72f
Instruction Fuzzy Hash: B3319336608B4487EB60CF2AE49435EBBB4F7C9B94F604115EB9947BA8DF39C5458F00

Function 000000014011FE28 Relevance: 4.6, APIs: 3, Instructions: 52
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000014011FE6D
CreateFileMappingW.KERNELBASE ref: 000000014011FECC
MapViewOfFile.KERNELBASE ref: 000000014011FEEE

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: File$Create$MappingView
String ID:
API String ID: 1299149932-0
Opcode ID: adc7ce85746f15b18e302e3d6d9fbbf35a76bdbe9ac71d6ff60923e7ba8727e8
Instruction ID: 820315da7b4020408db1b1cc614476c0a1407536e4ab1f95ad091a2a37da56bc
Opcode Fuzzy Hash: adc7ce85746f15b18e302e3d6d9fbbf35a76bdbe9ac71d6ff60923e7ba8727e8
Instruction Fuzzy Hash: 1621A376218B8082EBA0DB56F45575EBBA0F3C9B84F209115EBCD87B68DF7DC4598B00

Function 00007FF75DB8C360 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF75DB8C5BC

Strings

@, xrefs: 00007FF75DB8C52B

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: e5394c59ebb7de25128ae237650083047c7b9f2dc1cc76e2994e0239bd5923de
Instruction ID: 2f51c0c9013975b12781e39da5410d61d177a07788d9f8d267a2b8734e126214
Opcode Fuzzy Hash: e5394c59ebb7de25128ae237650083047c7b9f2dc1cc76e2994e0239bd5923de
Instruction Fuzzy Hash: 9C613BE2F0DB098BEB14DB59D58226863A2FB587C4B988035DE1D93714EF3CEA02D310

Function 00007FF75D9356B2 Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF75D935490: VirtualAlloc.KERNEL32 ref: 00007FF75D9354AC

CreateThread.KERNELBASE ref: 00007FF75D935761

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: AllocCreateThreadVirtual
String ID:
API String ID: 3065189322-0
Opcode ID: 7c4e89417ec1145bc31552d12b82915981abf6b5d74b4fcfd4d2f285ab6a69ed
Instruction ID: 2201222990ce51f450fa09bc9822fe7eaeb78049fb89d2c131f29acb720e1693
Opcode Fuzzy Hash: 7c4e89417ec1145bc31552d12b82915981abf6b5d74b4fcfd4d2f285ab6a69ed
Instruction Fuzzy Hash: F0314436F1DB89C9E740ABA5E8412A973B5F70C758F940036DA4C47764EF78C162C760

Function 000000014011D934 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 000000014011D93C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 8aa76fb0e6ea81a43412a6e4ce3e67ee4a0c44f8450056c290c247b20c5f490d
Instruction ID: 3d613ac56ecaa76a4e7d91ee78244c06fa0071a276e7ba6f2ac5590dae2c62da
Opcode Fuzzy Hash: 8aa76fb0e6ea81a43412a6e4ce3e67ee4a0c44f8450056c290c247b20c5f490d
Instruction Fuzzy Hash: 3931B272218A848AC774CB29E48075EB7A1F7CCB58F444216E6CE87B69DA3CCA45CF04

Function 00007FF75DB8C5DC Relevance: 1.6, APIs: 1, Instructions: 61
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,00007FF75DB8CABD,?,?,?,?,?,00007FF75D9312E5), ref: 00007FF75DB8C694

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: beb8c38d02a2b53fbd7be99df4a00c79adf73913b803789b3b0d298dfa95b0ee
Instruction ID: 58042e7a001378ed6309bbca3bdc5ead414b95bf923e20ad9d40a16ad66c6b60
Opcode Fuzzy Hash: beb8c38d02a2b53fbd7be99df4a00c79adf73913b803789b3b0d298dfa95b0ee
Instruction Fuzzy Hash: 861142E2F0D7458BEF04DB55D582268A362BB98BC5B598035CD1D97314EE3CEB029710

Function 00007FF75D935860 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75D935490: VirtualAlloc.KERNEL32 ref: 00007FF75D9354AC

CreateThread.KERNELBASE ref: 00007FF75D9358E7

Memory Dump Source

Source File: 00000015.00000002.2141098105.00007FF75D931000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75D930000, based on PE: true

Associated: 00000015.00000002.2141075525.00007FF75D930000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141576230.00007FF75DB8E000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141627621.00007FF75DB9F000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBB7000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DBBA000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141680045.00007FF75DC1D000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141903602.00007FF75DC21000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000015.00000002.2141967096.00007FF75DC23000.00000004.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff75d930000_MLE_Config_beta.jbxd

Similarity

API ID: AllocCreateThreadVirtual
String ID:
API String ID: 3065189322-0
Opcode ID: bb50a292e33c1ae5368d5b7c105191ac3e88e23a404754edeedffa150133abed
Instruction ID: 613ea8381723b45de5dbabc5e7f82576ddec97ce44fcaa4357ca43090affd8a1
Opcode Fuzzy Hash: bb50a292e33c1ae5368d5b7c105191ac3e88e23a404754edeedffa150133abed
Instruction Fuzzy Hash: A9215A36A1DB8982D740EB54E44036AB3A6F78CB64F944136EA8D87764EF7CC415C750

Function 000000014011F888 Relevance: 1.5, APIs: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

realloc.MSVCRT ref: 000000014011F8F3

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 3f1eb1290eb503b2145d9c0e382a8b9ab882b585fb38e67f0ecac83848e7f568
Instruction ID: 561e48d5a86c5783f5dc688081665245eb1983b796079a5d4baa60a9d0ab499f
Opcode Fuzzy Hash: 3f1eb1290eb503b2145d9c0e382a8b9ab882b585fb38e67f0ecac83848e7f568
Instruction Fuzzy Hash: 84119736604B4886DA44DB0AE48025E77B4F3D9B80F614026EF8D57B68DF3AC946DB40

Function 0000000140120018 Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE ref: 0000000140120074

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5fdda1b636b50f9fc504353daad9641b4c9c534a50ade388255728a4b60dc926
Instruction ID: d573d171b4691707fc38c9ddb05e420b9f30bf651de66fe43147e61a49fc26ed
Opcode Fuzzy Hash: 5fdda1b636b50f9fc504353daad9641b4c9c534a50ade388255728a4b60dc926
Instruction Fuzzy Hash: AF01D672218B88C2E6219B16E45436EB7B0F3CDB88F504625EBCD47B69CF3DC9448B04

Function 00000001401209F8 Relevance: 1.3, APIs: 1, Instructions: 86memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,0000000140120B85), ref: 0000000140120A36

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6bcd8b487a366c1c59843c47b777b3e1da3161276deb4923ee1d31ae147b4254
Instruction ID: 666a9bba36a8258ab6c1abd1cc1a10056bbc9ec2a7f906673a408a3f03c71112
Opcode Fuzzy Hash: 6bcd8b487a366c1c59843c47b777b3e1da3161276deb4923ee1d31ae147b4254
Instruction Fuzzy Hash: A541B776219B8486DB61CF0AE08075EBBA0F388F94F405156EB8E97B69DB79C545CB00

Non-executed Functions

Function 000000014000E214 Relevance: 75.6, APIs: 38, Strings: 5, Instructions: 343windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014000E247

Part of subcall function 000000014000204C: GetWindowLongW.USER32 ref: 0000000140002069
Part of subcall function 000000014000204C: GetParent.USER32 ref: 000000014000207F
Part of subcall function 000000014000204C: GetWindowRect.USER32 ref: 000000014000209D
Part of subcall function 000000014000204C: GetWindowLongW.USER32 ref: 00000001400020B6
Part of subcall function 000000014000204C: SystemParametersInfoW.USER32 ref: 00000001400020D7
Part of subcall function 000000014000204C: SetWindowPos.USER32 ref: 00000001400021DE

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

GetDlgItem.USER32 ref: 000000014000E3A0
SetWindowTextW.USER32 ref: 000000014000E3AC
GetDlgItem.USER32 ref: 000000014000E3B8
SetWindowTextW.USER32 ref: 000000014000E3CC
GetDlgItem.USER32 ref: 000000014000E42D
EnableWindow.USER32 ref: 000000014000E439
GetDlgItem.USER32 ref: 000000014000E45A
EnableWindow.USER32 ref: 000000014000E465
GetWindowLongW.USER32 ref: 000000014000E476
SetWindowLongW.USER32 ref: 000000014000E48F
GetDlgItem.USER32 ref: 000000014000E4A5
EnableWindow.USER32 ref: 000000014000E4B0
GetDlgItem.USER32 ref: 000000014000E4BF
EnableWindow.USER32 ref: 000000014000E4CA
GetDlgItem.USER32 ref: 000000014000E4D7
EnableWindow.USER32 ref: 000000014000E4E3
SendMessageW.USER32 ref: 000000014000E57C
SendMessageW.USER32 ref: 000000014000E59A
SendMessageW.USER32 ref: 000000014000E5B0
SendMessageW.USER32 ref: 000000014000E5C6
GetDlgItem.USER32 ref: 000000014000E5DC
GetWindowRect.USER32 ref: 000000014000E601
SendMessageW.USER32 ref: 000000014000E615
ScreenToClient.USER32 ref: 000000014000E624
ScreenToClient.USER32 ref: 000000014000E638

Part of subcall function 0000000140105E24: SendMessageW.USER32 ref: 0000000140105E5F
Part of subcall function 0000000140105E24: SendMessageW.USER32 ref: 0000000140105E7D

SetWindowPos.USER32 ref: 000000014000E690
SendMessageW.USER32 ref: 000000014000E6A4
SendMessageW.USER32 ref: 000000014000E6B8
SendMessageW.USER32 ref: 000000014000E6CC
GetSystemMetrics.USER32 ref: 000000014000E6DE
GetSystemMetrics.USER32 ref: 000000014000E6EB
LoadImageW.USER32 ref: 000000014000E70B
SendMessageW.USER32 ref: 000000014000E71D
GetSystemMetrics.USER32 ref: 000000014000E72D
GetSystemMetrics.USER32 ref: 000000014000E738
LoadImageW.USER32 ref: 000000014000E753
SendMessageW.USER32 ref: 000000014000E765

Strings

lng, xrefs: 000000014000E512
LZEN, xrefs: 000000014000E26A
LZIT, xrefs: 000000014000E32E
Lizenz, xrefs: 000000014000E3D9
LZDE, xrefs: 000000014000E2CE

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$MessageSend$Item$EnableSystem$LongMetrics$ClientImageLoadParentRectScreenTextlstrlen$ByteCharInfoMultiParametersWide
String ID: LZDE$LZEN$LZIT$Lizenz$lng
API String ID: 2727863672-2363247610
Opcode ID: 174c2ef5cb3542c4634db0dd5a4240508240e34c614a04612fcd01b8688baa98
Instruction ID: 9f9485a48d6402ffa7bcfd86dcc73b779697d7fdc7c33d9dfa55754880688632
Opcode Fuzzy Hash: 174c2ef5cb3542c4634db0dd5a4240508240e34c614a04612fcd01b8688baa98
Instruction Fuzzy Hash: 93F15C72301A8082EB52DB27E8587DA7361F78CFE0F448225AB5A5B7B5DF39C845CB40

Function 000000014001F2A4 Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 243windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001F347
SendMessageW.USER32 ref: 000000014001F360
SendMessageW.USER32 ref: 000000014001F379
SendMessageW.USER32 ref: 000000014001F38F
SendMessageW.USER32 ref: 000000014001F3A3
SendMessageW.USER32 ref: 000000014001F3C9
ShowWindow.USER32 ref: 000000014001F3F3
SendMessageW.USER32 ref: 000000014001F407
ImageList_GetIcon.COMCTL32 ref: 000000014001F422
SendMessageW.USER32 ref: 000000014001F451
SendMessageW.USER32 ref: 000000014001F467
GetModuleHandleW.KERNEL32 ref: 000000014001F474
SendMessageW.USER32 ref: 000000014001F58B

Part of subcall function 000000014001E45C: GetWindowRect.USER32 ref: 000000014001E47E

CreateWindowExW.USER32 ref: 000000014001F5EC
SendMessageW.USER32 ref: 000000014001F608
SendMessageW.USER32 ref: 000000014001F61C
SendMessageW.USER32 ref: 000000014001F638
SendMessageW.USER32 ref: 000000014001F64C
SendMessageW.USER32 ref: 000000014001F669
SendMessageW.USER32 ref: 000000014001F67D

Strings

L, xrefs: 000000014001F2F7
, xrefs: 000000014001F51E
ToolbarWindow32, xrefs: 000000014001F59E
d, xrefs: 000000014001F5D5
shell32.dll, xrefs: 000000014001F46D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Window$CreateHandleIconImageList_ModuleRectShow
String ID: $L$ToolbarWindow32$d$shell32.dll
API String ID: 1744847649-4053673454
Opcode ID: ec00726696b043959fb503d2530eeb205b183dbc9545bf4d2d9651eca1e06abb
Instruction ID: 14f72573145001a94804b50c9369ed43ca5d4e3a5e1751d385d7e3ab38500a66
Opcode Fuzzy Hash: ec00726696b043959fb503d2530eeb205b183dbc9545bf4d2d9651eca1e06abb
Instruction Fuzzy Hash: 5EA15771314A8482EBA18B63B954BAA37A1F78DFC5F444025AF0A4BF74DF3DC54A8B44

Function 000000014000D848 Relevance: 58.3, APIs: 30, Strings: 3, Instructions: 556windowstringregistryCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 000000014000D8BC
GetDlgItem.USER32 ref: 000000014000D8CC
GetDriveTypeW.KERNEL32 ref: 000000014000D8FC
_cwprintf_s_l.LIBCMT ref: 000000014000D984
SendMessageW.USER32 ref: 000000014000D997
SendMessageW.USER32 ref: 000000014000D9CD
SendMessageW.USER32 ref: 000000014000DA8B
SendMessageW.USER32 ref: 000000014000DA9F
SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DB67
lstrlenW.KERNEL32 ref: 000000014000DB7F
SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DC4B
lstrlenW.KERNEL32 ref: 000000014000DC63
SendMessageW.USER32 ref: 000000014000DD2F
SendMessageW.USER32 ref: 000000014000DD4D
GetDlgItem.USER32 ref: 000000014000DD5F
SendMessageW.USER32 ref: 000000014000DD75
SendMessageW.USER32 ref: 000000014000DD8D
GetDlgItem.USER32 ref: 000000014000DD9A
SendMessageW.USER32 ref: 000000014000DDAB
RegOpenKeyExW.ADVAPI32 ref: 000000014000DE18
lstrlenW.KERNEL32 ref: 000000014000DEBA
lstrlenW.KERNEL32 ref: 000000014000DEEE
lstrlenW.KERNEL32 ref: 000000014000DF39
lstrlenW.KERNEL32 ref: 000000014000DF63
lstrlenW.KERNEL32 ref: 000000014000DF9B
lstrlenW.KERNEL32 ref: 000000014000DFC5
SendMessageW.USER32 ref: 000000014000DFF9
SendMessageW.USER32 ref: 000000014000E01A
SendMessageW.USER32 ref: 000000014000E02E
RegCloseKey.ADVAPI32 ref: 000000014000E092

Strings

UninstallString, xrefs: 000000014000DE94
%C:\, xrefs: 000000014000D978
SoftwareOK\, xrefs: 000000014000D9D3

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$lstrlen$Item$DriveFolderPathSpecial$CloseLogicalOpenStringsType_cwprintf_s_l
String ID: %C:\$SoftwareOK\$UninstallString
API String ID: 423617-1242695785
Opcode ID: ce4a602b15cb63e03b6c9d7a59fa3f4c24bcbb6a3fbfdff46da888468d75f5d0
Instruction ID: 1213c6fbc6b11f0d7670e3afec7627d9e251dbf8b966614931f2d1ab06e0adb4
Opcode Fuzzy Hash: ce4a602b15cb63e03b6c9d7a59fa3f4c24bcbb6a3fbfdff46da888468d75f5d0
Instruction Fuzzy Hash: BF429F72204A8082EB52DB26E8507DE73A1FB89BF4F544212E76E97AF5DF38C485C740

Function 0000000140013390 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 254windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140013429
SendMessageW.USER32 ref: 000000014001343B
GetDlgItem.USER32 ref: 000000014001344D
SendMessageW.USER32 ref: 000000014001345E
GetDlgItem.USER32 ref: 000000014001346D
SendMessageW.USER32 ref: 0000000140013484
GetDlgItem.USER32 ref: 0000000140013493
SendMessageW.USER32 ref: 00000001400134A5
GetDlgItem.USER32 ref: 00000001400134CC
SendMessageW.USER32 ref: 00000001400134DD
GetDlgItem.USER32 ref: 00000001400134EC
SendMessageW.USER32 ref: 0000000140013500
GetDlgItem.USER32 ref: 0000000140013510
SendMessageW.USER32 ref: 0000000140013524
GetDlgItem.USER32 ref: 000000014001355B
SendMessageW.USER32 ref: 000000014001356C
GetDlgItem.USER32 ref: 0000000140013578
SendMessageW.USER32 ref: 0000000140013589
GetDlgItem.USER32 ref: 0000000140013598
SendMessageW.USER32 ref: 00000001400135A9
GetDlgItem.USER32 ref: 00000001400135B8
SendMessageW.USER32 ref: 00000001400135C9
EndDialog.USER32 ref: 00000001400135D8
PostQuitMessage.USER32 ref: 00000001400135E1
GetDlgItem.USER32 ref: 00000001400135F5
SendMessageW.USER32 ref: 0000000140013606
GetDlgItem.USER32 ref: 0000000140013625
SendMessageW.USER32 ref: 0000000140013639
GetDlgItem.USER32 ref: 000000014001365F
SendMessageW.USER32 ref: 0000000140013675
GetDlgItem.USER32 ref: 000000014001373D
SendMessageW.USER32 ref: 0000000140013751

Strings

forall , xrefs: 000000014001352A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Message$ItemSend$DialogPostQuit
String ID: forall
API String ID: 3324692860-1056140417
Opcode ID: f6947c149669c0dbfbf2dbbacbf94d7a9bfeb96a041f4d752126100307eba41c
Instruction ID: 87455486c33b27b8cf29d0c37acd839ce203718a171ce02a85bea06c2aac402e
Opcode Fuzzy Hash: f6947c149669c0dbfbf2dbbacbf94d7a9bfeb96a041f4d752126100307eba41c
Instruction Fuzzy Hash: 70B19E72700A8182FB66DB37EC55BAA73A1E78DFD5F4481209B5A4BBB4CF39C8458740

Function 000000014000BFFC Relevance: 55.1, APIs: 19, Strings: 12, Instructions: 837stringfilewindowCOMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 000000014000C07A
lstrcmpiW.KERNEL32 ref: 000000014000C0DB
lstrcmpiW.KERNEL32 ref: 000000014000C10D
lstrlenW.KERNEL32 ref: 000000014000C164
lstrlenW.KERNEL32 ref: 000000014000C1F6
lstrcmpiW.KERNEL32 ref: 000000014000C269
lstrcmpW.KERNEL32 ref: 000000014000C29A
lstrlenW.KERNEL32 ref: 000000014000C2D0
GetActiveWindow.USER32 ref: 000000014000C32C
GetTempPathW.KERNEL32 ref: 000000014000C3E4
lstrlenW.KERNEL32 ref: 000000014000C3F9

Part of subcall function 000000014000998C: LoadStringW.USER32 ref: 00000001400099C9
Part of subcall function 000000014000998C: lstrlenW.KERNEL32 ref: 00000001400099ED

Part of subcall function 000000014000AC04: lstrlenW.KERNEL32 ref: 000000014000AC4C

Part of subcall function 000000014000AB88: lstrlenW.KERNEL32 ref: 000000014000ABCF

GetModuleFileNameW.KERNEL32 ref: 000000014000C5E7
CopyFileW.KERNEL32 ref: 000000014000C609
MessageBoxW.USER32 ref: 000000014000C753
lstrlenW.KERNEL32 ref: 000000014000C879
ShellExecuteW.SHELL32 ref: 000000014000C939
GetModuleFileNameW.KERNEL32 ref: 000000014000CB1E
CharLowerW.USER32 ref: 000000014000CB9E
lstrlenW.KERNEL32 ref: 000000014000CC57

Strings

setup, xrefs: 000000014000CBF8
for_all_install, xrefs: 000000014000C8A2
install, xrefs: 000000014000CBAA
-runas -uninstall+", xrefs: 000000014000C8DB
runas, xrefs: 000000014000C90B
forall, xrefs: 000000014000C106
_uninstall.ini, xrefs: 000000014000C51D
_uninstall.exe, xrefs: 000000014000C458
open, xrefs: 000000014000C912
inst_all, xrefs: 000000014000CBCF
-uninstall, xrefs: 000000014000C262, 000000014000C293
-install, xrefs: 000000014000C0D4

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$Filelstrcmpi$CharLowerModuleName$ActiveCopyExecuteLoadMessagePathShellStringTempWindowlstrcmp
String ID: -install$-runas -uninstall+"$-uninstall$_uninstall.exe$_uninstall.ini$for_all_install$forall$inst_all$install$open$runas$setup
API String ID: 2504411763-1341484687
Opcode ID: 8562d175aedde86520c8cd2ec8d3d0bc397fb097088fd8139ba27f20c5951f99
Instruction ID: cf43a6124aa4e3bb155e5ad45821fdca4f14204c7f904ce3f0e914a877faeb3c
Opcode Fuzzy Hash: 8562d175aedde86520c8cd2ec8d3d0bc397fb097088fd8139ba27f20c5951f99
Instruction Fuzzy Hash: 87826272312A8082EA62DB6AE8517DA63A1F7897B4F584311E77E876F5CF3CC485C740

Function 000000014001048C Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 314filewindowCOMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400104E2

Part of subcall function 00000001400852AC: _cwprintf_s_l.LIBCMT ref: 00000001400852E4

SetFileAttributesW.KERNEL32 ref: 0000000140010569
GetDlgItem.USER32 ref: 000000014001059C
SendMessageW.USER32 ref: 00000001400105B2
_cwprintf_s_l.LIBCMT ref: 00000001400105DB
CopyFileW.KERNEL32 ref: 00000001400105F0
GetDlgItem.USER32 ref: 00000001400105FF
SendMessageW.USER32 ref: 0000000140010610
_cwprintf_s_l.LIBCMT ref: 000000014001064D
CopyFileW.KERNEL32 ref: 00000001400106AA
GetDlgItem.USER32 ref: 00000001400106B9
SendMessageW.USER32 ref: 00000001400106CA
_cwprintf_s_l.LIBCMT ref: 00000001400106EB
CopyFileW.KERNEL32 ref: 0000000140010700
ShellExecuteW.SHELL32 ref: 0000000140010724

