Edit tour

Windows Analysis Report
radarinstaller.exe

Overview

General Information

Sample Name:	radarinstaller.exe
Analysis ID:	786950
MD5:	09d605c20a1de79592e839c6d78e5d3f
SHA1:	4c2d403aecbb0e2bbc3549327fdde8d31caf1a84
SHA256:	e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97
Tags:	exeFragtorTrojan
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Costura Assembly Loader

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Contains functionality to launch a program with higher privileges

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

radarinstaller.exe (PID: 3576 cmdline: C:\Users\user\Desktop\radarinstaller.exe MD5: 09D605C20A1DE79592E839C6D78E5D3F)

radarinstaller.exe (PID: 4704 cmdline: C:\Users\user\Desktop\radarinstaller.exe" /i "C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Game Radar\Game Radar" SECONDSEQUENCE="1" CLIENTPROCESSID="3576" CHAINERUIPROCESSID="3576Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\radarinstaller.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1674079604 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\radarinstaller.exe" AI_INSTALL="1 MD5: 09D605C20A1DE79592E839C6D78E5D3F)

msiexec.exe (PID: 1236 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 2192 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4FBD723870247546C5E896E447E04486 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 1608 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D6F6D127C2C7F254CEAC4AF4A73CD162 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 3112 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 39123E73EC491C747669F30AC2EBC3D4 E Global\MSI0000 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x33a205:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x33ece1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3e7cf7:$s1: CoGetObject

Binary or memory string: &Configuration:,M3.2.0,M11.1.0/managerservice476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAbout WireGuardAddDllDirectoryAddresses: NoneCLSIDFromStringCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDialogBoxParamWDragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileFwpmEngineOpen0FwpmFreeMemory0GdiplusShutdownGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetModuleHandleGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleHanifi_RohingyaImpersonateSelfInsertMenuItemWInvalid key: %vIsWindowEnabledIsWindowVisibleIsWow64Process2NTSTATUS 0x%08xNotTrueTypeFontOleUninitializeOpenThreadTokenOther_LowercaseOther_UppercasePlayEnhMetaFilePostQuitMessageProcess32FirstWProfileNotFoundPsalter_PahlaviPublicKey = %s

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe, type: DROPPED

Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: radarinstaller.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe, type: DROPPED

Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI934F.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6e9004.msi

Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003167F0	0_2_003167F0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0033AC30	0_2_0033AC30
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0043E014	0_2_0043E014
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0020E230	0_2_0020E230
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0020C363	0_2_0020C363
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003C839A	0_2_003C839A
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002DC450	0_2_002DC450
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002184B0	0_2_002184B0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003B869E	0_2_003B869E
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001E4772	0_2_001E4772
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00396840	0_2_00396840
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003029A0	0_2_003029A0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003B8A2C	0_2_003B8A2C
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0030EAF0	0_2_0030EAF0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00204B30	0_2_00204B30
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0034EDA0	0_2_0034EDA0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00208E20	0_2_00208E20
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003CCE19	0_2_003CCE19
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001E2EA0	0_2_001E2EA0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002011B0	0_2_002011B0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003D328A	0_2_003D328A
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002173A0	0_2_002173A0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001FF420	0_2_001FF420
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00219450	0_2_00219450
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00257500	0_2_00257500
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00209650	0_2_00209650
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0021B720	0_2_0021B720
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001E7480	0_2_001E7480
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00209023	3_2_00209023
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003C0040	3_2_003C0040
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00218110	3_2_00218110
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0020E230	3_2_0020E230
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003D328A	3_2_003D328A
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002173A0	3_2_002173A0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003C839A	3_2_003C839A
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001FF420	3_2_001FF420
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00219450	3_2_00219450
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002DC450	3_2_002DC450
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00257500	3_2_00257500
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0021C600	3_2_0021C600
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00209650	3_2_00209650
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003B869E	3_2_003B869E
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001E4772	3_2_001E4772
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0021B786	3_2_0021B786
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001E7480	3_2_001E7480
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0020F9F0	3_2_0020F9F0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00204B30	3_2_00204B30
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0020BC61	3_2_0020BC61
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002FBDB0	3_2_002FBDB0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00208E20	3_2_00208E20
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003CCE19	3_2_003CCE19
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001E2EA0	3_2_001E2EA0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003CAEF1	3_2_003CAEF1
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00355F00	3_2_00355F00

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 001E8220 appears 35 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 001EA140 appears 52 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 001EA6D0 appears 60 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 001E9610 appears 239 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 002F9DE0 appears 52 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 003B022A appears 57 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 001E8190 appears 92 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 002011B0 appears 42 times
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: String function: 003AD922 appears 38 times

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002BA630 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_002BA630
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00341D40 NtdllDefWindowProc_W,	0_2_00341D40
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002540A0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_002540A0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00208270 NtdllDefWindowProc_W,	0_2_00208270
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001F8280 NtdllDefWindowProc_W,	0_2_001F8280
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001F8840 NtdllDefWindowProc_W,	0_2_001F8840
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_00202C90 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00202C90
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001FEE70 NtdllDefWindowProc_W,	0_2_001FEE70
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001F4E60 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_001F4E60
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0029EF50 NtdllDefWindowProc_W,	0_2_0029EF50
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001FEFE0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_001FEFE0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001F5580 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	0_2_001F5580
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002BA630 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	3_2_002BA630
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002540A0 NtdllDefWindowProc_W,	3_2_002540A0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00208270 NtdllDefWindowProc_W,	3_2_00208270
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F8280 NtdllDefWindowProc_W,	3_2_001F8280
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F5580 SysFreeString,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	3_2_001F5580
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F8840 NtdllDefWindowProc_W,	3_2_001F8840
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F7B50 NtdllDefWindowProc_W,	3_2_001F7B50
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F5BE0 NtdllDefWindowProc_W,	3_2_001F5BE0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00202C90 NtdllDefWindowProc_W,DeleteCriticalSection,	3_2_00202C90
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_00215D40 NtdllDefWindowProc_W,	3_2_00215D40
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001FEE70 NtdllDefWindowProc_W,	3_2_001FEE70
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F4EB7 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	3_2_001F4EB7
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0029EF50 NtdllDefWindowProc_W,	3_2_0029EF50
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001F4FF5 NtdllDefWindowProc_W,	3_2_001F4FF5
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001FEFE0 NtdllDefWindowProc_W,	3_2_001FEFE0

Source: wireguard.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: wireguard.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: RadarGame.exe.1.dr

Static PE information: No import functions for PE file found

Source: radarinstaller.exe, 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameGame_Radar.exe6 vs radarinstaller.exe
Source: radarinstaller.exe, 00000000.00000003.314586254.0000000005AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs radarinstaller.exe
Source: radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs radarinstaller.exe
Source: radarinstaller.exe, 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameGame_Radar.exe6 vs radarinstaller.exe
Source: radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs radarinstaller.exe
Source: radarinstaller.exe	Binary or memory string: OriginalFileNameGame_Radar.exe6 vs radarinstaller.exe
Source: radarinstaller.exe	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs radarinstaller.exe
Source: radarinstaller.exe	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs radarinstaller.exe
Source: radarinstaller.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs radarinstaller.exe
Source: radarinstaller.exe	Binary or memory string: OriginalFilenamePrereq.dllF vs radarinstaller.exe

Source: C:\Users\user\Desktop\radarinstaller.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: radarinstaller.exe	ReversingLabs: Detection: 21%
Source: radarinstaller.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\radarinstaller.exe