Strings

Link, xrefs: 0000000140010531
.\Favoriten\Quick-Link\, xrefs: 000000014001052A
Favoriten, xrefs: 000000014001051B
Ordner, xrefs: 0000000140010514
%s\%s.lnk, xrefs: 000000014001057E
m_lang_id, xrefs: 00000001400104F6
.\Favoriten\, xrefs: 000000014001050D
open, xrefs: 000000014001071B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0000000140010623
portable_install, xrefs: 000000014001054E
m_lang_id=%d, xrefs: 00000001400104D3
Program, xrefs: 0000000140010555

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: _cwprintf_s_l$File$CopyItemMessageSend$AttributesExecuteShell
String ID: %s\%s.lnk$.\Favoriten\$.\Favoriten\Quick-Link\$Favoriten$Link$Ordner$Program$\Microsoft\Internet Explorer\Quick Launch$m_lang_id$m_lang_id=%d$open$portable_install
API String ID: 865069665-912432381
Opcode ID: 09fd3be6d87d3314e842234ac9bfaaf60286fd91aaa6fe79aa6a6f993e03e53e
Instruction ID: f5fd568eb4fa89ef09741f301376edfd5dbb115e4928b6f7acd597c23f9de95b
Opcode Fuzzy Hash: 09fd3be6d87d3314e842234ac9bfaaf60286fd91aaa6fe79aa6a6f993e03e53e
Instruction Fuzzy Hash: 56E1B633205A8086E7628B7AE8553DD33A0F789BB4F444302E7A99B6F2DE7DD4858740

Function 0000000140021A00 Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 320windowstringCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140021A43
SendMessageW.USER32 ref: 0000000140021A79
SendMessageW.USER32 ref: 0000000140021AFE
SendMessageW.USER32 ref: 0000000140021B68
lstrlenW.KERNEL32 ref: 0000000140021BE0
lstrlenW.KERNEL32 ref: 0000000140021C3B
SendMessageW.USER32 ref: 0000000140021C8E
SetWindowPos.USER32 ref: 0000000140021CF0
SendMessageW.USER32 ref: 0000000140021D22
SendMessageW.USER32 ref: 0000000140021D64
SetWindowPos.USER32 ref: 0000000140021D9E
_cwprintf_s_l.LIBCMT ref: 0000000140021DCF
SendMessageW.USER32 ref: 0000000140021DEE
SendMessageW.USER32 ref: 0000000140021E0F
SendMessageW.USER32 ref: 0000000140021E26
ImageList_GetIconSize.COMCTL32 ref: 0000000140021E3F
SendMessageW.USER32 ref: 0000000140021E70
SendMessageW.USER32 ref: 0000000140021E8A
SendMessageW.USER32 ref: 0000000140021E9F
SetWindowPos.USER32 ref: 0000000140021EDC
SendMessageW.USER32 ref: 0000000140021F0A
SetWindowPos.USER32 ref: 0000000140021F51

Strings

0, xrefs: 0000000140021AA0
@, xrefs: 0000000140021D3A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Window$lstrlen$ClientIconImageList_RectSize_cwprintf_s_l
String ID: 0$@
API String ID: 3730665866-1545510068
Opcode ID: 11cc51ba024c335070304a6cd7586fed144db14e9716be4ba93d075a169ea3cb
Instruction ID: f515dbf1d49814e9e3407b6919e0efcb9013ed6d199b989b111f9ff7d72fbfb8
Opcode Fuzzy Hash: 11cc51ba024c335070304a6cd7586fed144db14e9716be4ba93d075a169ea3cb
Instruction Fuzzy Hash: AFE16B722146C48BE765CF66E8447DEB7A0F3C8B84F548115EB8957B68CB39D865CF00

Function 000000014000909C Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 287windowregistrystringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00000001400090F7
lstrcmpiW.KERNEL32 ref: 0000000140009114
GetWindowLongW.USER32 ref: 0000000140009127
SetWindowLongW.USER32 ref: 0000000140009140
GetWindowLongW.USER32 ref: 000000014000914C
CreateCursor.USER32 ref: 00000001400091C5
GetParent.USER32 ref: 00000001400091E6
SendMessageW.USER32 ref: 00000001400091F9
GetStockObject.GDI32 ref: 000000014000920C
GetObjectW.GDI32 ref: 0000000140009244
CreateFontIndirectW.GDI32 ref: 0000000140009283
GetWindowTextLengthW.USER32 ref: 00000001400092D3
GetWindowTextW.USER32 ref: 0000000140009351
SendMessageW.USER32 ref: 00000001400093DA
SendMessageW.USER32 ref: 000000014000945B
RegOpenKeyExW.ADVAPI32 ref: 000000014000949D
RegCloseKey.ADVAPI32 ref: 000000014000956D

Strings

Software\Microsoft\Internet Explorer\Settings, xrefs: 000000014000948F
static, xrefs: 0000000140009105
Anchor Color Visited, xrefs: 0000000140009539
Anchor Color, xrefs: 00000001400094F8
H, xrefs: 00000001400093F8
tooltips_class32, xrefs: 00000001400092B2

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$LongMessageSend$CreateObjectText$ClassCloseCursorFontIndirectLengthNameOpenParentStocklstrcmpi
String ID: Anchor Color$Anchor Color Visited$H$Software\Microsoft\Internet Explorer\Settings$static$tooltips_class32
API String ID: 4016893531-15458338
Opcode ID: 212ea544e0e226f010af4f5bfcc0c737a4f562a775f8519822f56687e2b46025
Instruction ID: 85be3385342c9aca68e5758e7a1ed4048d160111e8e1d2afd3ed2a036945b3fd
Opcode Fuzzy Hash: 212ea544e0e226f010af4f5bfcc0c737a4f562a775f8519822f56687e2b46025
Instruction Fuzzy Hash: 44E16172204B8186EB72DF26F4847DEB3A1F788B90F544126EB9A47AB4DF78D545CB00

Function 000000014000A378 Relevance: 39.1, APIs: 26, Instructions: 141windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000998C: LoadStringW.USER32 ref: 00000001400099C9
Part of subcall function 000000014000998C: lstrlenW.KERNEL32 ref: 00000001400099ED

GetDlgItem.USER32 ref: 000000014000A3B5
SendMessageW.USER32 ref: 000000014000A3C9
GetDlgItem.USER32 ref: 000000014000A3E2
SendMessageW.USER32 ref: 000000014000A3FA
GetDlgItem.USER32 ref: 000000014000A40B
SendMessageW.USER32 ref: 000000014000A420
GetDlgItem.USER32 ref: 000000014000A42F
EnableWindow.USER32 ref: 000000014000A443
GetDlgItem.USER32 ref: 000000014000A452
EnableWindow.USER32 ref: 000000014000A466
GetDlgItem.USER32 ref: 000000014000A475
EnableWindow.USER32 ref: 000000014000A489
GetDlgItem.USER32 ref: 000000014000A498
EnableWindow.USER32 ref: 000000014000A4AC
GetDlgItem.USER32 ref: 000000014000A4BB
EnableWindow.USER32 ref: 000000014000A4CF
GetDlgItem.USER32 ref: 000000014000A4DE
EnableWindow.USER32 ref: 000000014000A4F2
GetDlgItem.USER32 ref: 000000014000A501
SendMessageW.USER32 ref: 000000014000A520
GetDlgItem.USER32 ref: 000000014000A52F
SendMessageW.USER32 ref: 000000014000A54E
GetDlgItem.USER32 ref: 000000014000A55D
SendMessageW.USER32 ref: 000000014000A57C
GetDlgItem.USER32 ref: 000000014000A58B
SendMessageW.USER32 ref: 000000014000A5AA

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Item$MessageSend$EnableWindow$LoadStringlstrlen
String ID:
API String ID: 1173643101-0
Opcode ID: 7c7d513955768bfae79e3a188177268da00716552af1d794ceb65d20afd4135a
Instruction ID: 6dabcdcea65f6328270f3a14a4be7ba257ce24461f4ee2d6b5f721c516a55c37
Opcode Fuzzy Hash: 7c7d513955768bfae79e3a188177268da00716552af1d794ceb65d20afd4135a
Instruction Fuzzy Hash: 09512F71602A9182F766DF76ED1479A3361EBCDFA5F1881219B050BAB8CF3DC885C740

Function 000000014001A9B8 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 310windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014001AA20
SendMessageW.USER32 ref: 000000014001AA34
GetDlgItem.USER32 ref: 000000014001AA4E
SendMessageW.USER32 ref: 000000014001AA62
_cwprintf_s_l.LIBCMT ref: 000000014001AA95
GetDlgItem.USER32 ref: 000000014001AAE5
SendMessageW.USER32 ref: 000000014001AAF9
GetDlgItem.USER32 ref: 000000014001AB0E
SendMessageW.USER32 ref: 000000014001AB22
GetDlgItem.USER32 ref: 000000014001AB31
SendMessageW.USER32 ref: 000000014001AB45
GetDlgItem.USER32 ref: 000000014001AB54
EnableWindow.USER32 ref: 000000014001AB65
GetDlgItem.USER32 ref: 000000014001ABC9
SendMessageW.USER32 ref: 000000014001ABDD
MessageBoxW.USER32 ref: 000000014001ACF6

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

GetDlgItem.USER32 ref: 000000014001AC38
SendMessageW.USER32 ref: 000000014001AC4C
GetDlgItem.USER32 ref: 000000014001AE40
SendMessageW.USER32 ref: 000000014001AE5B

Strings

%d, xrefs: 000000014001AA86
Folder, xrefs: 000000014001ABE9, 000000014001AC0A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ItemMessage$Send$lstrlen$ByteCharEnableMultiWideWindow_cwprintf_s_l
String ID: %d$Folder
API String ID: 1125211564-3146767445
Opcode ID: d5c5b766d43663587aaf605c0f3c775f4b55a46af071f10d0a1cd3309bd6e41c
Instruction ID: 21c51c626c70cd87c04718b6dab06da61f7cb9eb7a6040d354ccdd7e0e2232fa
Opcode Fuzzy Hash: d5c5b766d43663587aaf605c0f3c775f4b55a46af071f10d0a1cd3309bd6e41c
Instruction Fuzzy Hash: 73D1707230198082EA52DB6AE8547DA63A1F7C9BF4F544712AB2E4BBF5DE3DC8418740

Function 0000000140008C3C Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 275COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 0000000140008C94
LoadResource.KERNEL32 ref: 0000000140008CAE

Strings

ToolbarWindow32, xrefs: 0000000140008E56
@ , xrefs: 0000000140008F67

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Resource$FindLoad
String ID: @ $ToolbarWindow32
API String ID: 2619053042-323118299
Opcode ID: ba8c7da73fdf4611577f9cc5b69f03cab2a023da74b4aa09a77eb4ab799658c9
Instruction ID: 86fd8192aee64fd393b297de248f850f55717a7b1b35142793763b7c302a9f68
Opcode Fuzzy Hash: ba8c7da73fdf4611577f9cc5b69f03cab2a023da74b4aa09a77eb4ab799658c9
Instruction Fuzzy Hash: E0C1BE72215BD086E7A1CB26F8147AE77A1F38CBD4F548125EB8A47BA4DB3DC480CB00

Function 000000014001D000 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 323memoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014001D037
LoadResource.KERNEL32 ref: 000000014001D058
LockResource.KERNEL32 ref: 000000014001D066
FindResourceW.KERNEL32 ref: 000000014001D087
LoadResource.KERNEL32 ref: 000000014001D0A0
LockResource.KERNEL32 ref: 000000014001D0B2
GetWindow.USER32 ref: 000000014001D100
GlobalAlloc.KERNEL32 ref: 000000014001D1B0
GlobalLock.KERNEL32 ref: 000000014001D1C7
GlobalUnlock.KERNEL32 ref: 000000014001D209
CreateStreamOnHGlobal.OLE32 ref: 000000014001D21F
MapDialogRect.USER32 ref: 000000014001D2CB
SetWindowContextHelpId.USER32 ref: 000000014001D34F
SetWindowPos.USER32 ref: 000000014001D3C0
#6.OLEAUT32 ref: 000000014001D3E7
GetWindow.USER32 ref: 000000014001D413

Part of subcall function 0000000140015570: GetLastError.KERNEL32 ref: 0000000140015574

#6.OLEAUT32 ref: 000000014001D489

Strings

AtlAxWinLic90, xrefs: 000000014001D320

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Resource$GlobalWindow$Lock$FindLoad$AllocContextCreateDialogErrorHelpLastRectStreamUnlock
String ID: AtlAxWinLic90
API String ID: 3889352284-3795641830
Opcode ID: de0d6f08919c3052e159f00e3193dda42f239365d0447abbbd27013998200e8d
Instruction ID: 51d079df90b8a02c2a86cf8d9dc758cc88ac7561a0772db8427750d37b632643
Opcode Fuzzy Hash: de0d6f08919c3052e159f00e3193dda42f239365d0447abbbd27013998200e8d
Instruction Fuzzy Hash: 13D16F3620469086EB65DF62E4503EA73A1F78CBC4F188526FB5A4FBB4DB7AD844C740

Function 0000000140024A78 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 218windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140105C3C: GetWindowsDirectoryW.KERNEL32 ref: 0000000140105CA3
Part of subcall function 0000000140105C3C: SHGetFileInfoW.SHELL32 ref: 0000000140105CCB
Part of subcall function 0000000140105C3C: SHGetFileInfoW.SHELL32 ref: 0000000140105CF6

Part of subcall function 0000000140020DC0: SendMessageW.USER32 ref: 0000000140020E75
Part of subcall function 0000000140020DC0: SendMessageW.USER32 ref: 0000000140020EFB

Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F58B
Part of subcall function 000000014001F2A4: CreateWindowExW.USER32 ref: 000000014001F5EC
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F608
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F61C
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F638
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F64C
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F669
Part of subcall function 000000014001F2A4: SendMessageW.USER32 ref: 000000014001F67D

SetParent.USER32 ref: 0000000140024AE9

Part of subcall function 000000014001E45C: GetWindowRect.USER32 ref: 000000014001E47E

CreateWindowExW.USER32 ref: 0000000140024B49
SendMessageW.USER32 ref: 0000000140024B6B
SendMessageW.USER32 ref: 0000000140024B80
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140024BE4
SendMessageW.USER32 ref: 0000000140024C82
SendMessageW.USER32 ref: 0000000140024C9C
GetWindowLongW.USER32 ref: 0000000140024CD4
SetWindowLongW.USER32 ref: 0000000140024CF0
SendMessageW.USER32 ref: 0000000140024D05
SendMessageW.USER32 ref: 0000000140024D35
GetSystemMetrics.USER32 ref: 0000000140024D3E
SendMessageW.USER32 ref: 0000000140024D67
SendMessageW.USER32 ref: 0000000140024D7C
SetWindowPos.USER32 ref: 0000000140024DD5
ShowWindow.USER32 ref: 0000000140024DE7

Strings

d, xrefs: 0000000140024B25
ToolbarWindow32, xrefs: 0000000140024B40

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Window$CreateFileInfoLong$DirectoryFolderLocationMetricsParentRectShowSpecialSystemWindows
String ID: ToolbarWindow32$d
API String ID: 3673439606-1364537291
Opcode ID: da462dc776a07fecd68a21ef27e8583de3242e8132480acd492de46ce9948398
Instruction ID: 9830e13c2f5f986fa01b6c7e6cdaa0575e950eba642a179dc9f7cec8fa218f83
Opcode Fuzzy Hash: da462dc776a07fecd68a21ef27e8583de3242e8132480acd492de46ce9948398
Instruction Fuzzy Hash: 15A16C7620468087E765DF26E8507DEB3A1F78CB94F544025EB8A8BB75CF39C94ACB00

Function 000000014000D458 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 247windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 000000014000D49C

Part of subcall function 0000000140007FF4: GetSubMenu.USER32 ref: 0000000140008008

GetMenuItemCount.USER32 ref: 000000014000D4C1
DestroyMenu.USER32 ref: 000000014000D5F0
GetMenuItemCount.USER32 ref: 000000014000D5FE
SendMessageW.USER32 ref: 000000014000D63A
GetMenuItemInfoW.USER32 ref: 000000014000D6AB
_cwprintf_s_l.LIBCMT ref: 000000014000D6ED
SendMessageW.USER32 ref: 000000014000D781

Part of subcall function 000000014007E7A0: GetMenuItemInfoW.USER32 ref: 000000014007E82D
Part of subcall function 000000014007E7A0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000D4EE), ref: 000000014007E83E

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

SendMessageW.USER32 ref: 000000014000D79E
DestroyMenu.USER32 ref: 000000014000D805
DestroyMenu.USER32 ref: 000000014000D816

Strings

H, xrefs: 000000014000D65F
InitLangCombo-ERR, xrefs: 000000014000D60B
| , xrefs: 000000014000D74F
P, xrefs: 000000014000D68D
10900, xrefs: 000000014000D4EF
ID:%d, xrefs: 000000014000D6E1

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Menu$Item$DestroyMessageSendlstrlen$CountInfo$ByteCharLoadMultiWide_cwprintf_s_l
String ID: ID:%d$ | $10900$H$InitLangCombo-ERR$P
API String ID: 2576854577-3851071048
Opcode ID: b755c7a2f0a5b9e27a8672cc3b79c1c9fff2e32756b21b6200b3ea2545efba30
Instruction ID: 20116706675992dc0dd6a543d8b96af0499e673c97be450d8ca5d57fafb5b745
Opcode Fuzzy Hash: b755c7a2f0a5b9e27a8672cc3b79c1c9fff2e32756b21b6200b3ea2545efba30
Instruction Fuzzy Hash: 28B1A272215A4182EA62DB2AE8417EA7360FB8DBF4F444212AF6D476F5DF78C845CB40

Function 0000000140007274 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00000001400072A2
GetDlgItem.USER32 ref: 00000001400072B0
GetWindowRect.USER32 ref: 00000001400072C1
ScreenToClient.USER32 ref: 00000001400072CF
ScreenToClient.USER32 ref: 00000001400072DD
GetClientRect.USER32 ref: 00000001400072EE

Part of subcall function 0000000140048318: LoadLibraryW.KERNEL32 ref: 000000014004832C
Part of subcall function 0000000140048318: GetProcAddress.KERNEL32 ref: 0000000140048353

Part of subcall function 00000001400487CC: GetProcAddress.KERNEL32 ref: 0000000140048805

Part of subcall function 000000014004839C: GetProcAddress.KERNEL32 ref: 00000001400483AF

Part of subcall function 00000001400483E0: GetProcAddress.KERNEL32 ref: 00000001400483F3

CreateDIBSection.GDI32 ref: 000000014000739F
GetDC.USER32 ref: 00000001400073AA
CreateCompatibleDC.GDI32 ref: 00000001400073B3
SelectObject.GDI32 ref: 00000001400073C2
SelectObject.GDI32 ref: 000000014000741E
ReleaseDC.USER32 ref: 0000000140007429
SendMessageW.USER32 ref: 000000014000743D

Part of subcall function 0000000140048780: GetProcAddress.KERNEL32 ref: 00000001400487A5
Part of subcall function 0000000140048780: FreeLibrary.KERNEL32 ref: 00000001400487BE

Strings

bitmap9.jpg, xrefs: 000000014000730D
PNG, xrefs: 0000000140007306
(, xrefs: 0000000140007344

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressProc$Client$CreateItemLibraryObjectRectScreenSelect$CompatibleFreeLoadMessageReleaseSectionSendWindow
String ID: ($PNG$bitmap9.jpg
API String ID: 730289181-2908563061
Opcode ID: 09fbaf4045a4607f18a197df20f88c37a2a963bc86c1ec830f2e47abbfd2117b
Instruction ID: e3f5f732d1241b50202e92e1289a60451ceede66af42e874af80bba1de0125b7
Opcode Fuzzy Hash: 09fbaf4045a4607f18a197df20f88c37a2a963bc86c1ec830f2e47abbfd2117b
Instruction Fuzzy Hash: 24513972218B818AE751DF26E41839EB360F788BD6F145125EB8A07BA9CF7DC449CF40

Function 000000014011B450 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 164windowCOMMON

Download Yara Rule

APIs

InitCommonControlsEx.COMCTL32 ref: 000000014011B492
CreateWindowExW.USER32 ref: 000000014011B4F2
GetStockObject.GDI32 ref: 000000014011B500
GetObjectW.GDI32 ref: 000000014011B527
CreateFontIndirectW.GDI32 ref: 000000014011B54A
SendMessageW.USER32 ref: 000000014011B55C
SendMessageW.USER32 ref: 000000014011B570
SendMessageW.USER32 ref: 000000014011B5A3
SendMessageW.USER32 ref: 000000014011B5D7
SendMessageW.USER32 ref: 000000014011B66C
SendMessageW.USER32 ref: 000000014011B6A5
SendMessageW.USER32 ref: 000000014011B6D5

Strings

, xrefs: 000000014011B4C4
ToolbarWindow32, xrefs: 000000014011B4E1
d, xrefs: 000000014011B4CF

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$CreateObject$CommonControlsFontIndirectInitStockWindow
String ID: $ToolbarWindow32$d
API String ID: 2235514304-853020219
Opcode ID: 04f20807d92875e8a941c46ab5e9a55c7c36849dd24a71f01fe2bb3f4ca10e66
Instruction ID: 81380e565916d0e3a220b6bcff18d90d1e69f70c6a8208045f8504cb5dddd19f
Opcode Fuzzy Hash: 04f20807d92875e8a941c46ab5e9a55c7c36849dd24a71f01fe2bb3f4ca10e66
Instruction Fuzzy Hash: BF61E1722146908BE761CF26F854BEA77A0F788F99F544114EF990BEA9DB3CC546CB00

Function 000000014000B824 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 203filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AB88: lstrlenW.KERNEL32 ref: 000000014000ABCF

GetTempPathW.KERNEL32 ref: 000000014000B8E2
GetTempPathW.KERNEL32 ref: 000000014000B8F1
GetModuleFileNameW.KERNEL32 ref: 000000014000B92B
CreateFileW.KERNEL32 ref: 000000014000B973
_cwprintf_s_l.LIBCMT ref: 000000014000B9A8
lstrlenW.KERNEL32 ref: 000000014000B9D7
WideCharToMultiByte.KERNEL32 ref: 000000014000BA47
WriteFile.KERNEL32 ref: 000000014000BA6A
CloseHandle.KERNEL32 ref: 000000014000BA73
ShellExecuteW.SHELL32 ref: 000000014000BA9A

Strings

_selfdestruct.bat, xrefs: 000000014000B878
open, xrefs: 000000014000BA91
###, xrefs: 000000014000B9B4
:Repeat###DEL "%s"###if exist "%s" goto Repeat###DEL "%s"###, xrefs: 000000014000B867

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: File$PathTemplstrlen$ByteCharCloseCreateExecuteHandleModuleMultiNameShellWideWrite_cwprintf_s_l
String ID: ###$:Repeat###DEL "%s"###if exist "%s" goto Repeat###DEL "%s"###$_selfdestruct.bat$open
API String ID: 526318972-2663367853
Opcode ID: e0ef0da1caaaa179e51490a716369e6204e6a809852cf07e17a30ec8e6058aa4
Instruction ID: 604c710743bc7a9a6ac54444303196fb82ccd627159c2c83cb5586e85e4cd396
Opcode Fuzzy Hash: e0ef0da1caaaa179e51490a716369e6204e6a809852cf07e17a30ec8e6058aa4
Instruction Fuzzy Hash: 8BA15F72200A848AEB21DF76E8517D933A1F789BBCF444315E7294BAE9DF39C549C740

Function 00000001400238F8 Relevance: 21.2, APIs: 14, Instructions: 197windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 0000000140023A53
ShowWindow.USER32 ref: 0000000140023A67
SendMessageW.USER32 ref: 0000000140023A83
GetClientRect.USER32 ref: 0000000140023ACC
GetClientRect.USER32 ref: 0000000140023ADB
SendMessageW.USER32 ref: 0000000140023AF3
SetWindowPos.USER32 ref: 0000000140023B2D

Part of subcall function 000000014001FA20: SHGetSpecialFolderLocation.SHELL32 ref: 000000014001FB76
Part of subcall function 000000014001FA20: SHGetDesktopFolder.SHELL32 ref: 000000014001FB86

ShowWindow.USER32 ref: 0000000140023B89
SendMessageW.USER32 ref: 0000000140023BBE
GetClientRect.USER32 ref: 0000000140023C07
GetClientRect.USER32 ref: 0000000140023C16
SendMessageW.USER32 ref: 0000000140023C2E
SetWindowPos.USER32 ref: 0000000140023C68
ShowWindow.USER32 ref: 0000000140023C82

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$ClientMessageRectSendShow$Folder$DesktopLocationSpecial
String ID:
API String ID: 410288209-0
Opcode ID: 322aa77159f3c7b8964ab516e3fed0feb13d7947f0b69d87805b915b5fec351c
Instruction ID: 942626af1d8c366efc04faf1e635a78e2675706e48596580cf5a1b9c9d0c1d8e
Opcode Fuzzy Hash: 322aa77159f3c7b8964ab516e3fed0feb13d7947f0b69d87805b915b5fec351c
Instruction Fuzzy Hash: A8A12972204B8486E761DF26E4403DAB761F789F94F588129EF8D0BB69DF79C985CB00

Function 0000000140020BB8 Relevance: 19.6, APIs: 13, Instructions: 106windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140020C1F
GetWindowRect.USER32 ref: 0000000140020C3E
ScreenToClient.USER32 ref: 0000000140020C4D
ScreenToClient.USER32 ref: 0000000140020C60
ExcludeClipRect.GDI32 ref: 0000000140020C7F
MapWindowPoints.USER32 ref: 0000000140020C9F
OffsetWindowOrgEx.GDI32 ref: 0000000140020CB6
SendMessageW.USER32 ref: 0000000140020CD2
OffsetWindowOrgEx.GDI32 ref: 0000000140020CEE
SendMessageW.USER32 ref: 0000000140020D01
OffsetWindowOrgEx.GDI32 ref: 0000000140020D13
SendMessageW.USER32 ref: 0000000140020D26
SetWindowOrgEx.GDI32 ref: 0000000140020D37

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$ClientMessageOffsetRectSend$Screen$ClipExcludePoints
String ID:
API String ID: 986806451-0
Opcode ID: 8c00654a11622e0dcc756902661d98b627de24cb9cdf065ffea1d5c81ef6825d
Instruction ID: 00f282a4903dedcf0ef504674032e559c766e118f53e70da6700473c5c189a97
Opcode Fuzzy Hash: 8c00654a11622e0dcc756902661d98b627de24cb9cdf065ffea1d5c81ef6825d
Instruction Fuzzy Hash: 7E414676624A9087E7618F26F944B8ABBB0F38CFC4F545116EF4A47B28CB79C405CB80

Function 00000001400231CC Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014002326A
SendMessageW.USER32 ref: 0000000140023287

Part of subcall function 00000001400FD62C: SHGetFileInfoW.SHELL32 ref: 00000001400FD67D

SendMessageW.USER32 ref: 000000014002329C
SendMessageW.USER32 ref: 00000001400232BC
SendMessageW.USER32 ref: 0000000140023566
SendMessageW.USER32 ref: 00000001400235BF
SendMessageW.USER32 ref: 0000000140023639
GetClientRect.USER32 ref: 000000014002369B
SetWindowPos.USER32 ref: 00000001400236DE
SendMessageW.USER32 ref: 00000001400236F3

Part of subcall function 0000000140002CBC: SHGetMalloc.SHELL32 ref: 0000000140002CE8

Part of subcall function 0000000140002D3C: SHGetMalloc.SHELL32 ref: 0000000140002D81

Strings

0, xrefs: 000000014002358D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Malloc$ClientFileInfoRectWindow
String ID: 0
API String ID: 30954516-4108050209
Opcode ID: cb529b6333ca4705a5f3cca5ab3b9139987fc52c36c606cb42ce1bf2cc7aac13
Instruction ID: e8b1978d66d724abf10e59701e6cad1c3fbe022964d49da35ceb54ce9944eccd
Opcode Fuzzy Hash: cb529b6333ca4705a5f3cca5ab3b9139987fc52c36c606cb42ce1bf2cc7aac13
Instruction Fuzzy Hash: F4E1A072204A8486EB62DB26E4547DEB3A1F389BD4F444216EB6D47BF5CF38D985CB00

Function 0000000140001424 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 119windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001458

Part of subcall function 00000001400011C0: lstrlenW.KERNEL32 ref: 00000001400011E1

SendMessageW.USER32 ref: 000000014000148A
SendMessageW.USER32 ref: 00000001400014A1
lstrlenW.KERNEL32 ref: 00000001400014EC
lstrlenW.KERNEL32 ref: 00000001400014FC
SendMessageW.USER32 ref: 000000014000153E
SendMessageW.USER32 ref: 0000000140001564
SendMessageW.USER32 ref: 0000000140001578
wsprintfW.USER32 ref: 0000000140001596

Part of subcall function 00000001400013AC: SendMessageW.USER32 ref: 0000000140001405

Strings

last_entry, xrefs: 0000000140001466
entry_%03d, xrefs: 0000000140001587

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$lstrlen$wsprintf
String ID: entry_%03d$last_entry
API String ID: 2298119551-2593065581
Opcode ID: 008a9c5fa7d62b771aece80f0896661768ff2290b8738e3542514f7c33eedfca
Instruction ID: 86b7992cb3d53b04f29448162b060c05a39dc93cda4563d4c974ff5a86073e78
Opcode Fuzzy Hash: 008a9c5fa7d62b771aece80f0896661768ff2290b8738e3542514f7c33eedfca
Instruction Fuzzy Hash: 4B41707231099192FB65DB63F895BDA6291EBCDBC5F844021EF4A4BE66DE38C1058B40

Function 00000001400041C8 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 294COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014000420D

Part of subcall function 0000000140001A70: LoadLibraryW.KERNEL32 ref: 0000000140001A93
Part of subcall function 0000000140001A70: GetProcAddress.KERNEL32 ref: 0000000140001ABB

GetClientRect.USER32 ref: 0000000140004260
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400042E9
#190.SHELL32 ref: 0000000140004345

Strings

d, xrefs: 0000000140004617
d, xrefs: 0000000140004607
d, xrefs: 000000014000460F

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClientRect$#190AddressFolderLibraryLoadLocationProcSpecial
String ID: d$d$d
API String ID: 2660539279-1898527202
Opcode ID: 71c33372302f916ebc354bbbe30eccb46d4915fba6f3a10c20ba7567cc0c0410
Instruction ID: a6f3bc1b3df756f0986c1d608cc1a7eeb1e4ca896bd857a2471bc125daaf5835
Opcode Fuzzy Hash: 71c33372302f916ebc354bbbe30eccb46d4915fba6f3a10c20ba7567cc0c0410
Instruction Fuzzy Hash: 52E16C76205A8482EB21DF26E4907DEB361F789FD4F448126EB9E47BA5DF39C548CB00

Function 0000000140021068 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 185windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400210B3
SendMessageW.USER32 ref: 0000000140021190
lstrcatW.KERNEL32 ref: 00000001400211A5

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 00000001400FE27C: SHGetFileInfoW.SHELL32 ref: 00000001400FE2F8
Part of subcall function 00000001400FE27C: lstrlenW.KERNEL32 ref: 00000001400FE308

Strings

o, xrefs: 000000014002122A
p, xrefs: 00000001400212B6
0, xrefs: 0000000140021133

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$MessageSend$ByteCharFileInfoMultiWidelstrcat
String ID: 0$o$p
API String ID: 2028529823-2855627637
Opcode ID: 1b963002c905acdd9e4b1c3cbb92eebd2488d5de023baa553beeb7a623ec9a00
Instruction ID: 3be114c49241565be9ad57c24d918b27290463d7114049797c8fd31369fbb42a
Opcode Fuzzy Hash: 1b963002c905acdd9e4b1c3cbb92eebd2488d5de023baa553beeb7a623ec9a00
Instruction Fuzzy Hash: 77719D32204A8181EA52EB2BE8513EA6361FBDDBF4F804316BB6D476F5DE38C945C700

Function 0000000140007860 Relevance: 9.1, APIs: 6, Instructions: 66clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00000001400078A7
EmptyClipboard.USER32 ref: 00000001400078B1
GlobalAlloc.KERNEL32 ref: 00000001400078C9
GlobalLock.KERNEL32 ref: 00000001400078EF
SetClipboardData.USER32 ref: 000000014000790B
CloseClipboard.USER32 ref: 0000000140007911

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpen
String ID:
API String ID: 1872618283-0
Opcode ID: 594cd973ebf979aee4e0bde8c44eb27d035c6e478d97713dde4b44e7a8cf85c9
Instruction ID: be190ecb7c61bb58360671a9dd132366ebcc16387152280a04eaceafb3a8eab2
Opcode Fuzzy Hash: 594cd973ebf979aee4e0bde8c44eb27d035c6e478d97713dde4b44e7a8cf85c9
Instruction Fuzzy Hash: 6C216032201A4085EA62EB36E8553EA6761EB88FF4F480335AB6D477F6DF38C545C744

Function 0000000140026184 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140003AE4: lstrlenA.KERNEL32 ref: 0000000140003B08
Part of subcall function 0000000140003AE4: MultiByteToWideChar.KERNEL32 ref: 0000000140003B86
Part of subcall function 0000000140003AE4: lstrlenW.KERNEL32 ref: 0000000140003BA2

GetTimeZoneInformation.KERNEL32 ref: 00000001400262AF

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Strings

https, xrefs: 00000001400263CD
http, xrefs: 00000001400263B9
com, xrefs: 0000000140026322, 0000000140026368

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide$InformationTimeZone
String ID: com$http$https
API String ID: 1891917992-1205338474
Opcode ID: 7f8d9ded14d1b2e1fbde5ff34204a7be8db8e8b6ccaffbc52d971124b6693e83
Instruction ID: 7e7559996cf9e42fc57bdc9444302e077bc977e404b3c2ff2fd3f9c16d10a7aa
Opcode Fuzzy Hash: 7f8d9ded14d1b2e1fbde5ff34204a7be8db8e8b6ccaffbc52d971124b6693e83
Instruction Fuzzy Hash: F3918332309680C1EB02DB7AD8497ED37A0A749BE4F580219E7AD472F6CB7ACD45C761

Function 00000001400853D4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A9E8: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140001249), ref: 000000014000AA2C

GetPrivateProfileStringW.KERNEL32 ref: 0000000140085466
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,for_all_install,Program,0000000140085790), ref: 0000000140085478

Strings

for_all_install, xrefs: 00000001400853DC
Program, xrefs: 00000001400853DB

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$PrivateProfileString
String ID: Program$for_all_install
API String ID: 2516951217-68737091
Opcode ID: ccdaf7ac6400ac0d2139999ccba3a0792c53768118820b3a4d037f2c4a500497
Instruction ID: 80b73980f0693fcc24a34737d6480afba8fa95c67a586a6b7372958da9185dee
Opcode Fuzzy Hash: ccdaf7ac6400ac0d2139999ccba3a0792c53768118820b3a4d037f2c4a500497
Instruction Fuzzy Hash: 39213B72210A808AE741EF26E85439E6764F78DFF4F544221BF6E877E5CB78C5518740

Function 00000001400038A8 Relevance: 4.5, APIs: 3, Instructions: 22timekeyboardCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00000001400038BA
GetAsyncKeyState.USER32 ref: 00000001400038C5
SetTimer.USER32 ref: 00000001400038E6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Timer$AsyncKillState
String ID:
API String ID: 3065476933-0
Opcode ID: c61981b638d52854e934b5ce57fdcafba756d400136af1b0950cb53aa9c6da54
Instruction ID: 83b0dc558db1e19b8b48179a39578b0fa32cfe84b150e48cabf1ca8d5a4039f0
Opcode Fuzzy Hash: c61981b638d52854e934b5ce57fdcafba756d400136af1b0950cb53aa9c6da54
Instruction Fuzzy Hash: ACE0927170058182EB1ADB63F4213A92224E79CFD2F084020EF460B3A2CE3AC8918750

Function 00000001400198D0 Relevance: 51.1, APIs: 20, Strings: 9, Instructions: 324COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140019942
IsWindow.USER32 ref: 0000000140019979
GetSysColor.USER32 ref: 00000001400199D3
GetWindowLongW.USER32 ref: 0000000140019A92

Strings

t, xrefs: 0000000140019B41
:, xrefs: 0000000140019B70
s, xrefs: 0000000140019B1D
7, xrefs: 0000000140019AD3
l, xrefs: 0000000140019B65
m, xrefs: 0000000140019B53
M, xrefs: 0000000140019B04
h, xrefs: 0000000140019B2F
m, xrefs: 0000000140019B0B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$ColorLongRedraw
String ID: 7$:$M$h$l$m$m$s$t
API String ID: 4056730343-774144524
Opcode ID: b7f5465834f6e590c0bbed4cce9958aad9cdde72733777f65dba2b1614c7fcd9
Instruction ID: 78b4388999416cd18bfcb0f14d0a6cd4aa7666f392b8eb34da5cf203a5b0034f
Opcode Fuzzy Hash: b7f5465834f6e590c0bbed4cce9958aad9cdde72733777f65dba2b1614c7fcd9
Instruction Fuzzy Hash: 99E1B432208A8481EB62DF66E4443ED77A5F788BD4F548116EB4A5F7B8CF7AC884C741

Function 0000000140026470 Relevance: 39.2, APIs: 1, Strings: 25, Instructions: 177stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 0000000140003AE4: lstrlenA.KERNEL32 ref: 0000000140003B08
Part of subcall function 0000000140003AE4: MultiByteToWideChar.KERNEL32 ref: 0000000140003B86
Part of subcall function 0000000140003AE4: lstrlenW.KERNEL32 ref: 0000000140003BA2

lstrlenW.KERNEL32 ref: 00000001400266AB

Strings

w, xrefs: 0000000140026521
t, xrefs: 00000001400264FE
r, xrefs: 000000014002654E
w, xrefs: 0000000140026526
., xrefs: 000000014002652B
a, xrefs: 0000000140026549
:, xrefs: 000000014002650D
e, xrefs: 0000000140026553
o, xrefs: 0000000140026535
p, xrefs: 0000000140026508
., xrefs: 0000000140026562
auto_update_domain, xrefs: 00000001400264B6
w, xrefs: 000000014002651C
t, xrefs: 0000000140026503
s, xrefs: 0000000140026530
w, xrefs: 0000000140026544
k, xrefs: 000000014002655D
f, xrefs: 000000014002653A
o, xrefs: 0000000140026558
t, xrefs: 000000014002653F
com, xrefs: 0000000140026598
/, xrefs: 0000000140026512
h, xrefs: 00000001400264F9
/, xrefs: 0000000140026517
Start, xrefs: 00000001400264C9

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide
String ID: .$.$/$/$:$Start$a$auto_update_domain$com$e$f$h$k$o$o$p$r$s$t$t$t$w$w$w$w
API String ID: 477651035-1038781873
Opcode ID: 652a20e7a2572e4ecdc1d2d50a95e814720ad845413677b369cbd449c423dca3
Instruction ID: 605818b88a422d67cb553fba9621f2b72a2fa53064d5ecd022150907ca5edf59
Opcode Fuzzy Hash: 652a20e7a2572e4ecdc1d2d50a95e814720ad845413677b369cbd449c423dca3
Instruction Fuzzy Hash: 5481913220868086E752CB3AE8487DD77A5F389BD8F584215F79C476BACB7DC949CB10

Function 00000001400FEC0C Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 185windowmemoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 00000001400FEC7A
SetWindowLongW.USER32 ref: 00000001400FEC94
GetWindowLongW.USER32 ref: 00000001400FECAA
SetWindowLongW.USER32 ref: 00000001400FECC3
GetWindowLongW.USER32 ref: 00000001400FECE2
GetWindowLongW.USER32 ref: 00000001400FECF1
SetWindowLongW.USER32 ref: 00000001400FED0A
SHGetSettings.SHELL32 ref: 00000001400FED3A
#18.SHELL32 ref: 00000001400FED5F
#17.SHELL32 ref: 00000001400FED6B
#16.SHELL32 ref: 00000001400FED7D
#18.SHELL32 ref: 00000001400FED86
SendMessageW.USER32 ref: 00000001400FEDE8
SendMessageW.USER32 ref: 00000001400FEDFE
SHGetSpecialFolderLocation.SHELL32 ref: 00000001400FEE10
GlobalAlloc.KERNEL32 ref: 00000001400FEE2F
#18.SHELL32 ref: 00000001400FEE3F
SendMessageW.USER32 ref: 00000001400FEEA7
SendMessageW.USER32 ref: 00000001400FEEE8

Strings

g, xrefs: 00000001400FEE24

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: LongWindow$MessageSend$AllocFolderGlobalLocationSettingsSpecial
String ID: g
API String ID: 1528256793-30677878
Opcode ID: 9d70cd2dfe3b08ff4a48f132ec8a9e10b75704701d64df2a7dac44062355b066
Instruction ID: 3535d59f8bcc30ae388a77284d4861c99e2a340e566c5f91dd2fabfe10c68ed7
Opcode Fuzzy Hash: 9d70cd2dfe3b08ff4a48f132ec8a9e10b75704701d64df2a7dac44062355b066
Instruction Fuzzy Hash: 0C81C336200B9096E7659F63E8147D9B3A1F38CBA4F184225EF5A47BA4CF79C495C740

Function 00000001400244B0 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 215windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140024503
ClientToScreen.USER32 ref: 000000014002451B
SendMessageW.USER32 ref: 000000014002455B

Part of subcall function 00000001400C4F64: SHGetMalloc.SHELL32 ref: 00000001400C4F84

Part of subcall function 00000001400FA040: SHGetMalloc.SHELL32 ref: 00000001400FA0A0

Part of subcall function 00000001400C4C68: #18.SHELL32 ref: 00000001400C4C8C
Part of subcall function 00000001400C4C68: #17.SHELL32 ref: 00000001400C4C98

#18.SHELL32 ref: 0000000140024633
GetMenuItemCount.USER32 ref: 0000000140024678
AppendMenuW.USER32 ref: 0000000140024695
AppendMenuW.USER32 ref: 00000001400246AE
SendMessageW.USER32 ref: 000000014002470B
GetParent.USER32 ref: 0000000140024717
GetParent.USER32 ref: 00000001400247EB
SendMessageW.USER32 ref: 0000000140024801
SendMessageW.USER32 ref: 000000014002472D

Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 000000014002326A
Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 0000000140023287
Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 000000014002329C
Part of subcall function 00000001400231CC: SendMessageW.USER32 ref: 00000001400232BC

SendMessageW.USER32 ref: 0000000140024787
GetParent.USER32 ref: 00000001400247A7
SendMessageW.USER32 ref: 00000001400247BD

Strings

0, xrefs: 000000014002475E
0, xrefs: 000000014002453B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$MenuParent$AppendMalloc$ClientCountItemScreen
String ID: 0$0
API String ID: 3922845531-203156872
Opcode ID: 7ce9dacb1bc64561837ac27299ddedabc1a54e358a56596400871af15922fa3b
Instruction ID: 7f67bf3373ce3a456f9989ec7ffe31b5fd478d69111acfe88976eef59cd645a9
Opcode Fuzzy Hash: 7ce9dacb1bc64561837ac27299ddedabc1a54e358a56596400871af15922fa3b
Instruction Fuzzy Hash: 67A14A72215A8082EB66DF23E8547DAB3A1F389BC0F444526EB9A47BB4CF78C945C740

Function 000000014001C80C Relevance: 28.8, APIs: 19, Instructions: 271comCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014001C895
GetWindowLongW.USER32 ref: 000000014001C8AA
SetWindowLongW.USER32 ref: 000000014001C8BC
GetWindowLongPtrW.USER32 ref: 000000014001C8CF
OleUninitialize.OLE32 ref: 000000014001C8E3
OleInitialize.OLE32 ref: 000000014001C8F0
GetWindowTextLengthW.USER32 ref: 000000014001C8F9
DefWindowProcW.USER32 ref: 000000014001CBB9

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$Long$InitializeLengthProcTextUninitialize
String ID:
API String ID: 2434527812-0
Opcode ID: 82c245bcf7b4fbf843697dfbe54cce4bd7381970a776bb4d117c168738b632a9
Instruction ID: 8cf8d774629b1b792a8639e8062def99c3f65678199ee207a8be0d27a644c741
Opcode Fuzzy Hash: 82c245bcf7b4fbf843697dfbe54cce4bd7381970a776bb4d117c168738b632a9
Instruction Fuzzy Hash: 63B16D32210B4486EB169F76D8957EC23A1FB4DFE9F444616EB6A4B7E4CF3AC4058341

Function 0000000140003BD0 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 425stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000140003C4E
CharNextW.USER32 ref: 0000000140003CA6
CharNextW.USER32 ref: 0000000140003CE5
CharNextW.USER32 ref: 0000000140003D03
CharNextW.USER32 ref: 0000000140003D1D
CharNextW.USER32 ref: 0000000140003D4C
CharNextW.USER32 ref: 0000000140003DA4
CharNextW.USER32 ref: 0000000140003DB7
lstrlenW.KERNEL32 ref: 0000000140003E2D
CharNextW.USER32 ref: 000000014000410A
CharNextW.USER32 ref: 000000014000411F
lstrlenW.KERNEL32 ref: 000000014000417B

Strings

%*.*f, xrefs: 0000000140004001

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CharNext$lstrlen
String ID: %*.*f
API String ID: 2675299387-4192566172
Opcode ID: 3fe3da11784543e7d843720205ee1903bdd7cf345871e15eea4f6f606d473c2e
Instruction ID: b4c1326da23ca97ccb6389a22e72082814a40bd792c4521e559d803615b2f45d
Opcode Fuzzy Hash: 3fe3da11784543e7d843720205ee1903bdd7cf345871e15eea4f6f606d473c2e
Instruction Fuzzy Hash: D6F1F0B660058086FB67EB2BB4183FD62A5F78CBD4F584125EB4A57AF5DB39C881C304