File read: C:\Users\user\Desktop\radarinstaller.exe

Jump to behavior

Source: radarinstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\radarinstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\radarinstaller.exe C:\Users\user\Desktop\radarinstaller.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4FBD723870247546C5E896E447E04486 C
Source: C:\Users\user\Desktop\radarinstaller.exe	Process created: C:\Users\user\Desktop\radarinstaller.exe C:\Users\user\Desktop\radarinstaller.exe" /i "C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Game Radar\Game Radar" SECONDSEQUENCE="1" CLIENTPROCESSID="3576" CHAINERUIPROCESSID="3576Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\radarinstaller.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1674079604 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\radarinstaller.exe" AI_INSTALL="1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D6F6D127C2C7F254CEAC4AF4A73CD162
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 39123E73EC491C747669F30AC2EBC3D4 E Global\MSI0000
Source: C:\Users\user\Desktop\radarinstaller.exe	Process created: C:\Users\user\Desktop\radarinstaller.exe C:\Users\user\Desktop\radarinstaller.exe" /i "C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Game Radar\Game Radar" SECONDSEQUENCE="1" CLIENTPROCESSID="3576" CHAINERUIPROCESSID="3576Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\radarinstaller.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1674079604 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\radarinstaller.exe" AI_INSTALL="1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4FBD723870247546C5E896E447E04486 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D6F6D127C2C7F254CEAC4AF4A73CD162	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 39123E73EC491C747669F30AC2EBC3D4 E Global\MSI0000	Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: RadarGame.lnk.1.dr	LNK file: ..\..\..\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe
Source: RadarGame.lnk0.1.dr	LNK file: ..\..\..\..\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe

Source: C:\Users\user\Desktop\radarinstaller.exe

File created: C:\Users\user\AppData\Roaming\Game Radar

Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

File created: C:\Users\user\AppData\Local\Temp\shi4EE4.tmp

Jump to behavior

Source: shi8DE1.tmp.3.dr

Binary string: oNrtCloneOpenPacket\Device\NameResTrk\Record3VtI

Source: classification engine

Classification label: mal68.expl.evad.winEXE@10/92@0/1

Source: C:\Users\user\Desktop\radarinstaller.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_0032E1F0 GetDiskFreeSpaceExW,

0_2_0032E1F0

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 3_2_002FFDA0 FormatMessageW,GetLastError,

3_2_002FFDA0

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_001EA000 LoadResource,LockResource,SizeofResource,

0_2_001EA000

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Game Radar

Jump to behavior

Source: radarinstaller.exe

String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`ActionTarget`Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'CustomActionSET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0AI_STARTMENU_SHAI_QUICKLAUNCH_SHAI_STARTUP_SHAI_SHORTCUTSREGNot Installe

Source: C:\Users\user\Desktop\radarinstaller.exe	Automated click: Next >
Source: C:\Users\user\Desktop\radarinstaller.exe	Automated click: Next >
Source: C:\Users\user\Desktop\radarinstaller.exe	Automated click: Install

Source: radarinstaller.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: radarinstaller.exe

Static file information: File size 11990127 > 1048576

Source: radarinstaller.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x256600

Source: radarinstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: radarinstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: radarinstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: radarinstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: radarinstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: radarinstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: radarinstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: radarinstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb\| source: radarinstaller.exe, 6e9004.msi.1.dr
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: wireguard.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI9FDA.tmp.1.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI996E.tmp.1.dr
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: wireguard.exe.1.dr
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\amd64\wireguard.pdb source: wireguard.exe.1.dr
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: wireguard.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb@ source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI9FDA.tmp.1.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI996E.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: radarinstaller.exe, 6e9004.msi.1.dr
Source:	Binary string: wininet.pdbUGP source: radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: wireguard.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: radarinstaller.exe, 6e9004.msi.1.dr
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: wireguard.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: radarinstaller.exe, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI52A1.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: radarinstaller.exe

Source: radarinstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: radarinstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: radarinstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: radarinstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: radarinstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match

File source: C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe, type: DROPPED

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_001FC230 push ecx; mov dword ptr [esp], ecx	0_2_001FC231
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003B097E push ecx; ret	0_2_003B0991
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002DCD60 push ecx; mov dword ptr [esp], 3F800000h	0_2_002DCE96
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_3_00C624ED push ss; retf 0000h	3_3_00C624EE
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_3_00C66998 pushfd ; iretd	3_3_00C669A6
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_3_00C62505 push ss; retf 0000h	3_3_00C62506
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_001FC230 push ecx; mov dword ptr [esp], ecx	3_2_001FC231
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003B097E push ecx; ret	3_2_003B0991
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002DCD60 push ecx; mov dword ptr [esp], 3F800000h	3_2_002DCE96

Source: shi4EE4.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi4EE4.tmp.0.dr	Static PE information: section name: .didat
Source: wireguard.exe.1.dr	Static PE information: section name: .symtab
Source: shi8DE1.tmp.3.dr	Static PE information: section name: .wpp_sf
Source: shi8DE1.tmp.3.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_00311960 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc,

0_2_00311960

Source: shi4EE4.tmp.0.dr

Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]

Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\shi4EE4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9A2A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI996E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FDA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI94E8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\shi8DE1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\ShortcutFlags.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI944A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI52A1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI934F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI5300.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI500E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI5233.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI590C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI59A9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\MSI51A5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9A2A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI996E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9FDA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI94E8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI944A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI934F.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\RadarGame.lnk

Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi4EE4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9A2A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8DE1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\ShortcutFlags.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI944A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI52A1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5300.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5233.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI59A9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\radarinstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe	Jump to dropped file

Source: C:\Users\user\Desktop\radarinstaller.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-37307

Source: C:\Users\user\Desktop\radarinstaller.exe

API coverage: 7.7 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_00396840 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,GetModuleHandleA,GetProcAddress,GlobalMemoryStatus,

0_2_00396840

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003227F0 ReadFile,FindFirstFileW,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_003227F0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002FC9A0 FindFirstFileW,GetLastError,FindClose,	0_2_002FC9A0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002FC040 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_002FC040
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002FE270 FindFirstFileW,FindClose,	0_2_002FE270
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003408C0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_003408C0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0030AB40 FindFirstFileW,FindClose,FindClose,	0_2_0030AB40
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0032CDD0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0032CDD0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002011B0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,	0_2_002011B0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0032D1D0 FindFirstFileW,FindClose,	0_2_0032D1D0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_002E1410 FindFirstFileW,FindNextFileW,FindClose,	0_2_002E1410
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_002FBDB0 _wcsrchr,_wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SetFileAttributesW,	3_2_002FBDB0

Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_003B50F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003B50F3

Source: C:\Users\user\Desktop\radarinstaller.exe

0_2_00311960

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_003AFA13 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_003AFA13

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003CA0DB mov eax, dword ptr fs:[00000030h]	0_2_003CA0DB
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003CA11F mov eax, dword ptr fs:[00000030h]	0_2_003CA11F
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003BB5D7 mov ecx, dword ptr fs:[00000030h]	0_2_003BB5D7
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003CA0DB mov eax, dword ptr fs:[00000030h]	3_2_003CA0DB
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003CA11F mov eax, dword ptr fs:[00000030h]	3_2_003CA11F
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003BB5D7 mov ecx, dword ptr fs:[00000030h]	3_2_003BB5D7
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003AF9A7 mov esi, dword ptr fs:[00000030h]	3_2_003AF9A7

Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_0021B0B0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_0021B0B0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003B0536 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003B0536
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 0_2_003B50F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003B50F3
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0021B0B0 __set_se_translator,SetUnhandledExceptionFilter,	3_2_0021B0B0
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003B50F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_003B50F3
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_003B0536 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_003B0536
Source: C:\Users\user\Desktop\radarinstaller.exe	Code function: 3_2_0021DA20 __set_se_translator,SetUnhandledExceptionFilter,	3_2_0021DA20

Source: C:\Users\user\Desktop\radarinstaller.exe	Process created: C:\Users\user\Desktop\radarinstaller.exe c:\users\user\desktop\radarinstaller.exe" /i "c:\users\user\appdata\roaming\game radar\game radar 1.0.0.0\install\game_radar.msi" ai_euimsi=1 appdir="c:\program files (x86)\game radar\game radar" secondsequence="1" clientprocessid="3576" chaineruiprocessid="3576chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_setupexepath="c:\users\user\desktop\radarinstaller.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1674079604 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\radarinstaller.exe" ai_install="1
Source: C:\Users\user\Desktop\radarinstaller.exe	Process created: C:\Users\user\Desktop\radarinstaller.exe c:\users\user\desktop\radarinstaller.exe" /i "c:\users\user\appdata\roaming\game radar\game radar 1.0.0.0\install\game_radar.msi" ai_euimsi=1 appdir="c:\program files (x86)\game radar\game radar" secondsequence="1" clientprocessid="3576" chaineruiprocessid="3576chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_setupexepath="c:\users\user\desktop\radarinstaller.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1674079604 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\radarinstaller.exe" ai_install="1			Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_002E4260 CreateFileW,CloseHandle,WriteFile,CloseHandle,ShellExecuteExW,