Function 000000014001CBF0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 99registrywindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC0B
RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC18
RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CC2B
GetClassInfoExW.USER32 ref: 000000014001CC56
LoadCursorW.USER32 ref: 000000014001CC9E
RegisterClassExW.USER32 ref: 000000014001CCC6
GetClassInfoExW.USER32 ref: 000000014001CD1A
LoadCursorW.USER32 ref: 000000014001CD62
RegisterClassExW.USER32 ref: 000000014001CD8A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001C196), ref: 000000014001CDC1

Strings

AtlAxWin90, xrefs: 000000014001CC38
WM_ATLGETCONTROL, xrefs: 000000014001CC1E
WM_ATLGETHOST, xrefs: 000000014001CC11
AtlAxWinLic90, xrefs: 000000014001CD07

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClassRegister$CriticalCursorInfoLoadMessageSectionWindow$EnterLeave
String ID: AtlAxWin90$AtlAxWinLic90$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 185448633-2573294316
Opcode ID: 4a4dc0a71a64f910c3efcc53002b9c8d915b523e739c08cd6505fd3f4404b1fa
Instruction ID: 7986171e3b76222582f8c06ca4b60176ae19bcc8dc82d8985c2837d70915d36b
Opcode Fuzzy Hash: 4a4dc0a71a64f910c3efcc53002b9c8d915b523e739c08cd6505fd3f4404b1fa
Instruction Fuzzy Hash: 0951E635208B8596E761DF12F88039AB7A4F78CB84F95011AE68E47A78DF7DC549CB40

Function 000000014001C4A0 Relevance: 22.7, APIs: 15, Instructions: 240comCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014001C523
GetWindowLongW.USER32 ref: 000000014001C538
SetWindowLongW.USER32 ref: 000000014001C54A
GetWindowLongPtrW.USER32 ref: 000000014001C55D
OleUninitialize.OLE32 ref: 000000014001C571
OleInitialize.OLE32 ref: 000000014001C57E
GetWindowTextLengthW.USER32 ref: 000000014001C587
DefWindowProcW.USER32 ref: 000000014001C7DC

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$Long$InitializeLengthProcTextUninitialize
String ID:
API String ID: 2434527812-0
Opcode ID: 227c9dd65ee7533fb1e84d7316d8b4941004fe8c613ba2a53903bd98b2763ab7
Instruction ID: 76dc4582497b9bdb2348e122cf3ea98d43fabccae93ac3cae806c58874e0c8c8
Opcode Fuzzy Hash: 227c9dd65ee7533fb1e84d7316d8b4941004fe8c613ba2a53903bd98b2763ab7
Instruction Fuzzy Hash: CBA16B32210B4086EB169F67D854BE823A1FB4DFE8F544616EB2A4BBF4DF7AC4458340

Function 0000000140008260 Relevance: 21.2, APIs: 14, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014000827B
GetDC.USER32 ref: 00000001400082A3
GetClientRect.USER32 ref: 00000001400082C8
SelectObject.GDI32 ref: 000000014000835B
DrawTextW.USER32 ref: 0000000140008397
SelectObject.GDI32 ref: 00000001400083A4
DrawTextW.USER32 ref: 00000001400083E2
SelectObject.GDI32 ref: 00000001400083EE
ReleaseDC.USER32 ref: 00000001400084BD

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ObjectSelect$DrawText$ClientRectReleaseWindow
String ID:
API String ID: 1355666434-0
Opcode ID: 893e0c766cdfdd3461609f2a558485331817d1031521fe845494253acd3cdb6d
Instruction ID: 9d926bde3497d3a3371b77ea12b0fb76e1a34730dc86fc67dd60e8615cecfe53
Opcode Fuzzy Hash: 893e0c766cdfdd3461609f2a558485331817d1031521fe845494253acd3cdb6d
Instruction Fuzzy Hash: 1B615C72604A8086E761CF6AE4443AEB3A1F789FD8F444125EF8957B68DF79C489CB40

Function 000000014001E970 Relevance: 21.2, APIs: 14, Instructions: 154COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014001E9A7
GetWindowRect.USER32 ref: 000000014001E9F8
ScreenToClient.USER32 ref: 000000014001EA07
ScreenToClient.USER32 ref: 000000014001EA1B
GetWindowRect.USER32 ref: 000000014001EA41
ScreenToClient.USER32 ref: 000000014001EA50
ScreenToClient.USER32 ref: 000000014001EA64
ShowWindow.USER32 ref: 000000014001EAB0
ShowWindow.USER32 ref: 000000014001EAD4
ShowWindow.USER32 ref: 000000014001EAF8
ShowWindow.USER32 ref: 000000014001EB1F
SetWindowPos.USER32 ref: 000000014001EB6D
ShowWindow.USER32 ref: 000000014001EB81
SetWindowPos.USER32 ref: 000000014001EBC8

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$ClientShow$Screen$Rect
String ID:
API String ID: 4033864348-0
Opcode ID: 82c66f738b9c41a2d33d2497e02259bb66c8bcd59079c4847bd791c22aabd92b
Instruction ID: 1976d155ac8d099234ee3f07ae942c047681902390d94a75db932e77025a7aee
Opcode Fuzzy Hash: 82c66f738b9c41a2d33d2497e02259bb66c8bcd59079c4847bd791c22aabd92b
Instruction Fuzzy Hash: AF7128762056C4CADB11CF26E48439E7BB1F388F98F180125EB465BB68CF7AD585CB00

Function 00000001400FD0F4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 147windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400F9DFC: SHGetDesktopFolder.SHELL32 ref: 00000001400F9E3B
Part of subcall function 00000001400F9DFC: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400F9E4A
Part of subcall function 00000001400F9DFC: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400F9E5C
Part of subcall function 00000001400F9DFC: SHGetPathFromIDListW.SHELL32 ref: 00000001400F9E8A
Part of subcall function 00000001400F9DFC: lstrlenW.KERNEL32 ref: 00000001400F9E9D
Part of subcall function 00000001400F9DFC: GetWindowsDirectoryW.KERNEL32 ref: 00000001400F9F01
Part of subcall function 00000001400F9DFC: SHGetFileInfoW.SHELL32 ref: 00000001400F9F21

Part of subcall function 00000001400FCFEC: RegisterClassExW.USER32 ref: 00000001400FD066
Part of subcall function 00000001400FCFEC: CreateWindowExW.USER32 ref: 00000001400FD0A7

GetCurrentThreadId.KERNEL32 ref: 00000001400FD164
SetWindowsHookExW.USER32 ref: 00000001400FD17A
TrackPopupMenu.USER32 ref: 00000001400FD1BB
GetMenuItemInfoW.USER32 ref: 00000001400FD23D
GetCursorPos.USER32 ref: 00000001400FD250
SendMessageW.USER32 ref: 00000001400FD284
#18.SHELL32 ref: 00000001400FD303
UnhookWindowsHookEx.USER32 ref: 00000001400FD31C
DestroyMenu.USER32 ref: 00000001400FD335

Strings

1, xrefs: 00000001400FD2B6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FolderMenuWindows$HookInfoLocationSpecial$ClassCreateCurrentCursorDesktopDestroyDirectoryFileFromItemListMessagePathPopupRegisterSendThreadTrackUnhookWindowlstrlen
String ID: 1
API String ID: 1986443932-2212294583
Opcode ID: 017e1fcdb5041dea43e4e5ef5ca760f41a045f45972e04e04561bb667492bedf
Instruction ID: 4a34fb743099f5c0d21492d07469bf26186d2e4b10e55b7b02df0579b31d6d60
Opcode Fuzzy Hash: 017e1fcdb5041dea43e4e5ef5ca760f41a045f45972e04e04561bb667492bedf
Instruction Fuzzy Hash: D8616D32200B8196E7A9DB22E590BDDB3A5F38CBC4F444016EF9947B64DFB9C4A4D780

Function 0000000140024264 Relevance: 21.1, APIs: 14, Instructions: 135windowkeyboardtimeCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00000001400242C7
GetAsyncKeyState.USER32 ref: 00000001400242E4
GetWindowTextW.USER32 ref: 0000000140024333
SendMessageW.USER32 ref: 0000000140024353

Part of subcall function 000000014001DD00: GetCursorPos.USER32 ref: 000000014001DD31
Part of subcall function 000000014001DD00: ScreenToClient.USER32 ref: 000000014001DD4A
Part of subcall function 000000014001DD00: SendMessageW.USER32 ref: 000000014001DD61
Part of subcall function 000000014001DD00: SendMessageW.USER32 ref: 000000014001DD98
Part of subcall function 000000014001DD00: GetParent.USER32 ref: 000000014001DDF0
Part of subcall function 000000014001DD00: SendMessageW.USER32 ref: 000000014001DE39

ShowWindow.USER32 ref: 0000000140024384
ShowWindow.USER32 ref: 0000000140024393
KillTimer.USER32 ref: 00000001400243A2
GetAsyncKeyState.USER32 ref: 00000001400243CB
ShowWindow.USER32 ref: 00000001400243E9
ShowWindow.USER32 ref: 00000001400243F8
KillTimer.USER32 ref: 0000000140024407
SetFocus.USER32 ref: 0000000140024411

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$MessageSendShow$AsyncFocusKillStateTimer$ClientCursorParentScreenText
String ID:
API String ID: 1093764380-0
Opcode ID: 37ebd5f6e52e66a54b59bbc2f7ff1f2532833614a27d4f5e2fa0e94b20c9e92b
Instruction ID: 6805c90a65e38899544e8c03b055e5b4624535c23f5bf62ab5c369371d14bfbe
Opcode Fuzzy Hash: 37ebd5f6e52e66a54b59bbc2f7ff1f2532833614a27d4f5e2fa0e94b20c9e92b
Instruction Fuzzy Hash: 5B518E32304A8082EB66EB63D9503EA7361F78CBD5F444026EB8E47AB5CF39DD958740

Function 000000014002483C Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130windowtimeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400248A8
SendMessageW.USER32 ref: 00000001400249A4
GetParent.USER32 ref: 00000001400249C3
SendMessageW.USER32 ref: 00000001400249DB
GetParent.USER32 ref: 0000000140024A04
SendMessageW.USER32 ref: 0000000140024A1C
GetFocus.USER32 ref: 0000000140024A2B
ShowWindow.USER32 ref: 0000000140024A3F
KillTimer.USER32 ref: 0000000140024A4E

Strings

0, xrefs: 0000000140024983
z, xrefs: 0000000140024871
n, xrefs: 0000000140024868

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$ParentWindow$FocusKillRectShowTimer
String ID: 0$n$z
API String ID: 67215063-1260578908
Opcode ID: ad2fa97399c74bd8e148a163742bb3981c4192edaa37dd00953432776324da9c
Instruction ID: 353916c933dbeb335ca23472a2ee22bd995c05d693e285e5e6657473a8f6f8bf
Opcode Fuzzy Hash: ad2fa97399c74bd8e148a163742bb3981c4192edaa37dd00953432776324da9c
Instruction Fuzzy Hash: 9A516F32205B8492EB56CF27E5403DD73A0F38CBC0F18452AEB5A47BA4CF78C9958740

Function 000000014001F004 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014001F04A
GetWindowRect.USER32 ref: 000000014001F091
ScreenToClient.USER32 ref: 000000014001F09F
ScreenToClient.USER32 ref: 000000014001F0B1
ExcludeClipRect.GDI32 ref: 000000014001F0DE
MapWindowPoints.USER32 ref: 000000014001F107
OffsetWindowOrgEx.GDI32 ref: 000000014001F122
SendMessageW.USER32 ref: 000000014001F15A
SetWindowOrgEx.GDI32 ref: 000000014001F16E
DefWindowProcW.USER32 ref: 000000014001F183
GetSysColor.USER32 ref: 000000014001F1B4

Strings

@@@, xrefs: 000000014001F19B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$ClientRectScreen$ClipColorExcludeMessageOffsetParentPointsProcSend
String ID: @@@
API String ID: 2202115610-159275591
Opcode ID: a8ba20d67e2554cb8f7e019cc5a408e0be371603667b6fe64e080c7b47ba407f
Instruction ID: cfd89bdcf9b9de1506be96823bbc52b926521566db7552c5b4f4f4d4a564549d
Opcode Fuzzy Hash: a8ba20d67e2554cb8f7e019cc5a408e0be371603667b6fe64e080c7b47ba407f
Instruction Fuzzy Hash: 81515E76604B8486E761CF27E84079EB761F388FC0F444116EB9A4BBA9CF3AD455CB00

Function 0000000140016964 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 00000001400169B8
GetStockObject.GDI32 ref: 00000001400169C6

Strings

(, xrefs: 0000000140016A01

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ObjectStock
String ID: (
API String ID: 3428563643-3887548279
Opcode ID: dbfb32c48899aaefe43eaba97014cafc6b24533e1e6f2073b3d9948d7bb9592a
Instruction ID: 5c754f1ce86fb98e8e9def602d4d805f5c7ee26293241d6fdc1ebd05c272f42c
Opcode Fuzzy Hash: dbfb32c48899aaefe43eaba97014cafc6b24533e1e6f2073b3d9948d7bb9592a
Instruction Fuzzy Hash: 86412176206B408AEB529B62E8543AA77A0FB4DBC5F484025EF4E4B764DF7DC844CB41

Function 000000014001E148 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014001E17F
GetWindowRect.USER32 ref: 000000014001E1B7
ScreenToClient.USER32 ref: 000000014001E1C6
ScreenToClient.USER32 ref: 000000014001E1DA
GetWindowRect.USER32 ref: 000000014001E200
ScreenToClient.USER32 ref: 000000014001E20F
ScreenToClient.USER32 ref: 000000014001E223
SetWindowPos.USER32 ref: 000000014001E26C
SetWindowPos.USER32 ref: 000000014001E2A7
SetWindowPos.USER32 ref: 000000014001E2BD
ShowWindow.USER32 ref: 000000014001E2CC

Strings

\, xrefs: 000000014001E28A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$Client$Screen$Rect$Show
String ID: \
API String ID: 246452983-2967466578
Opcode ID: d47420ffb9c6a9e4f20d59f050cefa3e15003d7d6e67e64eaf7e1f1bf76f9deb
Instruction ID: f665aa084009d26088d94018eddfa345193660b9efb92d92c2f5957e8de33296
Opcode Fuzzy Hash: d47420ffb9c6a9e4f20d59f050cefa3e15003d7d6e67e64eaf7e1f1bf76f9deb
Instruction Fuzzy Hash: 5F51B076214B848AD711CF2AE48865EBBB5F38CB94F184125EB8947B28CF3AD945CF40

Function 000000014000B45C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 75stringCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 000000014000B49E
GetVersionExW.KERNEL32 ref: 000000014000B4F3
_cwprintf_s_l.LIBCMT ref: 000000014000B537
lstrlenW.KERNEL32 ref: 000000014000B550
lstrlenW.KERNEL32 ref: 000000014000B56C
lstrlenW.KERNEL32 ref: 000000014000B587
lstrlenW.KERNEL32 ref: 000000014000B59D

Strings

Win32 WINDOWS, xrefs: 000000014000B565, 000000014000B572
Windows %d.%d, xrefs: 000000014000B52D
Win32s, xrefs: 000000014000B580, 000000014000B58D
Win32 NT , xrefs: 000000014000B549, 000000014000B556
Unbekannt , xrefs: 000000014000B596, 000000014000B5A3

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$Version$_cwprintf_s_l
String ID: Unbekannt $ Win32 NT $ Win32 WINDOWS$ Win32s$Windows %d.%d
API String ID: 186566674-1665667020
Opcode ID: 7ac9d5a7afde2f0ab05f418263c8f16b336959beaec5b9c1beb767fe6be93ec7
Instruction ID: a7870134e7f6aaab7ce6c1545d93f9d4c2554553abfe56dcda2b0a86a282c088
Opcode Fuzzy Hash: 7ac9d5a7afde2f0ab05f418263c8f16b336959beaec5b9c1beb767fe6be93ec7
Instruction Fuzzy Hash: B741CE74220E059AFB57DB1BEC453E437B1B75DB86F880451EB0A6B2B0DB3AC848CB51

Function 00000001400049E0 Relevance: 19.7, APIs: 13, Instructions: 175timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 0000000140004A24

Part of subcall function 00000001400041C8: GetClientRect.USER32 ref: 000000014000420D
Part of subcall function 00000001400041C8: GetClientRect.USER32 ref: 0000000140004260
Part of subcall function 00000001400041C8: SHGetSpecialFolderLocation.SHELL32 ref: 00000001400042E9
Part of subcall function 00000001400041C8: #190.SHELL32 ref: 0000000140004345

ShowWindow.USER32 ref: 0000000140004A45
KillTimer.USER32 ref: 0000000140004A5D
GlobalUnlock.KERNEL32 ref: 0000000140004B3E
GlobalFree.KERNEL32 ref: 0000000140004B47

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClientGlobalKillRectTimer$#190FolderFreeLocationShowSpecialUnlockWindow
String ID:
API String ID: 296821359-0
Opcode ID: f5d0d520823314f4caf08c963358c158c66f2b9a780af6c20416ee76c4d95752
Instruction ID: 3652137149b15181d2ea5413d4dbcb7718f1dd4f1004878e16fc513910652855
Opcode Fuzzy Hash: f5d0d520823314f4caf08c963358c158c66f2b9a780af6c20416ee76c4d95752
Instruction Fuzzy Hash: B18149B2315A4182FB66DB26F8547AA63A0F78CFD8F084121EB5A476B5DF3DC449C704

Function 000000014000BB74 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 172windowstringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000BBCF
GetWindowTextW.USER32 ref: 000000014000BBE1
lstrlenW.KERNEL32 ref: 000000014000BBF6
lstrlenW.KERNEL32 ref: 000000014000BC37
_cwprintf_s_l.LIBCMT ref: 000000014000BD34
GetDlgItem.USER32 ref: 000000014000BD4F
SetWindowTextW.USER32 ref: 000000014000BD63
SendMessageW.USER32 ref: 000000014000BD77
SendMessageW.USER32 ref: 000000014000BD9D
SendMessageW.USER32 ref: 000000014000BDB1

Strings

%s\%s, xrefs: 000000014000BD25

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$ItemTextWindowlstrlen$_cwprintf_s_l
String ID: %s\%s
API String ID: 4093046438-4073750446
Opcode ID: 68f6d6e936142cc6abd4d8e24d6dd9447a291e48de21addc7d95c0bade4a9985
Instruction ID: 53bbeb9e5caabb3b8c04ebf1d86b7c83d5c5240be59d6a0cb739a061037817ca
Opcode Fuzzy Hash: 68f6d6e936142cc6abd4d8e24d6dd9447a291e48de21addc7d95c0bade4a9985
Instruction Fuzzy Hash: C4814F72214A8182EA52DB26E8903E97360F789BF0F544322AB7E87BF5DF38C445C740

Function 000000014000204C Relevance: 18.1, APIs: 12, Instructions: 118COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0000000140002069
GetParent.USER32 ref: 000000014000207F
GetWindow.USER32 ref: 000000014000208C
GetWindowRect.USER32 ref: 000000014000209D
GetWindowLongW.USER32 ref: 00000001400020B6
SystemParametersInfoW.USER32 ref: 00000001400020D7
GetWindowRect.USER32 ref: 00000001400020F7
GetParent.USER32 ref: 0000000140002102
GetClientRect.USER32 ref: 0000000140002113
GetClientRect.USER32 ref: 0000000140002121
MapWindowPoints.USER32 ref: 0000000140002138
SetWindowPos.USER32 ref: 00000001400021DE

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$Rect$ClientLongParent$InfoParametersPointsSystem
String ID:
API String ID: 2289592163-0
Opcode ID: e78856af9152c24a87f141017bd36f2d3bad89628bb575f646988a1160544266
Instruction ID: 312306d3f7eb7005132e0c3f4ef1c4776f6e8c197fce6b373ac1fd4fb78c43b8
Opcode Fuzzy Hash: e78856af9152c24a87f141017bd36f2d3bad89628bb575f646988a1160544266
Instruction Fuzzy Hash: 7E418D72324A4186E712CF3AF94879EB761F78CBD0F644110EB9987AA8CF39D804CB40

Function 000000014003FD18 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 171stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 000000014003FD8E
GetStockObject.GDI32 ref: 000000014003FDA1
GetObjectW.GDI32 ref: 000000014003FDC8
lstrcpynW.KERNEL32 ref: 000000014003FE33
CreateFontIndirectW.GDI32 ref: 000000014003FE41
DeleteObject.GDI32 ref: 000000014003FE72
GetObjectW.GDI32 ref: 000000014003FF07
CreateFontIndirectW.GDI32 ref: 000000014003FFD6

Strings

FontFaceName, xrefs: 000000014003FDE4
Start, xrefs: 000000014003FDF8

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Object$CreateFontIndirect$DeleteInfoParametersStockSystemlstrcpyn
String ID: FontFaceName$Start
API String ID: 3063546216-3130205924
Opcode ID: c6e1499cfb9564bb87d0e889e4a3538c7a7504f1bc9edd6da0c40f8a7d3fc47a
Instruction ID: 1335b930583471c401568da85460d81441081d594d8bf66777c56c906804ed68
Opcode Fuzzy Hash: c6e1499cfb9564bb87d0e889e4a3538c7a7504f1bc9edd6da0c40f8a7d3fc47a
Instruction Fuzzy Hash: 69816272204A8086EB62DB26F4503DAB7A1F78DB90F544225EB9D476B9DF3CC544CB00

Function 0000000140021368 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00000001400213B6
SendMessageW.USER32 ref: 0000000140021410
#155.SHELL32 ref: 000000014002141B
SetFocus.USER32 ref: 0000000140021425
SendMessageW.USER32 ref: 0000000140021468
SendMessageW.USER32 ref: 0000000140021482
SendMessageW.USER32 ref: 000000014002152C
SetFocus.USER32 ref: 0000000140021535
MessageBoxW.USER32 ref: 000000014002159F

Strings

o, xrefs: 00000001400213BC

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Message$Send$Focus$#155ShowWindow
String ID: o
API String ID: 2215054203-252678980
Opcode ID: 94a81325d3e9a3dd52085e5951d4ef5b73bf1f2d353f4957e86eb7ed04f8b1f8
Instruction ID: f360dae6c34f02a1a50e69c9ca832809ff607a5ede2e33d9de8455e465023ea0
Opcode Fuzzy Hash: 94a81325d3e9a3dd52085e5951d4ef5b73bf1f2d353f4957e86eb7ed04f8b1f8
Instruction Fuzzy Hash: C7715C72210A4182EB629B67E8507DA6360F7D8BF4F444312AB6E47AF5CF7CC881C740

Function 000000014004847C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00000001400484BF
GetProcAddress.KERNEL32 ref: 00000001400484DF
GetProcAddress.KERNEL32 ref: 00000001400484FF
GetProcAddress.KERNEL32 ref: 0000000140048522
GetProcAddress.KERNEL32 ref: 0000000140048545

Strings

GdipCreateFromHDC, xrefs: 00000001400484B8
GdipDrawImageRectRectI, xrefs: 00000001400484F8
GdipCreateImageAttributes, xrefs: 000000014004851B
GdipDeleteGraphics, xrefs: 00000001400484D8
GdipSetImageAttributesColorMatrix, xrefs: 000000014004853E

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressProc
String ID: GdipCreateFromHDC$GdipCreateImageAttributes$GdipDeleteGraphics$GdipDrawImageRectRectI$GdipSetImageAttributesColorMatrix
API String ID: 190572456-226930721
Opcode ID: ec020341f3fd1c9a219bf9e339275d5b6ec1268e70b2c8aff49a7e354ba13650
Instruction ID: d79905fdd51cec85347cc80a3e93e2b177e4b0c056a36e1656d9055f5e08d980
Opcode Fuzzy Hash: ec020341f3fd1c9a219bf9e339275d5b6ec1268e70b2c8aff49a7e354ba13650
Instruction Fuzzy Hash: 0681E732515F819AE671CF13E8807AAB3B0F7DDB90F14521AEB8946678DF78C490DB00

Function 000000014001B8B4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014001B8EE
SendMessageW.USER32 ref: 000000014001B902

Part of subcall function 000000014005E758: RegOpenKeyExW.ADVAPI32 ref: 000000014005E7E3
Part of subcall function 000000014005E758: RegCloseKey.ADVAPI32 ref: 000000014005E7F7
Part of subcall function 000000014005E758: RegDeleteKeyW.ADVAPI32 ref: 000000014005E813
Part of subcall function 000000014005E758: RegCloseKey.ADVAPI32 ref: 000000014005E83F

GetModuleFileNameW.KERNEL32 ref: 000000014001B938
_cwprintf_s_l.LIBCMT ref: 000000014001B9B2
ShellExecuteExW.SHELL32 ref: 000000014001B9D2
EndDialog.USER32 ref: 000000014001B9E5
GetDlgItem.USER32 ref: 000000014001BA4B
SendMessageW.USER32 ref: 000000014001BA5F

Strings

RegisterAdminKey4_EEETWETRFSD=%d, xrefs: 000000014001B9A6
runas, xrefs: 000000014001B9C1

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CloseItemMessageSend$DeleteDialogExecuteFileModuleNameOpenShell_cwprintf_s_l
String ID: RegisterAdminKey4_EEETWETRFSD=%d$runas
API String ID: 1829791887-816592029
Opcode ID: e372da56c28a990fbb92f7d819f175b5be815f8c1b7e09dd1fcf64c85f84d74b
Instruction ID: 4334877fde328765f94068981d195eae6652ff7aec441a5f90725909425142f0
Opcode Fuzzy Hash: e372da56c28a990fbb92f7d819f175b5be815f8c1b7e09dd1fcf64c85f84d74b
Instruction Fuzzy Hash: CB517432305A8182F762DF66E8913D973A0F78CBA4F584225E7698BAF5DF39C845C740

Function 000000014001A25C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 122registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001A2CE
GetClassInfoExW.USER32 ref: 000000014001A304
GetClassInfoExW.USER32 ref: 000000014001A31C
LeaveCriticalSection.KERNEL32 ref: 000000014001A32A
LoadCursorW.USER32 ref: 000000014001A371
GetClassInfoExW.USER32 ref: 000000014001A3D3
RegisterClassExW.USER32 ref: 000000014001A3E6
LeaveCriticalSection.KERNEL32 ref: 000000014001A40F

Strings

P, xrefs: 000000014001A2F5
ATL:%p, xrefs: 000000014001A395

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p$P
API String ID: 269841140-2635742592
Opcode ID: 7135ce2e13eeb8f1b9f4bcc9cc07b40e4abefb95b85b1c23abd4ab857eedd00b
Instruction ID: 5c11983778a0ab81b461f75c5dd45ad7feddb2b90970f6c6fe026f4118fcad2c
Opcode Fuzzy Hash: 7135ce2e13eeb8f1b9f4bcc9cc07b40e4abefb95b85b1c23abd4ab857eedd00b
Instruction Fuzzy Hash: 26518A76200B80A3EA25DB23E5443DD33A0F389BC0F444612EF5A4BBA4CB7AD5A5C740

Function 000000014001E7FC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75registryCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 000000014001E833
GetModuleHandleW.KERNEL32 ref: 000000014001E85E
RegisterClassExW.USER32 ref: 000000014001E89F
CreateWindowExW.USER32 ref: 000000014001E8DE
ShowWindow.USER32 ref: 000000014001E8F0
SetWindowLongPtrW.USER32 ref: 000000014001E905
#4.SHELL32 ref: 000000014001E912
#2.SHELL32 ref: 000000014001E946

Strings

NotifyWnd_123, xrefs: 000000014001E87E
P, xrefs: 000000014001E897

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$ClassCreateFolderHandleLocationLongModuleRegisterShowSpecial
String ID: NotifyWnd_123$P
API String ID: 299184763-2082992119
Opcode ID: 1d53f2cbd94e36df47257f48112cbb351e0baf55650e9ff48d23cdca450d3295
Instruction ID: 6e4335584d0a11d185457a98343a665f84a6d97a261aeb1d3196329f68ad3c39
Opcode Fuzzy Hash: 1d53f2cbd94e36df47257f48112cbb351e0baf55650e9ff48d23cdca450d3295
Instruction Fuzzy Hash: 57415E32614B8087F765CF22E44839EB3A0F78CB99F540119EB894BAA8CF7EC155CB40

Function 0000000140006A08 Relevance: 16.6, APIs: 11, Instructions: 150stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140006A36
lstrcatW.KERNEL32 ref: 0000000140006A62
lstrcatW.KERNEL32 ref: 0000000140006A6E
lstrcatW.KERNEL32 ref: 0000000140006A7A
lstrcatW.KERNEL32 ref: 0000000140006A86
lstrcatW.KERNEL32 ref: 0000000140006A92
lstrcatW.KERNEL32 ref: 0000000140006A9E
lstrlenW.KERNEL32 ref: 0000000140006AA7
lstrlenW.KERNEL32 ref: 0000000140006AB0
lstrlenW.KERNEL32 ref: 0000000140006B38
lstrlenW.KERNEL32 ref: 0000000140006B63

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID:
API String ID: 751011610-0
Opcode ID: 2c46cecf6dd1d1aeaeca04e78982a9fbe33ca1ac9120f1a51e7d7d4f4d1fd1c9
Instruction ID: a6d428bd347c04e7a3eb1a91d8404619ce07dde4f06cd20341777a9d9b1d3f47
Opcode Fuzzy Hash: 2c46cecf6dd1d1aeaeca04e78982a9fbe33ca1ac9120f1a51e7d7d4f4d1fd1c9
Instruction Fuzzy Hash: BC514EB130064189DF669F22E9543A973A2FB1CBD4F488022DF46AB374EB7DC490C344

Function 0000000140017120 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00000001400171F9

Strings

{, xrefs: 0000000140017255

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CreateInstance
String ID: {
API String ID: 542301482-366298937
Opcode ID: 6bd7c3035b2f1fec2c520c9da2092109bdcf0cc699e1576e10d92db8021fd3a6
Instruction ID: e2cddfe4c8c8dd64bed88e1f857c62dc5917b2c5f16a611aa439516e0512c65a
Opcode Fuzzy Hash: 6bd7c3035b2f1fec2c520c9da2092109bdcf0cc699e1576e10d92db8021fd3a6
Instruction Fuzzy Hash: 4D51743260464181EB629F2AE844BD973B1F38CB98F588112FB5A4B6B4DB7AC586C700

Function 000000014001DD00 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014001DD31
ScreenToClient.USER32 ref: 000000014001DD4A
SendMessageW.USER32 ref: 000000014001DD61
SendMessageW.USER32 ref: 000000014001DD98
GetParent.USER32 ref: 000000014001DDF0
SendMessageW.USER32 ref: 000000014001DE10
GetParent.USER32 ref: 000000014001DE1F
SendMessageW.USER32 ref: 000000014001DE39

Strings

0, xrefs: 000000014001DDCD

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Parent$ClientCursorScreen
String ID: 0
API String ID: 3424710631-4108050209
Opcode ID: 6972e0b8af878e675b3cba79eeed6a12daec459d72d18f05386f1dda4083b506
Instruction ID: b08a569aa33570b1f3eb60ac203390e3ace8c55b3d1c2544c6414936085219ec
Opcode Fuzzy Hash: 6972e0b8af878e675b3cba79eeed6a12daec459d72d18f05386f1dda4083b506
Instruction Fuzzy Hash: 9B312F72214A8482E761DF22E4547DE73A1F78CF89F484016EB8D4BAA8CF3DC949CB40

Function 0000000140009CC4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 0000000140009CF6
GetDlgCtrlID.USER32 ref: 0000000140009D10
GetParent.USER32 ref: 0000000140009D1D
GetDlgCtrlID.USER32 ref: 0000000140009D3D
GetParent.USER32 ref: 0000000140009D49
SendMessageW.USER32 ref: 0000000140009D5F
ShellExecuteW.SHELL32 ref: 0000000140009D81
InvalidateRect.USER32 ref: 0000000140009DA4

Strings

open, xrefs: 0000000140009D6B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Ctrl$Parent$ExecuteInvalidateMessageRectSendShell
String ID: open
API String ID: 1200564152-2758837156
Opcode ID: 518eda953508c50585776ef5b8d8172c329e54e578ab125f7fbe16511b086925
Instruction ID: bdd8e8cff3ba433485ce1aaed6632ce3e642ae7ee45adf98f839c4fb0c243799
Opcode Fuzzy Hash: 518eda953508c50585776ef5b8d8172c329e54e578ab125f7fbe16511b086925
Instruction Fuzzy Hash: F4215C36204B8083E725CB22F8953A9B761F78DBD5F084526EB9A4BB64CF3AD465C740

Function 000000014001FC14 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 000000014001FC35
SelectObject.GDI32 ref: 000000014001FC45
MoveToEx.GDI32 ref: 000000014001FC5C
LineTo.GDI32 ref: 000000014001FC6C
LineTo.GDI32 ref: 000000014001FC7C
LineTo.GDI32 ref: 000000014001FC8D
LineTo.GDI32 ref: 000000014001FC9E
SelectObject.GDI32 ref: 000000014001FCAB
DeleteObject.GDI32 ref: 000000014001FCB9
DeleteObject.GDI32 ref: 000000014001FCC7

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: LineObject$DeleteSelect$CreateMove
String ID:
API String ID: 942295950-0
Opcode ID: 8905afc1c0ad8fed279197ddca2ebb14e51d8cef65e504ca11912654cb231f72
Instruction ID: dafebe9fe28e3f16b7396be985a0e8fda7e01714ea8ec3aa6c9759547280ec70
Opcode Fuzzy Hash: 8905afc1c0ad8fed279197ddca2ebb14e51d8cef65e504ca11912654cb231f72
Instruction Fuzzy Hash: 5A21963A710A808BD7559F23E95479AB761F78DFD4F188015EF5A0BB28CF39E4458B80

Function 0000000140006138 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001E54: LoadLibraryW.KERNEL32 ref: 0000000140001E87
Part of subcall function 0000000140001E54: GetProcAddress.KERNEL32 ref: 0000000140001E9E

lstrlenW.KERNEL32 ref: 0000000140006319
_cwprintf_s_l.LIBCMT ref: 0000000140006353
_cwprintf_s_l.LIBCMT ref: 0000000140006463
MessageBoxW.USER32 ref: 00000001400064DA

Strings

--, xrefs: 0000000140006468
%d c2:%d, xrefs: 0000000140006457
%d.) %s : %s, xrefs: 0000000140006347
, xrefs: 000000014000647A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: _cwprintf_s_l$AddressLibraryLoadMessageProclstrlen
String ID: $--$%d c2:%d$%d.) %s : %s
API String ID: 2498098824-883129594
Opcode ID: 70e4913d2d89bd3880ad882b7e21b25d7f954f37d94998cd494a27b14dc6733a
Instruction ID: 1662987e0f51c3c27642f526c6c655dd5087fd7a4b320527f6e57c0d40f780c9
Opcode Fuzzy Hash: 70e4913d2d89bd3880ad882b7e21b25d7f954f37d94998cd494a27b14dc6733a
Instruction Fuzzy Hash: 9EE17072305A8082EA52CB7AE8517D963A1F789BF4F444312EB6E976F5DF38C445CB40

Function 00000001400A6518 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 183windowcomCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400A6562
CoCreateInstance.OLE32 ref: 00000001400A65B9
FindWindowExW.USER32 ref: 00000001400A665C
GetDlgCtrlID.USER32 ref: 00000001400A66D7
SendMessageW.USER32 ref: 00000001400A673D
ImageList_GetImageInfo.COMCTL32 ref: 00000001400A6765
SendMessageW.USER32 ref: 00000001400A6797

Strings

SysTreeView32, xrefs: 00000001400A664C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ImageMessageSend$ClientCreateCtrlFindInfoInstanceList_RectWindow
String ID: SysTreeView32
API String ID: 3498475682-1698111956
Opcode ID: b40857ce68eca97ac279472ae2654539bca499f7acb29a13780fa7775b3860a5
Instruction ID: b967fff96086e11505ed5890c6433bfeb092e69e14d3da72218f5800dead6df7
Opcode Fuzzy Hash: b40857ce68eca97ac279472ae2654539bca499f7acb29a13780fa7775b3860a5
Instruction Fuzzy Hash: E7812576210B8486DB65DF26E8847DE73A5F388B80F548922DBAE47B64DF39D885C700

Function 0000000140040018 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 166registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400400D8
RegOpenKeyExW.ADVAPI32 ref: 0000000140040157
RegQueryValueExW.ADVAPI32 ref: 00000001400401A8
lstrlenW.KERNEL32 ref: 00000001400401B8
RegCloseKey.ADVAPI32 ref: 00000001400401D4
lstrlenW.KERNEL32 ref: 000000014004021A

Strings

Content Type, xrefs: 000000014004019C
application/unknown, xrefs: 0000000140040127

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$CloseOpenQueryValue
String ID: Content Type$application/unknown
API String ID: 2304643261-1085911772
Opcode ID: 729a1a9da6d946ea1f34177d70679dbff31b99967a0bb983a2b847bf8bd67fac
Instruction ID: 7d05fe7c52b983f75d58c2bb761ad57d65d29fbc042a1f479a0e2f95defb6702
Opcode Fuzzy Hash: 729a1a9da6d946ea1f34177d70679dbff31b99967a0bb983a2b847bf8bd67fac
Instruction Fuzzy Hash: DE716C36211A4096EB529F66E8803DA63A0F788BE4F448225FB6E477F6DF38C455CB00

Function 0000000140115834 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 158stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014011588B
SHGetMalloc.SHELL32 ref: 00000001401158A7
SHBrowseForFolderW.SHELL32 ref: 000000014011593C
SHGetPathFromIDListW.SHELL32 ref: 0000000140115961
lstrlenW.KERNEL32 ref: 000000014011597B
MessageBoxW.USER32 ref: 00000001401159AD

Strings

Verzeichnisauswahl / Select a directory:, xrefs: 0000000140115884, 0000000140115891
Failed to get directory, xrefs: 00000001401159A4

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$BrowseFolderFromListMallocMessagePath
String ID: Failed to get directory$Verzeichnisauswahl / Select a directory:
API String ID: 611531059-3768070435
Opcode ID: e5d83f78b5bc466dd82e8a16b2694b29347c46f22ebacb69bd1f815ada073fac
Instruction ID: 70b6ff1d12bcbbf4c6862068cb43ef99f1d53f3ccfea9ca737139f6557321e0e
Opcode Fuzzy Hash: e5d83f78b5bc466dd82e8a16b2694b29347c46f22ebacb69bd1f815ada073fac
Instruction Fuzzy Hash: 4D615032211A4086E756EB3AE8953A923A0FB8CFB4F544711DB6F8B6F4DF39C4558740

Function 000000014001E2F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014001E323
ScreenToClient.USER32 ref: 000000014001E33F
SendMessageW.USER32 ref: 000000014001E359
SendMessageW.USER32 ref: 000000014001E374
ScreenToClient.USER32 ref: 000000014001E3B2
SendMessageW.USER32 ref: 000000014001E3CC
SendMessageW.USER32 ref: 000000014001E402

Strings

o, xrefs: 000000014001E408

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$ClientScreen$Cursor
String ID: o
API String ID: 2946236063-252678980
Opcode ID: ef7565315ca815afcddbb04c803b954a53bf61e154ffe7df45128ba5cbdcb52e
Instruction ID: 45a8256c60a5a16804508c6eb6fde6f4c1b61692bd0d3b56c2c541f91f8d4270
Opcode Fuzzy Hash: ef7565315ca815afcddbb04c803b954a53bf61e154ffe7df45128ba5cbdcb52e
Instruction Fuzzy Hash: C3413B36214A8583EB65CB22E4547DEB3A0F78CFD5F448122EB5A0BB68DF79C555CB00

Function 000000014001DA80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 000000014001DAB1
ShowWindow.USER32 ref: 000000014001DB05
SetFocus.USER32 ref: 000000014001DB0F
SendMessageW.USER32 ref: 000000014001DB28
SetWindowPos.USER32 ref: 000000014001DB62
UpdateWindow.USER32 ref: 000000014001DB6C
RedrawWindow.USER32 ref: 000000014001DB81

Part of subcall function 00000001400FE830: #4.SHELL32 ref: 00000001400FE843

Strings

p, xrefs: 000000014001DB40

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$FocusFolderLocationMessageRedrawSendShowSpecialUpdate
String ID: p
API String ID: 1076984956-2181537457
Opcode ID: 266f0b2ab112205f0fbbeebdebc48049461b818aec0bb42451ce944bca3b1aed
Instruction ID: 9eb0a05253ee0a9591f03b78a0303ee2663ee33ba0746f13fc5c789fc2b9bbd8
Opcode Fuzzy Hash: 266f0b2ab112205f0fbbeebdebc48049461b818aec0bb42451ce944bca3b1aed
Instruction Fuzzy Hash: DB318D72300A8087E718DF67E95478EB761F78CBA0F448225DBAA47BA4CF39D465CB40

Function 0000000140103BA4 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140048B84: GetVersionExW.KERNEL32 ref: 0000000140048BE5
Part of subcall function 0000000140048B84: GetVersionExW.KERNEL32 ref: 0000000140048C19

Concurrency::details::stl_critical_section_win7::stl_critical_section_win7.LIBCPMT ref: 0000000140103C3D

Part of subcall function 0000000140118880: InitializeCriticalSection.KERNEL32 ref: 0000000140118897

SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103D0A
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103D1E
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103D34
SHGetSettings.SHELL32 ref: 0000000140103D42
DeleteObject.GDI32 ref: 0000000140103DAA
CreateFontIndirectW.GDI32 ref: 0000000140103DCA
SHGetDesktopFolder.SHELL32 ref: 0000000140103DE1
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140103DF9

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Folder$LocationSpecial$Version$Concurrency::details::stl_critical_section_win7::stl_critical_section_win7CreateCriticalDeleteDesktopFontIndirectInitializeObjectSectionSettings
String ID:
API String ID: 4159206225-0
Opcode ID: a799804ddf88ae58d7e28c15e9a88a2b400b0d6743f4b1ee47025bf93db21a22
Instruction ID: 6f3ffeec9e0406492a276f117b0f5e0e68a6d5468a7e380ec3e4171c25c19210
Opcode Fuzzy Hash: a799804ddf88ae58d7e28c15e9a88a2b400b0d6743f4b1ee47025bf93db21a22
Instruction Fuzzy Hash: 2C810872201B8087E769CF26F8947DEB7A8F749BA4F504219DBEA076A0DF39D055CB40

Function 0000000140022170 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155windowstringCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00000001400221B2
SendMessageW.USER32 ref: 0000000140022216
lstrlenW.KERNEL32 ref: 000000014002227A
lstrlenW.KERNEL32 ref: 0000000140022297
SendMessageW.USER32 ref: 0000000140022335
SendMessageW.USER32 ref: 0000000140022390

Strings

0, xrefs: 000000014002234B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$lstrlen$DrivesLogical
String ID: 0
API String ID: 1932446174-4108050209
Opcode ID: 592ac17d05d446328c3688e30ddf1153552348c05069813c25ede8053c76e5e4
Instruction ID: e856c5174a01106574392260ac54b9b31cd9196cc3e436c50abd4262a28f5b2a
Opcode Fuzzy Hash: 592ac17d05d446328c3688e30ddf1153552348c05069813c25ede8053c76e5e4
Instruction Fuzzy Hash: 8771A132204A8096E762DF26E8407DE77A0F788BA4F444226EB9D47AF5DF3CC549CB40

Function 00000001400022A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67registryclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400022C5
GlobalFree.KERNEL32 ref: 00000001400022CE
RegisterClipboardFormatW.USER32 ref: 0000000140002303
GlobalLock.KERNEL32 ref: 000000014000237F
GlobalUnlock.KERNEL32 ref: 0000000140002391
ReleaseStgMedium.OLE32 ref: 000000014000239C

Strings

Shell IDList Array, xrefs: 00000001400022F6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Global$Unlock$ClipboardFormatFreeLockMediumRegisterRelease
String ID: Shell IDList Array
API String ID: 660139674-4184189358
Opcode ID: d9502714cfd4eeb025a438ff4370efde520d43677dca64ecf7438b66c26511cb
Instruction ID: d4b21c7c341ee0f96bc615b554f6c755829edfc16a3668a57fc3daebf2462da3
Opcode Fuzzy Hash: d9502714cfd4eeb025a438ff4370efde520d43677dca64ecf7438b66c26511cb
Instruction Fuzzy Hash: D031F3B2204A4186EB52CB26E88439967B0FB8CBD4F144125EB8A87674DF3DC554CB00

Function 000000014001F818 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014001F831
SendMessageW.USER32 ref: 000000014001F84D
OutputDebugStringW.KERNEL32 ref: 000000014001F85A
SendMessageW.USER32 ref: 000000014001F874
SetFocus.USER32 ref: 000000014001F880
SendMessageW.USER32 ref: 000000014001F895

Strings

fffff, xrefs: 000000014001F853

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Focus$DebugOutputString
String ID: fffff
API String ID: 3720455092-4168676731
Opcode ID: d87b18b21f16af6a7ec6c76fb937ac97ee716c7bf0c7f15d98149f5f35deb68e
Instruction ID: 06b651e80687653329116ea51fc719b0f8f11fc327404b097ad18aa9ec196e5c
Opcode Fuzzy Hash: d87b18b21f16af6a7ec6c76fb937ac97ee716c7bf0c7f15d98149f5f35deb68e
Instruction Fuzzy Hash: 93011D3171154182EB518F72F859BE93360E79DF8AF4C50218F0A0FA70DF3AC44A8740