0_2_002E4260

Source: C:\Users\user\Desktop\radarinstaller.exe

Process created: C:\Users\user\Desktop\radarinstaller.exe C:\Users\user\Desktop\radarinstaller.exe" /i "C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Game Radar\Game Radar" SECONDSEQUENCE="1" CLIENTPROCESSID="3576" CHAINERUIPROCESSID="3576Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\radarinstaller.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1674079604 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\radarinstaller.exe" AI_INSTALL="1

Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_002FE790 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

0_2_002FE790

Source: wireguard.exe.1.dr

Binary or memory string: RegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWRoundingMode(RtlGetVersionRtlInitStringRtlMoveMemorySelectedCountSetBrushOrgExSetScrollInfoSetWindowLongShellExecuteWShell_TrayWndShutting downStartServiceWStarting%s %sSysFreeStringSysListView32Thread32FirstUnknown stateValueOverflowVirtualUnlockWTSFreeMemoryWireGuard: %sWriteConsoleWbad flushGen bad map statedalTLDpSugct?debugCall2048effect == nilexchange fullfatal error: getTypeInfo: gethostbynamegetservbynameinvalid UTF-8invalid base invalid indexinvalid stylelevel 3 resetload64 failedmin too largenil stackbasenot availableout of memoryparsing time runtime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListswireguard-%s-wireguard.dllxadd64 failedxchg64 failed}

Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_down.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_hot.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_normal.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_down.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_hot.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_normal.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_mid.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_mid_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_caption.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_caption_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_mid.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_mid_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\background.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\collecting.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\background.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\collecting.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\preparing.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\installing.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\finalizing.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: GetLocaleInfoW,

3_2_003C9DD6

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_0033C2F0 CreateNamedPipeW,CreateFileW,

0_2_0033C2F0

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_003B0F72 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003B0F72

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_001E7480 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_001E7480

Source: C:\Users\user\Desktop\radarinstaller.exe

Code function: 0_2_0033AC30 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_0033AC30

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	22 Masquerading	11 Input Capture	1 System Time Discovery	1 Replication Through Removable Media	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	1 DLL Side-Loading	13 Process Injection	13 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
radarinstaller.exe	21%	ReversingLabs	Win32.Trojan.Fragtor
radarinstaller.exe	34%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe	0%	ReversingLabs
C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\ShortcutFlags.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\lzmaextractor.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI500E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI51A5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI5233.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI52A1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI5300.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI590C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI59A9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi4EE4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi8DE1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI934F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI944A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI94E8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI996E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9A2A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9FDA.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://www.wireguard.com/	0%	Avira URL Cloud	safe
https://www.wireguard.com/initSpan:	0%	Avira URL Cloud	safe
https://www.wireguard.com/donations/key	0%	Avira URL Cloud	safe
https://www.wireguard.com/D	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://www.wireguard.net/D	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.wireguard.com/	wireguard.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr	false	Avira URL Cloud: safe	low
https://www.wireguard.com/initSpan:	wireguard.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	false		high
https://www.thawte.com/repository0W	radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	false		high
https://www.wireguard.com/D	wireguard.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.wireguard.com/donations/key	wireguard.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	false		high
http://www.google.com	radarinstaller.exe	false		high
http://www.yahoo.com	radarinstaller.exe	false		high
http://.css	radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr	false	Avira URL Cloud: safe	low
http://.jpg	radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr	false	Avira URL Cloud: safe	low
https://www.wireguard.net/D	wireguard.exe.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	786950
Start date and time:	2023-01-18 23:08:11 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	radarinstaller.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.evad.winEXE@10/92@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MSI500E.tmp	Danfe2372342.msi	Get hash	malicious	Browse
	Danfe2372342.msi	Get hash	malicious	Browse
	id-Processo_Z5TGVQUK.msi	Get hash	malicious	Browse
	id-Processo_Z5TGVQUK.msi	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\6e9005.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9187
Entropy (8bit):	5.666794180289226
Encrypted:	false
SSDEEP:	192:1MQfbbeq2qVY3OVY3OG5cS8x+NXNIVrKhopL5Qe4u1pIsno:1MQf+qW3d3Z5cS8UNNIVrKq5Qe4u16so
MD5:	194942817C38B57D264CC6FED168803B
SHA1:	F013CB06FE6084FFC77D6868404561EB82286986
SHA-256:	2C9439A1EE426290E36261BF16030787FB4044AA272F374AD36824B2468DF20E
SHA-512:	07877E1A5A4A7F54EB6DA7E47794F560D9153A56CE3D8DBEF451EE515E69DFA895E2048BE6DAB05CBDF13F83A1EFE59BE19EEB9FB1FC1560BBD2D99F5746D494
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@..2V.@.....@.....@.....@.....@.....@......&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}..Game Radar..Game_Radar.msi.@.....@.....@.....@......RadarGame_1.exe..&.{7CFE1D50-7AB2-42B5-ABF1-033649902C54}.....@.....@.....@.....@.......@.....@.....@.......@......Game Radar......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E16BA958-06CF-4657-BF55-27D241F9A0F8}&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}.@......&.{5601E68C-DE96-4D78-B167-8BD26B89F86E}&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}.@......&.{06231126-92BF-4CB6-87E2-108CB8D83E29}&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}.@......&.{9AF70465-4AB1-4435-BE3B-4A35DC5768FE}&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}.@......&.{9397EFD7-5633-4EA0-93BE-09B3E5B97482}&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}.@......&.{3CB35167-20F5-4D6C-887C-5F0F4E6FBD6D}&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}.@........CreateFolders..Creating folders..Folder: [1]#.-.

C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3828736
Entropy (8bit):	7.981454199098955
Encrypted:	false
SSDEEP:	98304:dtvh2ZVKb3agOF4+pl7qwkjncHtxxfjot:HgG3aDzlewkjnktxxLc
MD5:	9EC9288C055E39419DE1D2888F1CF01C
SHA1:	222AADBE56433E7071F1AF5684C6AF0F96E431A7
SHA-256:	28BC1D2B8800E309B1A1EB401123A04EC29062D18BBEC339D65693FCA1A34147
SHA-512:	33AA6AD25655226CFAF8C4E829876BEDB3C1DAD3A6AB631ACC06259C722BA7F815293EA2A6C7ADAC2D55240081021A45E0F0FF121419CB9C6B204B8D6181B413
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....m............"...0...9.............. ....@...... ........................:...........`...@......@............... ................................9............................l.9.8............................................................ ..H............text.....9.. ....9................. ..`.rsrc........9.......9.............@..@........................................H.......@\8.,v..........8....^7..........................................(J.....0...........(.......(......{.....o......{.....oT.........E............r...-...V...+p.{.....o.....+c.{.....o......{.....o.....+G.{.....o......{.....o......{.....o.....+..{.....o......{.....o.....+.+..0..<.......s.......}......}......}.....(....o...........s....o...+.+...0............(....&.{.....+..B...}.....(.....B...}.....(.....B...}.....(.....B...}.....(.......0..*.........{......,..+...}....r..

C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8188928
Entropy (8bit):	6.150381564232972
Encrypted:	false
SSDEEP:	98304:U3eLwRi1vqC218Liu6zlUTL3YcTpOG7ZE78:0tDuml2Yc9OG7ZE78
MD5:	FEA28E2A6E2C3F2DFADC865E0520624B
SHA1:	2420686F4B00DE9890AFFB63B28C38612AA3DE08
SHA-256:	987FA1F6DFAAA3F45EDA9BB7B0F697C0773A14097297165842FA4C2FFA3C229B
SHA-512:	EFEAF40B065D5B5B2A80AE4C8E1CA92331414E47C9D904D7A680C6B4FACD73C4280B62F73940C804BFE85B673BE8E715CDCE04606BD7DEF4E76E6DDD738B549B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........^.......".......'..........@........@..............................P............`... ..............................................Pc.\|....`d.T....................`c.8...................................................@.Y.@............................text...%.'.......'................. ..`.rdata...r1...(..t1...'.............@..@.data........Y......lY.............@....idata..\|....Pc...... ].............@....reloc..8....`c......&].............@..B.symtab......Pd.......^................B.rsrc...T....`d.......^.............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.h