Function 0000000140020284 Relevance: 12.1, APIs: 8, Instructions: 99windowtimethreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400202B1
SendMessageW.USER32 ref: 00000001400202D2
SendMessageW.USER32 ref: 00000001400202F6
#18.SHELL32 ref: 0000000140020308
KillTimer.USER32 ref: 0000000140020327
SetTimer.USER32 ref: 000000014002033B
GetCurrentThreadId.KERNEL32 ref: 000000014002037F
RaiseException.KERNEL32 ref: 000000014002040B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Timer$CurrentExceptionKillRaiseThread
String ID:
API String ID: 3847418034-0
Opcode ID: 68dc1cbe0aa24f5a72b5a5f84de792b169ec02f3503486e96eca1d02fefaeae8
Instruction ID: b550e88aca2e2971f9cabf041bfae2363234ac33b535199f5b93c579eccb6f49
Opcode Fuzzy Hash: 68dc1cbe0aa24f5a72b5a5f84de792b169ec02f3503486e96eca1d02fefaeae8
Instruction Fuzzy Hash: A2414B32310B4082EB658B27E4947A973A5F788FD5F548129EF5E4BBA5CF39C8858700

Function 0000000140008824 Relevance: 12.1, APIs: 8, Instructions: 95comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000000140008876
#8.OLEAUT32 ref: 000000014000889A
#9.OLEAUT32 ref: 00000001400088DE
#9.OLEAUT32 ref: 00000001400088EA
#9.OLEAUT32 ref: 000000014000895E
#9.OLEAUT32 ref: 000000014000896A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 0b51c8b527ad2f00af57ab81d83cb1fae91b659708fd774fc8f7d48fba9401a9
Instruction ID: 30c3a11663207b04ce095c9100f30b01413de14057cc9cfd9d68442222aacb3b
Opcode Fuzzy Hash: 0b51c8b527ad2f00af57ab81d83cb1fae91b659708fd774fc8f7d48fba9401a9
Instruction Fuzzy Hash: 88413572214B4492EB22DF26E8503D973B0F789F95F544122DB8E4B6B8DF39C989C740

Function 000000014002184C Relevance: 12.1, APIs: 8, Instructions: 67windowtimeCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014002185C
ShowWindow.USER32 ref: 000000014002187B
ShowWindow.USER32 ref: 0000000140021887
SetWindowTextW.USER32 ref: 00000001400218D5
SendMessageW.USER32 ref: 00000001400218F1
SendMessageW.USER32 ref: 0000000140021909
SetTimer.USER32 ref: 000000014002191F
SetFocus.USER32 ref: 000000014002192C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$FocusMessageSendShow$TextTimer
String ID:
API String ID: 1913100717-0
Opcode ID: de8d7ff7c91b498aabb582babbec0c5d97a4d4816c88dcba63e197aca167ba28
Instruction ID: c75126f2db7df582280ac30466f0de8ea6cd3c0ad971bec71a96c073e1f00cd0
Opcode Fuzzy Hash: de8d7ff7c91b498aabb582babbec0c5d97a4d4816c88dcba63e197aca167ba28
Instruction Fuzzy Hash: 83312B36200A8182E752DF76E8507D97362F7C8BF8F5842229F694BAE8CF39C945C740

Function 0000000140025258 Relevance: 12.1, APIs: 8, Instructions: 53windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 0000000140025276

Part of subcall function 0000000140024F7C: SendMessageW.USER32 ref: 0000000140024F9B
Part of subcall function 0000000140024F7C: SendMessageW.USER32 ref: 0000000140024FDC
Part of subcall function 0000000140024F7C: SendMessageW.USER32 ref: 0000000140024FF7

KillTimer.USER32 ref: 0000000140025292
KillTimer.USER32 ref: 00000001400252AE
SendMessageW.USER32 ref: 00000001400252C6
SendMessageW.USER32 ref: 00000001400252E3
#18.SHELL32 ref: 00000001400252ED
SendMessageW.USER32 ref: 0000000140025306
SendMessageW.USER32 ref: 0000000140025322

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$KillTimer
String ID:
API String ID: 1116794301-0
Opcode ID: e45ad180756f6a66daf05634541f668884d209b0447e005d31019f26e81111e8
Instruction ID: 1bab376f7a794c7d31a38753163fbee1d4bf8b7147017290e8f01d4ca8160433
Opcode Fuzzy Hash: e45ad180756f6a66daf05634541f668884d209b0447e005d31019f26e81111e8
Instruction Fuzzy Hash: 30211C35201A8082EB919FB7E85479D6361E7CDFDAF5890319F4A5BBA8DE38C8858350

Function 0000000140005D28 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140003AE4: lstrlenA.KERNEL32 ref: 0000000140003B08
Part of subcall function 0000000140003AE4: MultiByteToWideChar.KERNEL32 ref: 0000000140003B86
Part of subcall function 0000000140003AE4: lstrlenW.KERNEL32 ref: 0000000140003BA2

_cwprintf_s_l.LIBCMT ref: 0000000140005F02
CoTaskMemFree.OLE32 ref: 0000000140005F1F
_cwprintf_s_l.LIBCMT ref: 000000014000606A
CoTaskMemFree.OLE32 ref: 00000001400060BD

Part of subcall function 0000000140001FB4: LoadLibraryW.KERNEL32 ref: 0000000140001FD7
Part of subcall function 0000000140001FB4: GetProcAddress.KERNEL32 ref: 0000000140001FFA

Strings

ViewMode,%d;ImageSize,%d;FolderFlags,%d;GroupBy,%s;Group,%d;, xrefs: 0000000140006023
%s,%d;, xrefs: 0000000140005EF6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FreeTask_cwprintf_s_llstrlen$AddressByteCharLibraryLoadMultiProcWide
String ID: %s,%d;$ViewMode,%d;ImageSize,%d;FolderFlags,%d;GroupBy,%s;Group,%d;
API String ID: 1249642529-1631008325
Opcode ID: 203c4573784517ce03fd3c447d22a9bbf788c9fd543a52949406ede2e60a0183
Instruction ID: 9ab6454bb757e8da9094741ec634296485af00c7723aab5dd1c2fcc9ba6f4e5e
Opcode Fuzzy Hash: 203c4573784517ce03fd3c447d22a9bbf788c9fd543a52949406ede2e60a0183
Instruction Fuzzy Hash: 17C16172204A8086EA12DB2AE4403DEB7A1F7C9FE4F544212EB9D47BA9DF79C545CB00

Function 00000001401020EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 00000001401021F5
#18.SHELL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 0000000140102212
#18.SHELL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 000000014010221E
#25.SHELL32(?,?,?,?,?,00000000,00000000,00000001401025F1), ref: 000000014010222A
SendMessageW.USER32 ref: 0000000140102283

Strings

g, xrefs: 00000001401021E2

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AllocGlobalMessageSend
String ID: g
API String ID: 277534643-30677878
Opcode ID: a3ede16d70b84d5b16f8be3e7eef29651660cf2209a86c703adac8cf844c0f0e
Instruction ID: 58952fd4f6ce98fa664fcb414808b88aa69d7abdc39faae01a3d54ba6093df09
Opcode Fuzzy Hash: a3ede16d70b84d5b16f8be3e7eef29651660cf2209a86c703adac8cf844c0f0e
Instruction Fuzzy Hash: 5F416B72604B85C6EB61CF56E8447DAB3A1F38CF94F544226EBA943BA8CF39C545CB40

Function 00000001400F9460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400F947F
SHGetDesktopFolder.SHELL32 ref: 00000001400F94AA
CreatePopupMenu.USER32 ref: 00000001400F9503
TrackPopupMenu.USER32 ref: 00000001400F9588
SendMessageW.USER32 ref: 00000001400F9607

Strings

8, xrefs: 00000001400F95D6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MenuPopup$CreateDesktopFolderMessageParentSendTrack
String ID: 8
API String ID: 4175632323-4194326291
Opcode ID: 953e1428a459ef7c34fd10fe8bc78450de88d03029f7ffd9cdbf9f1594351eae
Instruction ID: 6b4657662e0c15f174c5e52701b3c905c76491e72966aaa2a50895af07cd93e3
Opcode Fuzzy Hash: 953e1428a459ef7c34fd10fe8bc78450de88d03029f7ffd9cdbf9f1594351eae
Instruction Fuzzy Hash: C4510576314B8486EB618B26E49479AB7A0F789B89F548115EB8D4BB68CF7DC448CB00

Function 00000001400250B0 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140025106
SendMessageW.USER32 ref: 0000000140025126
SendMessageW.USER32 ref: 000000014002513E
SendMessageW.USER32 ref: 000000014002515F
SendMessageW.USER32 ref: 00000001400251A5
SendMessageW.USER32 ref: 00000001400251DD
GetFocus.USER32 ref: 00000001400251E6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: f860ffe6d2140f2844f54cab0ca51870d3129242f74bd8ea73c5c69872e084bb
Instruction ID: b610f388160f3f1a26fda727c0b36c87e76938eff2afb54359062850295804c1
Opcode Fuzzy Hash: f860ffe6d2140f2844f54cab0ca51870d3129242f74bd8ea73c5c69872e084bb
Instruction Fuzzy Hash: 5A419F31314A80C2FBA6AB62E8507DA7350F789BD5F488125AB594BEF5DF38CC95C704

Function 0000000140017B78 Relevance: 10.6, APIs: 7, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

#6.OLEAUT32 ref: 0000000140017BDF
#7.OLEAUT32 ref: 0000000140017BF2
#7.OLEAUT32 ref: 0000000140017C05
CoTaskMemAlloc.OLE32 ref: 0000000140017C13
#6.OLEAUT32 ref: 0000000140017C26

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AllocTask
String ID:
API String ID: 277515162-0
Opcode ID: 5e8679a3c84486a76ba3651a4798ff9ea1603562ef64feffcd663faec1f149ab
Instruction ID: 2024940fa7bce86b04e29bd2d8e461a2552d7b48f24a366a49c5181144aec1d9
Opcode Fuzzy Hash: 5e8679a3c84486a76ba3651a4798ff9ea1603562ef64feffcd663faec1f149ab
Instruction Fuzzy Hash: 28319431200B8586FB569B67A4547D953B0EBCCBD4F184429BF4D8F7B5DE7AC8848380

Function 000000014000801C Relevance: 10.6, APIs: 7, Instructions: 80threadCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0000000140008044
GetCurrentThreadId.KERNEL32 ref: 0000000140008058
EnterCriticalSection.KERNEL32 ref: 0000000140008065
RaiseException.KERNEL32 ref: 00000001400080A0
EnterCriticalSection.KERNEL32 ref: 00000001400080CE
GetCurrentThreadId.KERNEL32 ref: 00000001400080DD
LeaveCriticalSection.KERNEL32 ref: 0000000140008113

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CriticalSection$CurrentEnterExceptionRaiseThread$Leave
String ID:
API String ID: 1900833728-0
Opcode ID: ba634b300a653fc6c7866f7a959c155f4ccca22f17d11136a9290faf1b74e37b
Instruction ID: aa2b480570dfd8a4a5ca896e549a89b7028c7b0db67c4808613ad90208e02cc4
Opcode Fuzzy Hash: ba634b300a653fc6c7866f7a959c155f4ccca22f17d11136a9290faf1b74e37b
Instruction Fuzzy Hash: E8318E72210B8182EBA5CF62F95079977A4FB4CBC4F485421EF9A07F64DF38D4A58740

Function 0000000140009B24 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 0000000140009B66
SetCursor.USER32 ref: 0000000140009B78
InvalidateRect.USER32 ref: 0000000140009BB6
UpdateWindow.USER32 ref: 0000000140009BC0
_TrackMouseEvent.COMCTL32 ref: 0000000140009BF4
InvalidateRect.USER32 ref: 0000000140009C28
UpdateWindow.USER32 ref: 0000000140009C32

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Rect$InvalidateUpdateWindow$CursorEventMouseTrack
String ID:
API String ID: 1598129390-0
Opcode ID: 802e805989fa9d4c4a32bece14764307a2230e9df8b2b09ca72670b31ce017dd
Instruction ID: 949cb897e6d9736c8290268a34c261f74a99af520b63d9f9da859e87e208ad99
Opcode Fuzzy Hash: 802e805989fa9d4c4a32bece14764307a2230e9df8b2b09ca72670b31ce017dd
Instruction Fuzzy Hash: E1314F7260468486EB52CF3AE5547DD77E0F788F88F484026EB894B679CF39C946CB90

Function 0000000140001260 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001210: lstrlenW.KERNEL32 ref: 0000000140001231

SetWindowTextW.USER32 ref: 00000001400012D8
wsprintfW.USER32 ref: 00000001400012EF
SendMessageW.USER32 ref: 0000000140001360

Part of subcall function 0000000140001148: SendMessageW.USER32 ref: 00000001400011A7

Strings

last_entry, xrefs: 00000001400012BA, 000000014000133A
entry_%03d, xrefs: 00000001400012E0
@, xrefs: 000000014000132D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$TextWindowlstrlenwsprintf
String ID: @$entry_%03d$last_entry
API String ID: 1117576183-2027942737
Opcode ID: 48a734eb831d4a926fa84141339b4d994ed079c3306510baa5842e080204d01d
Instruction ID: 20367c67e7e0e347c9ea5ae8511fba4c3340f68be4988edafbc17f5fb6ca8904
Opcode Fuzzy Hash: 48a734eb831d4a926fa84141339b4d994ed079c3306510baa5842e080204d01d
Instruction Fuzzy Hash: 35316B72204A85A1EB31DFA2F4957DA73A1F78CBC0F841012EB8947A6ADF38C115CB84

Function 0000000140001988 Relevance: 10.6, APIs: 7, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400019C4
SendMessageW.USER32 ref: 00000001400019E0
SendMessageW.USER32 ref: 00000001400019FA
SetWindowLongPtrW.USER32 ref: 0000000140001A0E
SetWindowLongPtrW.USER32 ref: 0000000140001A20
SetWindowLongPtrW.USER32 ref: 0000000140001A38
SetWindowLongPtrW.USER32 ref: 0000000140001A55

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fa389dbd0ff469c580dd02baa99d938c1ff7d63db430f8735c4fcb3ba0e5e364
Instruction ID: 64377e77e092256bba4b0bf8dd6efe28a2cdfd72a8759b74ea15fe6f58fd8926
Opcode Fuzzy Hash: fa389dbd0ff469c580dd02baa99d938c1ff7d63db430f8735c4fcb3ba0e5e364
Instruction Fuzzy Hash: C7213576700B8193E718CB72E984B9A73A0F78DB94F448121DB1A07F21DF35D0798340

Function 0000000140053BCC Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 0000000140053C0C
CopyRect.USER32 ref: 0000000140053C24
GetClientRect.USER32 ref: 0000000140053C4E
SetBkColor.GDI32 ref: 0000000140053D61
ExtTextOutW.GDI32 ref: 0000000140053D8F
SetBkColor.GDI32 ref: 0000000140053D9A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ColorRect$ClientClipCopyText
String ID:
API String ID: 3037928153-0
Opcode ID: 8f9e3595d1f24f89afdd309441a8681e8f0c67a4d7e7932a1e4881341db277d8
Instruction ID: 8260f42f37f333a98bb1e8b9bc4db72a3e4eedd5c871235fd60e27b76e8a4575
Opcode Fuzzy Hash: 8f9e3595d1f24f89afdd309441a8681e8f0c67a4d7e7932a1e4881341db277d8
Instruction Fuzzy Hash: 4D5177766187908BD315CF1AA84479AFBA5F3D8B81F50411AFB8643B28DB7DD846CF00

Function 0000000140022BE0 Relevance: 9.1, APIs: 6, Instructions: 133windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140020988: IsWindowVisible.USER32 ref: 0000000140020995
Part of subcall function 0000000140020988: ShowWindow.USER32 ref: 00000001400209A5
Part of subcall function 0000000140020988: ShowWindow.USER32 ref: 00000001400209B1
Part of subcall function 0000000140020988: SendMessageW.USER32 ref: 00000001400209D2
Part of subcall function 0000000140020988: SendMessageW.USER32 ref: 00000001400209FD
Part of subcall function 0000000140020988: ReleaseCapture.USER32 ref: 0000000140020A03

GetCursorPos.USER32 ref: 0000000140022C92
GetWindowRect.USER32 ref: 0000000140022CA3
SendMessageW.USER32 ref: 0000000140022CC1
SetCapture.USER32 ref: 0000000140022CD5
SendMessageW.USER32 ref: 0000000140022DD1
ReleaseCapture.USER32 ref: 0000000140022DD7

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSendWindow$Capture$ReleaseShow$CursorRectVisible
String ID:
API String ID: 898369708-0
Opcode ID: 9c36f5682363d8106458575818e2ac02bb8ebccf653df2b50aa808af24c2f18c
Instruction ID: 9e7ededcd470cc7bf4384a777be597110a382e4ea636f7fee75998e3a344dd72
Opcode Fuzzy Hash: 9c36f5682363d8106458575818e2ac02bb8ebccf653df2b50aa808af24c2f18c
Instruction Fuzzy Hash: 89515B36604B8096EB618B62F4043DE72A4F388BC8F20452AFB8917BA5DF79C945CB45

Function 00000001400074B8 Relevance: 9.1, APIs: 6, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014000750A
RegCloseKey.ADVAPI32 ref: 0000000140007526
RegEnumKeyExW.ADVAPI32 ref: 0000000140007587
RegCloseKey.ADVAPI32 ref: 000000014000759B
RegDeleteKeyW.ADVAPI32 ref: 00000001400075B0
RegCloseKey.ADVAPI32 ref: 00000001400075C2

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: bf99dca1336df69e9244f836b331ceaeb518d51efc0e3d7ef9c974df55cd5413
Instruction ID: d7bd5abe59ac059ee7eff851a91fbfb4fc1a61cb37cfc273d06cbcdd0c71c80d
Opcode Fuzzy Hash: bf99dca1336df69e9244f836b331ceaeb518d51efc0e3d7ef9c974df55cd5413
Instruction Fuzzy Hash: 32313E76608B8486DA51DF66F88479AB7A0F38CBD4F940025EB8E47B65CF7DC485CB40

Function 00000001400017FC Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140001851
SendMessageW.USER32 ref: 0000000140001865
SendMessageW.USER32 ref: 0000000140001888
SendMessageW.USER32 ref: 00000001400018AC
SendMessageW.USER32 ref: 00000001400018C4
SetWindowLongPtrW.USER32 ref: 00000001400018E3

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 12d0f0d73ac8d2e3b61ed2c7a29258e4ce9088586d7d1f5a5a690189d225b3e2
Instruction ID: 39fb874ae95ad9df0cd18ba223608d9a1f9d5846aaa8b884554e399c5500fca1
Opcode Fuzzy Hash: 12d0f0d73ac8d2e3b61ed2c7a29258e4ce9088586d7d1f5a5a690189d225b3e2
Instruction Fuzzy Hash: FA21BE71B1068182FB618BA3F845BDA2390E7CCBE5F589121AB0A4BEB4DE79C1418740

Function 000000014001603C Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000014001607D
GetDeviceCaps.GDI32 ref: 000000014001608E
GetDeviceCaps.GDI32 ref: 000000014001609E
ReleaseDC.USER32 ref: 00000001400160AB
MulDiv.KERNEL32 ref: 00000001400160BF
MulDiv.KERNEL32 ref: 00000001400160D2

Part of subcall function 0000000140001D00: FindWindowExW.USER32 ref: 0000000140001D34

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CapsDevice$FindReleaseWindow
String ID:
API String ID: 359319186-0
Opcode ID: 335af62c087f23680f868d21f8b268083a477dfa7f84046068a8233ea32e3cee
Instruction ID: 555d2e7100eae8ecbc063fbf60d384ae605c5965ff4310db2ed006cd44cf6971
Opcode Fuzzy Hash: 335af62c087f23680f868d21f8b268083a477dfa7f84046068a8233ea32e3cee
Instruction Fuzzy Hash: AF113D75300B408AEB4ADF72E84935A76A1F78CFC1F188129EF4A4BB65DF3AD8118744

Function 0000000140015C2D Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 0000000140015C67
ClientToScreen.USER32 ref: 0000000140015C7A
GetParent.USER32 ref: 0000000140015C84
ScreenToClient.USER32 ref: 0000000140015C9A
ScreenToClient.USER32 ref: 0000000140015CAC
MoveWindow.USER32 ref: 0000000140015CDA

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: 1f98c295c3b08c56dcbf839a4a4d2b88b824048dac41c1f21ebf9688380bf2dc
Instruction ID: 7f329799f33bd3262adc9ebb96557a10ded11004f7850d3629f50e521894eeb0
Opcode Fuzzy Hash: 1f98c295c3b08c56dcbf839a4a4d2b88b824048dac41c1f21ebf9688380bf2dc
Instruction Fuzzy Hash: E6115C76316B418AEA51DF26E84479DB760FB88BC4F045511EB8A4BB28EF3DC455CB40

Function 000000014002196C Relevance: 9.0, APIs: 6, Instructions: 37windowtimeCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0000000140021989
ShowWindow.USER32 ref: 000000014002199D
ShowWindow.USER32 ref: 00000001400219AC
KillTimer.USER32 ref: 00000001400219BB
KillTimer.USER32 ref: 00000001400219D1
GetFocus.USER32 ref: 00000001400219DE

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FocusKillShowTimerWindow
String ID:
API String ID: 3044290596-0
Opcode ID: 8621990ddfdd798133131d01057765c320258a9855b5f303c8fe18765cb774f9
Instruction ID: 2b9b25263dbd1fb5fa7c94dd138958bca2446ae866684a869933d9ca086554c2
Opcode Fuzzy Hash: 8621990ddfdd798133131d01057765c320258a9855b5f303c8fe18765cb774f9
Instruction Fuzzy Hash: D5015E31705A8092EB86C76BE5543EE6261F7DCBC1F0840259B494BA70CF3CC9D2C340

Function 0000000140020988 Relevance: 9.0, APIs: 6, Instructions: 33windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0000000140020995
ShowWindow.USER32 ref: 00000001400209A5
ShowWindow.USER32 ref: 00000001400209B1
SendMessageW.USER32 ref: 00000001400209D2
SendMessageW.USER32 ref: 00000001400209FD
ReleaseCapture.USER32 ref: 0000000140020A03

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$MessageSendShow$CaptureReleaseVisible
String ID:
API String ID: 3175066377-0
Opcode ID: ce0e83a03ec4ee1dd4523d9e77da799b9ee6c93cae91b3f4803d904d8190cee2
Instruction ID: 16d2b01de5cf0ce976be5311fdb5b58e5e045f856cc25ec0490923595423f03d
Opcode Fuzzy Hash: ce0e83a03ec4ee1dd4523d9e77da799b9ee6c93cae91b3f4803d904d8190cee2
Instruction Fuzzy Hash: 5B01FB7170164582F7969F73E8587E92361EB8CF96F4880368B0A5F665CF39C9868350

Function 0000000140084178 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 275windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000399C: lstrlenA.KERNEL32 ref: 00000001400039CA
Part of subcall function 000000014000399C: MultiByteToWideChar.KERNEL32 ref: 0000000140003A0F
Part of subcall function 000000014000399C: lstrlenW.KERNEL32 ref: 0000000140003A2B