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	C source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	12613
Entropy (8bit):	5.119263951334253
Encrypted:	false
SSDEEP:	384:vz8hmRknL1/+z/bkn74bHIof9zpcDOpUcpGh739GRSgkRg:goy5WoCtI3pxgf
MD5:	DE61150D159B575AD7F122BB487C7AC9
SHA1:	FBAAFFC946157200C3CFF8DB7D29616B82EC7C94
SHA-256:	A9B063485976222F1DD90703914B13F3F635537D9B41AB4A50AA74EBF58A9D16
SHA-512:	BA2DA6AB96D2954CC1C2E3C8BC3226937F4164C40E64AC8130C58FA0919666AF37332C03792BBF6A22B21AE2844C210DED55F2FCD26C9F4A464DC43AF4C27A15
Malicious:	false
Reputation:	low
Preview:	/* SPDX-License-Identifier: GPL-2.0 OR MIT.. .. Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved... /....#pragma once....#include <winsock2.h>..#include <windows.h>..#include <ipexport.h>..#include <ifdef.h>..#include <ws2ipdef.h>....#ifdef __cplusplus..extern "C" {..#endif....#ifndef ALIGNED..# if defined(_MSC_VER)..# define ALIGNED(n) __declspec(align(n))..# elif defined(__GNUC__)..# define ALIGNED(n) __attribute__((aligned(n)))..# else..# error "Unable to define ALIGNED"..# endif..#endif..../ MinGW is missing this one, unfortunately. /..#ifndef _Post_maybenull_..# define _Post_maybenull_..#endif....#pragma warning(push)..#pragma warning(disable : 4324) / structure was padded due to alignment specifier /..../.. A handle representing WireGuard adapter.. /..typedef struct _WIREGUARD_ADAPTER WIREGUARD_ADAPTER_HANDLE;..../*.. Creates a new WireGuard adapter... .. @param Name The requested name of the adapter. Zero

C:\ProgramData\Microsoft\Windows\Start Menu\RadarGame.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Jan 13 18:22:52 2023, mtime=Wed Jan 18 21:09:28 2023, atime=Fri Jan 13 18:22:52 2023, length=3828736, window=hide
Category:	dropped
Size (bytes):	2120
Entropy (8bit):	3.652288454542775
Encrypted:	false
SSDEEP:	48:8GM8fdOo0MWZhiEcRQd37dX25ZSrWTLcQ:8GlTEcj5CWTLc
MD5:	AC8C036E05D0A3C0116D477500C74F8C
SHA1:	724A024FC687A24215852624B3FD3BB8657A9993
SHA-256:	FFC72841FB2CE9E4049B67EA31DC2062A0C21E3645B1F716A4725CEC589BCA14
SHA-512:	73D23AE06A05CFC637123A99444BE99F7ABBD98309FB7CEDA62A5B43B6E609D0F5BF2F1FD01B539E4C2FB00C6B35B5BDE0D9AA7637A0A3F377C0CD916339853B
Malicious:	false
Reputation:	low
Preview:	L..................F.`.. ....N.n.'...`z..+...N.n.'...l:..........................P.O. .:i.....+00.../C:\.....................1.....2V....PROGRA~2.........L.2V......................V.....;.).P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....2V....GAMERA~1..F......2V..2V......lX....................;.).G.a.m.e. .R.a.d.a.r.....^.1.....2V/...GAMERA~1..F......2V..2V/.....oX.....................B..G.a.m.e. .R.a.d.a.r.....h.2..l:.-V. .RADARG~1.EXE..L......-V.2V/.....sX........................R.a.d.a.r.G.a.m.e...e.x.e.......i...............-.......h.............R.....C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe..C.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.a.m.e. .R.a.d.a.r.\.G.a.m.e. .R.a.d.a.r.\.R.a.d.a.r.G.a.m.e...e.x.e.-.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.a.m.e. .R.a.d.a.r.\.G.a.m.e. .R.a.d.a.r.\.K.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.C.0.1.F.B.F.1.-.5.0.0.B.-.4.7.9.0.-.9.A.3.3.-.B.B.

C:\Users\Public\Desktop\RadarGame.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Jan 13 18:22:52 2023, mtime=Wed Jan 18 21:09:28 2023, atime=Fri Jan 13 18:22:52 2023, length=3828736, window=hide
Category:	dropped
Size (bytes):	2114
Entropy (8bit):	3.65184425635552
Encrypted:	false
SSDEEP:	24:8GM8fdOEfpvWqAhiEadRYe7dRYc2+MW+NNSQ34WW+NGUUdedePyfm:8GM8fdOopvWZhiEad37dX25ZSrWTLcQ
MD5:	0D6A998FE9DF55B5BF3E76DC1B0F4B78
SHA1:	6FA7A813E5B9FD4A4C55A630B1783706343C0CB6
SHA-256:	8EE3A4666F5301DEF5A8A412486FA93A9F4FE81B224677EDB602D8FD34151D97
SHA-512:	8EB68CBAE886B50B8CC754D390CA55E56DC4CEEF8CD38C68B2CD36EE12466FA2F88371D43B5F63D1DF8EFBBF13B7DEFEE68704B5F9F67576E2CD8F4B76DD2FB0
Malicious:	false
Preview:	L..................F.`.. ....N.n.'...`z..+...N.n.'...l:..........................P.O. .:i.....+00.../C:\.....................1.....2V....PROGRA~2.........L.2V......................V.....;.).P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....2V....GAMERA~1..F......2V..2V......lX....................;.).G.a.m.e. .R.a.d.a.r.....^.1.....2V....GAMERA~1..F......2V..2V......oX......................'.G.a.m.e. .R.a.d.a.r.....h.2..l:.-V. .RADARG~1.EXE..L......-V.2V/.....sX........................R.a.d.a.r.G.a.m.e...e.x.e.......i...............-.......h.............R.....C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe..@.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.a.m.e. .R.a.d.a.r.\.G.a.m.e. .R.a.d.a.r.\.R.a.d.a.r.G.a.m.e...e.x.e.-.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.G.a.m.e. .R.a.d.a.r.\.G.a.m.e. .R.a.d.a.r.\.K.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.C.0.1.F.B.F.1.-.5.0.0.B.-.4.7.9.0.-.9.A.3.3.-.B.B.4.2.D.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\New

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.9169468593135157
Encrypted:	false
SSDEEP:	96:+f+OFx/DgstjfDaf///////aorGbaX8PSccl1q12xfnW1orsKc:+WqDgOQ///////aoZsP+/qAVnWursKc
MD5:	1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
SHA1:	6E567D732354BBB21F9A57BBB72730C497F35380
SHA-256:	4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B
SHA-512:	5EFEA023B18FFD5B87A19837BA2C72C179B55B7C3071B773A032C63D7268DBE25E2902AE8B111AD83A4F005346B378C7A75033ADAEE90805BCB4FEC2822E54C0
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\ShortcutFlags.dll

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	298400
Entropy (8bit):	6.587657990073731
Encrypted:	false
SSDEEP:	6144:xQ3LMS8zXh5BxLeH+Lvh/nhmAOxesSd7nkhoaJ:xQ7wXjreamXe7d7nkhoaJ
MD5:	2BF4796C8D716FAC116C39BFF78B20E5
SHA1:	70D1B68F14D92213BB6DBC231A1122331E8E8813
SHA-256:	9D5C6A9038FAA187AA53F6C1602B6CF072924548DDA5D4E4429761D2A732274C
SHA-512:	2C970B3DF4E23AF9B8EBF2F24F7BDCE1E4299380075C42FC958BFA5423D36170CA86A0C50ADD075E4FA639