Part of subcall function 0000000140030614: lstrlenW.KERNEL32 ref: 00000001400306AE

Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 000000014000349C
Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 0000000140003518

Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 00000001400034BB
Part of subcall function 000000014000346C: lstrlenW.KERNEL32 ref: 00000001400036A1

Part of subcall function 000000014010691C: lstrlenW.KERNEL32 ref: 0000000140106985
Part of subcall function 000000014010691C: lstrlenW.KERNEL32 ref: 00000001401069E0

SetMenuItemInfoW.USER32 ref: 00000001400844DF

Strings

0, xrefs: 00000001400844A5
MENU_2017, xrefs: 000000014008418F
, xrefs: 00000001400842FD
H, xrefs: 00000001400842CD

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$ByteCharInfoItemMenuMultiWide
String ID: $0$H$MENU_2017
API String ID: 3110664725-3967075016
Opcode ID: 8e81b88c14c24131ab1970799924c347965d24fb70a2d45b9b1259aab2ef4ff1
Instruction ID: 814d161aec673e9a6ab83f971220734419c78d4361167942e45194d01dc9a85f
Opcode Fuzzy Hash: 8e81b88c14c24131ab1970799924c347965d24fb70a2d45b9b1259aab2ef4ff1
Instruction Fuzzy Hash: 76D1617330598182EB62CB2AE8517DA6360FB89BB4F444311B7BD879E6DF78C585CB40

Function 0000000140004CA8 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 272COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32 ref: 0000000140004DA1

Strings

>>>>>>>>>>>>>>>>>>>>>>>>:, xrefs: 0000000140004D66
image, xrefs: 0000000140004E6F
video, xrefs: 0000000140004EFD
audio, xrefs: 0000000140004F45

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: DebugOutputString
String ID: >>>>>>>>>>>>>>>>>>>>>>>>:$audio$image$video
API String ID: 1166629820-85831261
Opcode ID: 89fbec7ecaf396ec757d79277fa80d567e2ed32d2e822b1b38b77f2b79e6fa56
Instruction ID: 4ea4c7d9c971c157d1c39f83fbb9d670df84a9e1285380ed96d5ec2a79abadac
Opcode Fuzzy Hash: 89fbec7ecaf396ec757d79277fa80d567e2ed32d2e822b1b38b77f2b79e6fa56
Instruction Fuzzy Hash: FFC14FB3201A8086EA62DB2AE4913DE73A1F7897B4F144312B779576F6CF38D885C740

Function 0000000140007068 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400070CA
CompareStringW.KERNEL32 ref: 0000000140007124
CompareStringW.KERNEL32 ref: 0000000140007173

Strings

<A>, xrefs: 000000014000710C
</A>, xrefs: 0000000140007159

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: </A>$<A>
API String ID: 1657112622-2122467442
Opcode ID: f1ae98306a0dc4d9a198098ee93d0280e83c32c987eb90ee134b27f4caac6ae2
Instruction ID: a16723b432ad62851a6586a46339e6a28edab238c7e60eb586aea2c4c25c0ee0
Opcode Fuzzy Hash: f1ae98306a0dc4d9a198098ee93d0280e83c32c987eb90ee134b27f4caac6ae2
Instruction Fuzzy Hash: 81417C72A04B84C9EB25CF2AE8447E9BBA4F798F84F558115DB8C83768EF38D446C740

Function 0000000140022074 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400220BE
SendMessageW.USER32 ref: 00000001400220E7
SendMessageW.USER32 ref: 000000014002212D

Strings

@, xrefs: 00000001400220CF
0, xrefs: 00000001400220A6

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$lstrlen
String ID: 0$@
API String ID: 1172434978-1545510068
Opcode ID: 1601c8e892db72aa0a1cf2bf1ea9bc19a7191a27e1eb105fa9045aeaef51daeb
Instruction ID: ddbfc51c3a79b05a2869253fabb33f1850f7458376bc7d084a722858f95e90de
Opcode Fuzzy Hash: 1601c8e892db72aa0a1cf2bf1ea9bc19a7191a27e1eb105fa9045aeaef51daeb
Instruction Fuzzy Hash: 4321813231464082E7619B3AE44439A77A0E7C9BA4F548315E7A987AF9CF38C556CF44

Function 000000014011A924 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 000000014011A95F
lstrlenW.KERNEL32 ref: 000000014011A96E
RegSetValueExW.ADVAPI32 ref: 000000014011A98E
RegCloseKey.ADVAPI32 ref: 000000014011A99B

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 000000014011A948

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CloseOpenValuelstrlen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 2964171075-3913687870
Opcode ID: 7c50986e9f4b8f3e8bd8faefeb71720e6021442e1d482e1be689d0675f62ecc8
Instruction ID: 5cfe4bb5abde329db52458d4a005f69208c2917290fcb5ade1d3e3645eb3a88a
Opcode Fuzzy Hash: 7c50986e9f4b8f3e8bd8faefeb71720e6021442e1d482e1be689d0675f62ecc8
Instruction Fuzzy Hash: 48014C76214B5087DB109F66E84039DBBA1F788FE0F594621EF8947B68CF39C54ACB44

Function 0000000140105AD8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140105B01
GetProcAddress.KERNEL32 ref: 0000000140105B21
FreeLibrary.KERNEL32 ref: 0000000140105B35

Strings

IsThemeActive, xrefs: 0000000140105B17
UxTheme.dll, xrefs: 0000000140105AF2

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: IsThemeActive$UxTheme.dll
API String ID: 145871493-3611418440
Opcode ID: 908373fd2877a7542c0fe83e044299c2c99612ad8c6aa36e03c116ce3a162b6c
Instruction ID: de9107f110dc6e1ef5aef7b735d2bc255ab8f3378797630c10079203d58b98cd
Opcode Fuzzy Hash: 908373fd2877a7542c0fe83e044299c2c99612ad8c6aa36e03c116ce3a162b6c
Instruction Fuzzy Hash: AC018F31B0165086E751DF67B8803A673E0F70CF94F880929FB5A877B4CB38C8819B00

Function 0000000140006C74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140006C88
GetProcAddress.KERNEL32 ref: 0000000140006CA0
FreeLibrary.KERNEL32 ref: 0000000140006CB8

Strings

EnableThemeDialogTexture, xrefs: 0000000140006C96
UxTheme.dll, xrefs: 0000000140006C81

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EnableThemeDialogTexture$UxTheme.dll
API String ID: 145871493-3190584797
Opcode ID: 34f173713268b76265d243d26936bb18781a0dd01399a9456a214fb2d26c225c
Instruction ID: f56c2b9d72aac4315c18d815eab8db19e53424442d43405e60542a7c232650f8
Opcode Fuzzy Hash: 34f173713268b76265d243d26936bb18781a0dd01399a9456a214fb2d26c225c
Instruction Fuzzy Hash: 48E0C970711A4181EE869B63F9557A523A1EB8CFC0F4C64249E5A0B774EE39C994C740

Function 000000014001816C Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400181C5
GetModuleFileNameW.KERNEL32 ref: 000000014001823A
#161.OLEAUT32 ref: 000000014001825A
#162.OLEAUT32 ref: 000000014001827A
LeaveCriticalSection.KERNEL32 ref: 0000000140018382

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: CriticalSection$#161#162EnterFileLeaveModuleName
String ID:
API String ID: 2971530505-0
Opcode ID: 690f21a3e1845385bcaf53a61c12f3dc099acad6d1dcaefb814ef141a452e445
Instruction ID: a25afa92f56d2209929bf59a66b26f0a43651612561abbed378a00cff9f07290
Opcode Fuzzy Hash: 690f21a3e1845385bcaf53a61c12f3dc099acad6d1dcaefb814ef141a452e445
Instruction Fuzzy Hash: 8A613E32205B4086EB66CB2AE4903AD77B1F788FD4F644125EF594B6B8DF3ACA45C740

Function 0000000140023CA8 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140023CF8
ClientToScreen.USER32 ref: 0000000140023D14
GetWindowRect.USER32 ref: 0000000140023D27
SendMessageW.USER32 ref: 0000000140023DDC
SendMessageW.USER32 ref: 0000000140023DF9

Part of subcall function 0000000140023730: GetWindowRect.USER32 ref: 0000000140023765
Part of subcall function 0000000140023730: SendMessageW.USER32 ref: 0000000140023790
Part of subcall function 0000000140023730: SendMessageW.USER32 ref: 00000001400237D0

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend$RectWindow$ClientScreen
String ID:
API String ID: 2198136683-0
Opcode ID: 25aae191ebed58256dedb4c8005e7a6a9c56e7cefbce6b6ef52f19e44207613b
Instruction ID: 625f7a3db415114be2c7c946a1617b858740bbf1a3ad8bb013b25d59d0c9dcbb
Opcode Fuzzy Hash: 25aae191ebed58256dedb4c8005e7a6a9c56e7cefbce6b6ef52f19e44207613b
Instruction Fuzzy Hash: 3D419076210B8086EB419F22E4447ED7360F788FC9F888029EF090B7A5CF78C949C751

Function 0000000140007AEC Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140007B00
GetDlgItem.USER32 ref: 0000000140007B24
SetWindowTextW.USER32 ref: 0000000140007B30
SetWindowTextW.USER32 ref: 0000000140007B7B
SetDlgItemTextW.USER32 ref: 0000000140007BC9

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ItemText$Window
String ID:
API String ID: 2802354418-0
Opcode ID: a594adfbb520d1e042016f0e6dc4fa538fe7353b5541c58799b67476dee03054
Instruction ID: b634ca63e069e3e971be17b39d32aaa82f392764d4f4bf4a7909ee36b2a31c6b
Opcode Fuzzy Hash: a594adfbb520d1e042016f0e6dc4fa538fe7353b5541c58799b67476dee03054
Instruction Fuzzy Hash: 0D31617270094183EA41DB7BD8113996361EB88BF0F184321AB7D877E5DF3DC8828751

Function 0000000140015278 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00000001400152C9
GetDlgItem.USER32 ref: 000000014001533A
SendMessageW.USER32 ref: 000000014001534E
GetDlgItem.USER32 ref: 000000014001535E
SendMessageW.USER32 ref: 0000000140015372

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Message$ItemSend
String ID:
API String ID: 950433545-0
Opcode ID: 6e43536db41890a5825e03dcb4903996deabe10d9ec55dcb28b7f51d9de9cb92
Instruction ID: 7bca7bfb517bbd07c9e830d1f50b30bb9cf377672a3dcc04f259e63f8db61dda
Opcode Fuzzy Hash: 6e43536db41890a5825e03dcb4903996deabe10d9ec55dcb28b7f51d9de9cb92
Instruction Fuzzy Hash: 00319F3271098083EB619B3AE86439A7360FBC9BF0F544311AB7A8BAF5DF79C4518740

Function 000000014000A844 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 000000014000A8BA
SHGetPathFromIDListW.SHELL32 ref: 000000014000A8CA
wsprintfW.USER32 ref: 000000014000A8E4
GetDlgItem.USER32 ref: 000000014000A8F7
SetWindowTextW.USER32 ref: 000000014000A903

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FolderFromItemListLocationPathSpecialTextWindowwsprintf
String ID:
API String ID: 3259017916-0
Opcode ID: b337608be67815e1f882543b53302fc6b7cb76a9cbfcc451b9fed8b6dfe20f4a
Instruction ID: bfd92be44cf0351dca82a94b62c2d325711ab0d382a8b8545932bfc03b26e6e2
Opcode Fuzzy Hash: b337608be67815e1f882543b53302fc6b7cb76a9cbfcc451b9fed8b6dfe20f4a
Instruction Fuzzy Hash: C3215E72214A8592EA15DB22E4943EA6361F7CCFC5F4880219F8D0BB69CF3CC14ACB80

Function 000000014001FCE4 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014001FD0B
GetClientRect.USER32 ref: 000000014001FD37
GetSysColor.USER32 ref: 000000014001FD4A

Part of subcall function 000000014001FC14: CreatePen.GDI32 ref: 000000014001FC35
Part of subcall function 000000014001FC14: SelectObject.GDI32 ref: 000000014001FC45
Part of subcall function 000000014001FC14: MoveToEx.GDI32 ref: 000000014001FC5C
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC6C
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC7C
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC8D
Part of subcall function 000000014001FC14: LineTo.GDI32 ref: 000000014001FC9E
Part of subcall function 000000014001FC14: SelectObject.GDI32 ref: 000000014001FCAB
Part of subcall function 000000014001FC14: DeleteObject.GDI32 ref: 000000014001FCB9
Part of subcall function 000000014001FC14: DeleteObject.GDI32 ref: 000000014001FCC7

IntersectClipRect.GDI32 ref: 000000014001FD91
SendMessageW.USER32 ref: 000000014001FDA4

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: LineObject$DeleteRectSelect$ClientClipColorCreateIntersectMessageMoveParentSend
String ID:
API String ID: 640795467-0
Opcode ID: 8abdaa05f8489e53c2f73c3562a215e7ab2baa942873b570995f9dff90c38e61
Instruction ID: 5038d5b4792f7b22fca29c3999077a22cbaf7a2f18104be4f42bbff3053623b0
Opcode Fuzzy Hash: 8abdaa05f8489e53c2f73c3562a215e7ab2baa942873b570995f9dff90c38e61
Instruction Fuzzy Hash: 0821E5726286848ADB918F26F44079AB7B0F7C8B84F049116EF8A87B28DF79C445CF40

Function 000000014001DBA4 Relevance: 7.5, APIs: 5, Instructions: 49keyboardwindowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014001DBD3
GetAsyncKeyState.USER32 ref: 000000014001DBE8
SendMessageW.USER32 ref: 000000014001DC16
GetAsyncKeyState.USER32 ref: 000000014001DC2D
ShowWindow.USER32 ref: 000000014001DC44

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AsyncState$FocusMessageSendShowWindow
String ID:
API String ID: 3327096832-0
Opcode ID: 5f866e217674990f0777899df403e4e448b59f894e4c893b9b520a52e3229b59
Instruction ID: fe49c99cfa19325b68a893d8f7872c518b3e05df83aafa69b7cd2fa17d13bb67
Opcode Fuzzy Hash: 5f866e217674990f0777899df403e4e448b59f894e4c893b9b520a52e3229b59
Instruction Fuzzy Hash: FB115131700681C2FB6A9B23E55439973A1F7ACBD1F444822EB464BAB4CFB9C8D1C780

Function 00000001400C4C68 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

#18.SHELL32 ref: 00000001400C4C8C
#17.SHELL32 ref: 00000001400C4C98
#16.SHELL32 ref: 00000001400C4CB4
#18.SHELL32 ref: 00000001400C4CBD
#155.SHELL32 ref: 00000001400C4CCE

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: #155
String ID:
API String ID: 1122522878-0
Opcode ID: 9a32cc60d28c6435935e3f868d0b0a818da1d710b44b85fc901688fecaf1c201
Instruction ID: da2093146b1d4883f13c63bd912c2f832ea7c315c3b51f47c1b6f2bbca3d1f38
Opcode Fuzzy Hash: 9a32cc60d28c6435935e3f868d0b0a818da1d710b44b85fc901688fecaf1c201
Instruction Fuzzy Hash: 62014F31606B4582EB9A8B23E5943A963A0BB5DFC4F084020EF0A0B778EF3DC4658340

Function 000000014002E4EC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 223windowCOMMON

Download Yara Rule

APIs

#18.SHELL32 ref: 000000014002E51B

Part of subcall function 00000001400FD62C: SHGetFileInfoW.SHELL32 ref: 00000001400FD67D

SendMessageW.USER32 ref: 000000014002E869

Part of subcall function 0000000140002D3C: SHGetMalloc.SHELL32 ref: 0000000140002D81

Part of subcall function 00000001400C4C68: #18.SHELL32 ref: 00000001400C4C8C
Part of subcall function 00000001400C4C68: #17.SHELL32 ref: 00000001400C4C98

Strings

ftp://, xrefs: 000000014002E744
', xrefs: 000000014002E7E9

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FileInfoMallocMessageSend
String ID: '$ftp://
API String ID: 2720085397-2224211471
Opcode ID: b6ef2afb53ec975224ac763cd79f9719379ac8e05474e69a604d13932f95c70a
Instruction ID: 9e87be585b3c4869394aaa91d6377e58f1872d871267d8a4f42fb31f4084679d
Opcode Fuzzy Hash: b6ef2afb53ec975224ac763cd79f9719379ac8e05474e69a604d13932f95c70a
Instruction Fuzzy Hash: 68B15332255AC181EB62DB26E4947DEB360F7887E4F444326A7AD47AF9DF78C845CB00

Function 000000014002E268 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringwindowCOMMON

Download Yara Rule

APIs

SHGetFileInfoW.SHELL32 ref: 000000014002E31D
lstrlenW.KERNEL32 ref: 000000014002E330
SendMessageW.USER32 ref: 000000014002E3A5

Strings

7, xrefs: 000000014002E34A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FileInfoMessageSendlstrlen
String ID: 7
API String ID: 1791443542-1790921346
Opcode ID: fd089fbe94b865a4ff175553e115fef7a51f2bc2555e8dd100df362627659a02
Instruction ID: d8490fb1d67b395f664c64d04c705b151f0ec587bd65ca41e6f578b32846002c
Opcode Fuzzy Hash: fd089fbe94b865a4ff175553e115fef7a51f2bc2555e8dd100df362627659a02
Instruction Fuzzy Hash: 5B41B332214A8082E762DB26E8417DA73A1F7CCBA0F444225BB5E4BAE5DF3CC445CB00

Function 000000014000F9F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AC04: lstrlenW.KERNEL32 ref: 000000014000AC4C

MessageBoxW.USER32 ref: 000000014000FA39
PostQuitMessage.USER32 ref: 000000014000FADB

Strings

-install -nolisense, xrefs: 000000014000FAB5
DIR (error):, xrefs: 000000014000FA1A

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Message$PostQuitlstrlen
String ID: -install -nolisense$DIR (error):
API String ID: 3530804915-3378501890
Opcode ID: da9d2116cc6d976f98589fa54ca457e95707e8747e53270dfad2b62e2fa2f9a8
Instruction ID: 02d7fa17c24a308701276c9fe8fa7bfc21bf2d42b33da7dad155f12c4e7e3459
Opcode Fuzzy Hash: da9d2116cc6d976f98589fa54ca457e95707e8747e53270dfad2b62e2fa2f9a8
Instruction Fuzzy Hash: 8941937234098082E662DB7AE8553EA2391F78C7F0F144701AB3D976E2DF3DD8859B01

Function 00000001400FCFEC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegisterClassExW.USER32 ref: 00000001400FD066
CreateWindowExW.USER32 ref: 00000001400FD0A7

Strings

statis_dum_iii, xrefs: 00000001400FD03F
P, xrefs: 00000001400FD01C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClassCreateRegisterWindow
String ID: P$statis_dum_iii
API String ID: 3469048531-1313065383
Opcode ID: 7204a8fc8213da2249f4636d29afe0a13662ff5a4b7e30aacd79e94bcc40acda
Instruction ID: 0e978ea9e3005acd3e133d29108afae009959e9db712d3859dcc4d955e5486f4
Opcode Fuzzy Hash: 7204a8fc8213da2249f4636d29afe0a13662ff5a4b7e30aacd79e94bcc40acda
Instruction Fuzzy Hash: 02311972218B848AD750CF11F84838EB7B8F348B80FA5412AEB9C47724CF7AD965CB44

Function 0000000140002888 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400028B3
GetProcAddress.KERNEL32 ref: 00000001400028DB

Strings

SHLWAPI.DLL, xrefs: 00000001400028AC
QISearch, xrefs: 00000001400028D1

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: QISearch$SHLWAPI.DLL
API String ID: 2574300362-4145147620
Opcode ID: 024a2e34a9e16ffaf39e3ee9d7162d9bb1e6c21d7cf10d2e7c5e60dc774e91dc
Instruction ID: ab2e1c7d4fd7b7f29266dee46f7ffa0049422a4993816f206347337d25c21c3c
Opcode Fuzzy Hash: 024a2e34a9e16ffaf39e3ee9d7162d9bb1e6c21d7cf10d2e7c5e60dc774e91dc
Instruction Fuzzy Hash: 80011274206B4481EA9ACB17B84079A63A0BB5CFC0F488426EF5D07778EF3CC458C700

Function 00000001400F816C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400F819E
GetProcAddress.KERNEL32 ref: 00000001400F81B5

Strings

SHCreateItemFromIDList, xrefs: 00000001400F81AB
shell32.dll, xrefs: 00000001400F8197

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHCreateItemFromIDList$shell32.dll
API String ID: 2574300362-1230108373
Opcode ID: 55f173ef94ab55738991bd415ffd65b7ca69e7955fa855aaca1ef78abd096189
Instruction ID: 3ec731725c5976e047d5f3ed11543dc33774e5eb01105c34f16c41895327d7f4
Opcode Fuzzy Hash: 55f173ef94ab55738991bd415ffd65b7ca69e7955fa855aaca1ef78abd096189
Instruction Fuzzy Hash: 90012C34306B4180FE6ACB17B8643E522A4BB4CBD0F484539AF0E0BB74EF78C5429344

Function 00000001400010D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001102
GetProcAddress.KERNEL32 ref: 000000014000111E

Strings

SHLWAPI.DLL, xrefs: 00000001400010FB
SHAutoComplete, xrefs: 0000000140001114

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHAutoComplete$SHLWAPI.DLL
API String ID: 2574300362-1962728933
Opcode ID: 91fbb4a9fa89c319b7572ef584f78a7a01c34eab096ff84b722d1c6fe429b0da
Instruction ID: 9c84f83e5ba2447c17645bfe4ecb8d1c6c0cccc2d12660ec6964ceba05baf484
Opcode Fuzzy Hash: 91fbb4a9fa89c319b7572ef584f78a7a01c34eab096ff84b722d1c6fe429b0da
Instruction Fuzzy Hash: E1F03C31315A5081EB96DF57F9803EA62A1A78CBC0F984935EB5A47BB8DF78C9958300

Function 000000014011B3C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014011B3F6
GetProcAddress.KERNEL32 ref: 000000014011B412

Strings

SHLWAPI.DLL, xrefs: 000000014011B3EF
SHAutoComplete, xrefs: 000000014011B408

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHAutoComplete$SHLWAPI.DLL
API String ID: 2574300362-1962728933
Opcode ID: 1fce9783a230938123d34a771df2d9e771897002ef47b020f12f1327e121a8b2
Instruction ID: fed27306617197554a2f73ec955ba6208234ef249cfd57f541c290223bed88eb
Opcode Fuzzy Hash: 1fce9783a230938123d34a771df2d9e771897002ef47b020f12f1327e121a8b2
Instruction Fuzzy Hash: F9F04F3131565082EA569B57F9C07AA23A0B74CFC0F8C9832DB5E4BB78DB78C8958344

Function 0000000140048318 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014004832C
GetProcAddress.KERNEL32 ref: 0000000140048353

Strings

GdiplusStartup, xrefs: 0000000140048349
gdiplus.dll, xrefs: 0000000140048325

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GdiplusStartup$gdiplus.dll
API String ID: 2574300362-2859723088
Opcode ID: 6b284fe02d542a2ce75dd6ef7befe24c2a921d87d8afc18bd5ca5d95d158839b
Instruction ID: 02acb70657b7ce33846d5257c67c8b078a4d2101f609615c76177b8a4c57a85b
Opcode Fuzzy Hash: 6b284fe02d542a2ce75dd6ef7befe24c2a921d87d8afc18bd5ca5d95d158839b
Instruction Fuzzy Hash: 17014F73614B4082EB668F61F4543A973E0FB5CB88F4C4629AB9D0A7A8DF7CC658C744

Function 00000001400A5040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400A5072
GetProcAddress.KERNEL32 ref: 00000001400A5089

Strings

SHCreateItemFromIDList, xrefs: 00000001400A507F
shell32.dll, xrefs: 00000001400A506B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHCreateItemFromIDList$shell32.dll
API String ID: 2574300362-1230108373
Opcode ID: b134420dda41a678cf4efad9540bf980d1ee860ab89cf5841b3a577b61b047f8
Instruction ID: 6ecaa34bf034c5b73901124b93beb4e4cad3f1f82d00e2624006f4f16cdb6e34
Opcode Fuzzy Hash: b134420dda41a678cf4efad9540bf980d1ee860ab89cf5841b3a577b61b047f8
Instruction Fuzzy Hash: C5011D34612B4081FE46D717B8547D523A0BB5CFD1F489125AB5E0BB74EF39C5918784

Function 00000001400021F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014000222A
GetProcAddress.KERNEL32 ref: 0000000140002241

Strings

SHCreateItemFromIDList, xrefs: 0000000140002237
shell32.dll, xrefs: 0000000140002223

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHCreateItemFromIDList$shell32.dll
API String ID: 2574300362-1230108373
Opcode ID: a91374056d8a68bab526b41000e1498591f4dbb3c24734d4698b5937bf57ea7d
Instruction ID: b8c87af924705db2950075d95956967bfee2869166edcb5ef87f549912d79088
Opcode Fuzzy Hash: a91374056d8a68bab526b41000e1498591f4dbb3c24734d4698b5937bf57ea7d
Instruction Fuzzy Hash: 220119B1606B8090EA46DB57B9843D962A1AB4CFD0F489025AF4D0BB79EF39C585C344

Function 0000000140001A70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001A93
GetProcAddress.KERNEL32 ref: 0000000140001ABB

Strings

IUnknown_SetSite, xrefs: 0000000140001AB1
SHLWAPI.DLL, xrefs: 0000000140001A8C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IUnknown_SetSite$SHLWAPI.DLL
API String ID: 2574300362-510016731
Opcode ID: 6064f585d60d4145410394664492ab82eb0897fb9772e554ece2b036209c83a3
Instruction ID: 4f7f00e34cd4cc156fd306960ba262de995f3fe2bfab1153746e0823def66540
Opcode Fuzzy Hash: 6064f585d60d4145410394664492ab82eb0897fb9772e554ece2b036209c83a3
Instruction Fuzzy Hash: 4AF0ECB1702F4580EE56CB57B8407E522A0EB9EFD0F5840299F1E07BB8EB38C584C201

Function 000000014007E154 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014007E175
CreateSolidBrush.GDI32 ref: 000000014007E17F

Strings

, xrefs: 000000014007E15E
(, xrefs: 000000014007E1A0

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: BrushColorCreateSolid
String ID: $(
API String ID: 2798526982-1539405979
Opcode ID: 8bca26f666f68ddcab24edef733aa7cbd67f7eb763f99ad5e1c9ba8bd19d0f90
Instruction ID: cc96462c3d3a73b8de1c9c82f96d7f4ec678fd16d64f8ff339f61ba97182009a
Opcode Fuzzy Hash: 8bca26f666f68ddcab24edef733aa7cbd67f7eb763f99ad5e1c9ba8bd19d0f90
Instruction Fuzzy Hash: F0F06D7231478482EB229B22F5453DDB3A1F78CB84F844129EB8D077AADF3DC5448B00

Function 000000014001595C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140015974
GetClassNameW.USER32 ref: 0000000140015988
lstrcmpW.KERNEL32 ref: 00000001400159A4

Strings

#32770, xrefs: 0000000140015998

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClassNameParentlstrcmp
String ID: #32770
API String ID: 3513268407-463685578
Opcode ID: 3ae7b716422dc3192f24f15b70690bc868262ec55aadb2eb93d50f21e9092d4c
Instruction ID: e288a9f42ec0ff8e3952b93c68f4a1e9c458a99ced97bda2198b7ac34596bf18
Opcode Fuzzy Hash: 3ae7b716422dc3192f24f15b70690bc868262ec55aadb2eb93d50f21e9092d4c
Instruction Fuzzy Hash: EFF03071321A45C6EB519B62E89539923A0F74CBC9F941029DB4E8F274DE39C508C740

Function 0000000140105B58 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140105B83
GetProcAddress.KERNEL32 ref: 0000000140105B9F

Strings

SetWindowTheme, xrefs: 0000000140105B95
UxTheme.dll, xrefs: 0000000140105B7C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetWindowTheme$UxTheme.dll
API String ID: 2574300362-2822173195
Opcode ID: 6e0da49aacfabf357029b364a9a1c58496de4a0e89ac07912c19dfa8c451e8b4
Instruction ID: 0731938fe58207dfb6702455b0e71ea80bed2a645dcd5936e3ac2dc96702abd7
Opcode Fuzzy Hash: 6e0da49aacfabf357029b364a9a1c58496de4a0e89ac07912c19dfa8c451e8b4
Instruction Fuzzy Hash: 13F01274711B8081EA5ADB53B99439673A0AB4DFD0F884465AE4E0BB78EF38C5858300

Function 0000000140048424 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,00000001400487F1), ref: 000000014004843C
GlobalUnlock.KERNEL32 ref: 0000000140048460
GlobalFree.KERNEL32 ref: 000000014004846A

Strings

GdipDisposeImage, xrefs: 0000000140048435

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Global$AddressFreeProcUnlock
String ID: GdipDisposeImage
API String ID: 1533353642-3565980357
Opcode ID: a4abbf6f368b430c10a21c962181fb2737ca6e8b6dafcfd9994dcd65e6a59665
Instruction ID: d88b59f72e536f6f0b794206abc0cba7b427f7b5d53eb3b9d58d43c7f53d9297
Opcode Fuzzy Hash: a4abbf6f368b430c10a21c962181fb2737ca6e8b6dafcfd9994dcd65e6a59665
Instruction Fuzzy Hash: D3F0F47521264085FF569FB2D45536C2360EB9CF84F0D44258F090F264CF39C894C394

Function 00000001400EB2A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400EB2BF
GetProcAddress.KERNEL32 ref: 00000001400EB2DB

Strings

user32.dll, xrefs: 00000001400EB2B8
SetProcessDPIAware, xrefs: 00000001400EB2D1

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetProcessDPIAware$user32.dll
API String ID: 2574300362-1137607222
Opcode ID: 5b6d96cb6dbb1e847212dc029c4e773adc48d9993dbcc8fe46d1e707afd9163d
Instruction ID: 493432112d8da6590dd3b1c40e2d49a572422a9c4a2a5c2a3ae0f7300becff1c
Opcode Fuzzy Hash: 5b6d96cb6dbb1e847212dc029c4e773adc48d9993dbcc8fe46d1e707afd9163d
Instruction Fuzzy Hash: 34E0EE30303B0090FE5B9B63AC603A922A0AF0DB94F88082C8B0D173B0EF39CA448280

Function 0000000140102A7C Relevance: 6.2, APIs: 4, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4be9195cc77cef775c8262ad6f01d72f4586bf9be56751ae816e588f1db10a
Instruction ID: 8b70a3cb79fed4f23f4ea39d58610363a57c493864a3569b9f248fe61172f74f
Opcode Fuzzy Hash: 1c4be9195cc77cef775c8262ad6f01d72f4586bf9be56751ae816e588f1db10a
Instruction Fuzzy Hash: 45719E7130554055FA66EB63A8203EA6252AB9CFC4F48442AFF4E4BBF6EE78C945D700

Function 0000000140015064 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

#7.OLEAUT32 ref: 0000000140015142
#6.OLEAUT32 ref: 000000014001518B

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ceb622f80d42db67fe6a6f522834c050ab0093bd0d86a59864c8b844b44a3a
Instruction ID: e724c0a393fb44e7d7fe32b0fe0895aa892e40907ff70938ef366399635737c4
Opcode Fuzzy Hash: 51ceb622f80d42db67fe6a6f522834c050ab0093bd0d86a59864c8b844b44a3a
Instruction Fuzzy Hash: 57518036314B4192EB66AF26E4507AE63A0F78DBD5F444229FB4A4FBA4DF3DC5048B40

Function 000000014001BAE4 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014001BBE0
GetClientRect.USER32 ref: 000000014001BBEF
CreateAcceleratorTableW.USER32 ref: 000000014001BC17
GetParent.USER32 ref: 000000014001BC42

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ClientRect$AcceleratorCreateParentTable
String ID:
API String ID: 2716292469-0
Opcode ID: dde6dacba9a0fd88c2da3e85faeaa71228a4c03b5a5a80f5f4903a9e7cbb60fb
Instruction ID: e9e3a129fd05a8c3afb600424b66cc8f3f5fc5f14f7970f0e15b79112e3d724d
Opcode Fuzzy Hash: dde6dacba9a0fd88c2da3e85faeaa71228a4c03b5a5a80f5f4903a9e7cbb60fb
Instruction Fuzzy Hash: 94412C32204E4582DB62CF26E59079DB3A1F788BD4F494112EB9A8BB74DF7AC485C740

Function 00000001401024F8 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140102554
SendMessageW.USER32 ref: 000000014010256D
SendMessageW.USER32 ref: 00000001401025AD
SendMessageW.USER32 ref: 0000000140102620

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e9c618750f7e9578091f6e8aa6e7481c5c0fc8e068f3fb0e563ea0cbc207b183
Instruction ID: 4d5a6ef5ac5062a46ac362863f6712f742d6aee19744449d42b04f9158f65dc6
Opcode Fuzzy Hash: e9c618750f7e9578091f6e8aa6e7481c5c0fc8e068f3fb0e563ea0cbc207b183
Instruction Fuzzy Hash: B3313C32214B9586EB65CF62E800BCAB3A5F789F94F588026EF8D07B58CF39C545CB40

Function 000000014000998C Relevance: 6.1, APIs: 4, Instructions: 79stringCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00000001400099C9
lstrlenW.KERNEL32 ref: 00000001400099ED
LoadStringW.USER32 ref: 0000000140009A34
lstrlenW.KERNEL32 ref: 0000000140009A5D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: LoadStringlstrlen
String ID:
API String ID: 1897449643-0
Opcode ID: 457bd7444d0fc5994a8c104cdb6e2962a47c23aba82ab7f79dffde6ede849265
Instruction ID: 3cd70586c1396cff09d75043366134b9b1ed1679a98ee94d3190c10c9813ca6e
Opcode Fuzzy Hash: 457bd7444d0fc5994a8c104cdb6e2962a47c23aba82ab7f79dffde6ede849265
Instruction Fuzzy Hash: 4131717230568045EB22EB27F8983EA62A0F7CCBC8F454135EF8E87765DA38C445C780

Function 00000001400179A0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac78f750ec2e47ba6344a709ca526592b7416773e67249dee86739aa590f930
Instruction ID: 7c83a08e8cf7d5c6799400a3feae95c4bb6c90063c94fd271dd9d7610a84688e
Opcode Fuzzy Hash: bac78f750ec2e47ba6344a709ca526592b7416773e67249dee86739aa590f930
Instruction Fuzzy Hash: 0B213C32340B4182EA559F57E8407AD66F0AB8CFC0F888025AF4E8F364DE3AD9558301

Function 000000014001EC28 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014001EC45

Part of subcall function 0000000140105AD8: LoadLibraryW.KERNEL32 ref: 0000000140105B01

GetSysColor.USER32 ref: 000000014001ECC1
GetClientRect.USER32 ref: 000000014001ECFA
InflateRect.USER32 ref: 000000014001ED0D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: ColorRect$ClientInflateLibraryLoad
String ID:
API String ID: 2668497441-0
Opcode ID: ee54cd4c1953a957bb43c1b937c2af624417fde18b992d8604e50a31b5b21dc2
Instruction ID: 621d7bfdc53ed731dfeb870418368c788bc9be0a4d45be09091ebdda6881bc4a
Opcode Fuzzy Hash: ee54cd4c1953a957bb43c1b937c2af624417fde18b992d8604e50a31b5b21dc2
Instruction Fuzzy Hash: 273193322186C087E711E779E49039EB7A0F7C9760F500226F7D6879F9DA7DC9458B50

Function 0000000140020AAC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 0000000140020AF0
SetWindowPos.USER32 ref: 0000000140020B1A
SetWindowPos.USER32 ref: 0000000140020B46
SetWindowPos.USER32 ref: 0000000140020B9D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 98d8c97723451eee5fa419887b154b15311763850bf29c52930ce66418f04811
Instruction ID: 76e228422efc14ab171354e0e710eb4dd20a536a494ed9ee1e2266c35080bb6e
Opcode Fuzzy Hash: 98d8c97723451eee5fa419887b154b15311763850bf29c52930ce66418f04811
Instruction Fuzzy Hash: 72317F726146408BE761CF26E094BAEBBA0F7C8BA5F040125EB8947A68CB7CC549CF40

Function 00000001401043B4 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001401043FE
SendMessageW.USER32 ref: 0000000140104439
#18.SHELL32(?,?,?,?,?,00000001400213ED), ref: 000000014010444F
SendMessageW.USER32 ref: 000000014010446E

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 02ee0a031452a712dcc5a9b6ccb9cc4f5df80136606332f29e6b9056247e12a8
Instruction ID: f4b5b43e1dbcac641fd52aed1dc90abb487d34aedc2016f7dd9dbe00a17d074d
Opcode Fuzzy Hash: 02ee0a031452a712dcc5a9b6ccb9cc4f5df80136606332f29e6b9056247e12a8
Instruction Fuzzy Hash: 64214FB6304A5182E761CF23E8847DA7360F78CF84F5881219B898BB65CF39C986C740

Function 00000001400084DC Relevance: 6.1, APIs: 4, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140008513
lstrlenW.KERNEL32 ref: 0000000140008565
lstrcpyW.KERNEL32 ref: 000000014000857C
SetWindowTextW.USER32 ref: 0000000140008596

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$TextWindowlstrcpy
String ID:
API String ID: 3464547807-0
Opcode ID: db62b39b4671f13d4572fde29e556102d66c5e290e4090359d6da12b4e4a19fc
Instruction ID: c0fc1cc7a5d8f3d75b9a2797b5c5bd133a69d83c8b481480aec860af552f8b6a
Opcode Fuzzy Hash: db62b39b4671f13d4572fde29e556102d66c5e290e4090359d6da12b4e4a19fc
Instruction Fuzzy Hash: A1112B71205A4081EA25DB26B9543A96761FB8CFE5F044724AFAA0B7F9DF39C442C740

Function 0000000140025018 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140020420: SetLastError.KERNEL32 ref: 000000014002044D

Part of subcall function 0000000140024A78: SetParent.USER32 ref: 0000000140024AE9
Part of subcall function 0000000140024A78: CreateWindowExW.USER32 ref: 0000000140024B49
Part of subcall function 0000000140024A78: SendMessageW.USER32 ref: 0000000140024B6B
Part of subcall function 0000000140024A78: SendMessageW.USER32 ref: 0000000140024B80
Part of subcall function 0000000140024A78: SHGetSpecialFolderLocation.SHELL32 ref: 0000000140024BE4

GetWindowLongW.USER32 ref: 0000000140025053
SetWindowLongW.USER32 ref: 000000014002506F
GetWindowLongW.USER32 ref: 000000014002507E
SetWindowLongW.USER32 ref: 000000014002509C

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Window$Long$MessageSend$CreateErrorFolderLastLocationParentSpecial
String ID:
API String ID: 127071798-0
Opcode ID: 31d0594e58dac9dbcf91257bd07bd6adf73933fdf4610d401216bfd29f03893a
Instruction ID: e840238b4ca7c3278d7244374dd0ad3c6c885b7f1ffa2557ae340cb135501bd2
Opcode Fuzzy Hash: 31d0594e58dac9dbcf91257bd07bd6adf73933fdf4610d401216bfd29f03893a
Instruction Fuzzy Hash: 6C017125310A5082E7619B37E840B9DA261EBCDBE4F584215EF9987BB9DF35C8408A50

Function 00000001400FE8E0 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400FE8FF
SendMessageW.USER32 ref: 00000001400FE920
#21.SHELL32 ref: 00000001400FE932
SendMessageW.USER32 ref: 00000001400FE94E

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c7720ca7e7c40b996d3996fa9c523e65bfa02980a4f1ce7d30cdc8fcfbe39b0b
Instruction ID: 1753b21ec4ce3c16ece94459741227543a9f819e30e0fd13699a7feb37fece1f
Opcode Fuzzy Hash: c7720ca7e7c40b996d3996fa9c523e65bfa02980a4f1ce7d30cdc8fcfbe39b0b
Instruction Fuzzy Hash: 75014032308A8482EB618B66F45479AA360E78CFD8F188011AF8D47B68DE79C585DB10

Function 0000000140001AE8 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32 ref: 0000000140001B02
GlobalLock.KERNEL32 ref: 0000000140001B0E
GlobalAlloc.KERNEL32 ref: 0000000140001B1C
GlobalUnlock.KERNEL32 ref: 0000000140001B36

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: Global$AllocLockSizeUnlock
String ID:
API String ID: 2086698462-0
Opcode ID: 09c52875e877b2a5fc08a8396cdfbcce9c071e6894155dc83de6b17818f59550
Instruction ID: d4e86e2ec7734a2390b9ac896b665349f28d54d72912de68fa70092b4f6f7785
Opcode Fuzzy Hash: 09c52875e877b2a5fc08a8396cdfbcce9c071e6894155dc83de6b17818f59550
Instruction Fuzzy Hash: C3F0F475705B9485DA459B63B94439A67A1F78DFD0F4C8434EF4A4BB29DE3CC0418740

Function 000000014002049C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Edit Path ;), xrefs: 00000001400204E8
0, xrefs: 00000001400204D0

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen$ByteCharMultiWide
String ID: 0$Edit Path ;)
API String ID: 477651035-1818000224
Opcode ID: 8f265c33bc38ae585d8ce734efa95eedfd7aa536a2d69f8a7b000e511b4f5191
Instruction ID: 92e8f7f46945e047ba99f33e5a88af4d362af239cfe9d9597c6b8eead95aa8c0
Opcode Fuzzy Hash: 8f265c33bc38ae585d8ce734efa95eedfd7aa536a2d69f8a7b000e511b4f5191
Instruction Fuzzy Hash: E7515271204A4081EA52DB2AE4943EA7361FB89BF4F544316BB7D476F6DF78C841C740

Function 0000000140002AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32 ref: 0000000140002B5B
GetFocus.USER32 ref: 0000000140002B64

Strings

DirectUIHWND, xrefs: 0000000140002B4D

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: FindFocusWindow
String ID: DirectUIHWND
API String ID: 3177014434-3768200426
Opcode ID: af27027bf0b43742ae8a5b907855fffb2ff0bb26dd53e08ee966ba0d9613169e
Instruction ID: a4c3607e550bbc57b8f385f4c7907111bbb0e25a870caa10011de1781df032b7
Opcode Fuzzy Hash: af27027bf0b43742ae8a5b907855fffb2ff0bb26dd53e08ee966ba0d9613169e
Instruction Fuzzy Hash: C1310AB2314A4082EB15CF26E44439EB3A0F78DFD4F654922EB5D97AB4DF79C8848701

Function 000000014001D4CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001D560
SendMessageW.USER32 ref: 000000014001D57F

Strings

0, xrefs: 000000014001D546

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: MessageSend
String ID: 0
API String ID: 3850602802-4108050209
Opcode ID: 2cd662d7ebf6fac9ccfca7c5517019c1845b6673797ba0c1b39958fbc234c6cb
Instruction ID: 0edbeefc919d7124638846e930830738506a7f8c3ec3b61a7e0fdb640a844e4a
Opcode Fuzzy Hash: 2cd662d7ebf6fac9ccfca7c5517019c1845b6673797ba0c1b39958fbc234c6cb
Instruction Fuzzy Hash: 9F113A722096C486E722CB52E4543DAB7A1E7DDB99F484115EB880BB99CB7DC545CF00

Function 000000014000346C Relevance: 5.2, APIs: 4, Instructions: 189stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014000349C
lstrlenW.KERNEL32 ref: 00000001400034BB
lstrlenW.KERNEL32 ref: 0000000140003518
lstrlenW.KERNEL32 ref: 00000001400036A1

Memory Dump Source

Source File: 00000015.00000002.2140630984.0000000140001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000015.00000002.2140606165.0000000140000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140885980.0000000140156000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140939655.00000001401A9000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140966121.00000001401C7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000015.00000002.2140996434.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_140000000_MLE_Config_beta.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 2c91adfc4207df4da6370e711a4044172966fa88e970d98e7d5bd1eec2555210
Instruction ID: 831c3a05420aad9251ac649fad6c53a27428b546b4ada271ac814e6292017296
Opcode Fuzzy Hash: 2c91adfc4207df4da6370e711a4044172966fa88e970d98e7d5bd1eec2555210
Instruction Fuzzy Hash: 88619172301A449ADE26DF67E9443E9A7A5F78CBC8F488521AB4A8B7B5DE3DC045C700

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report K3UtwU3CH9.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MLE_Config_beta.exe

C:\Users\user\AppData\Local\Temp\MSI3996.tmp

C:\Users\user\AppData\Local\Temp\MSI3B8B.tmp

C:\Users\user\AppData\Local\Temp\cf3a1739

C:\Users\user\AppData\Local\Temp\e59d9e24

C:\Users\user\AppData\Local\Temp\eca08140

C:\Users\user\AppData\Local\Temp\oxstqvsuk

C:\Users\user\AppData\Local\Temp\snfgsgf

C:\Users\user\AppData\Local\Temp\xvjmsqbp

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISBEW64.exe

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\ISRT.dll

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\IsConfig.ini

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\String1033.txt

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\_isres_0x0409.dll

C:\Users\user\AppData\Local\Temp\{1A6328FB-D974-49DB-B6B0-6954CDDE92BD}\setup.inx

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\Dashboard.exe

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\UXCore.dll

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\hkdsl

C:\Users\user\AppData\Local\Temp\{D5CE2740-095B-41D8-8BD7-CD8C6AF97028}\mgty

Windows Analysis Report
K3UtwU3CH9.msi

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre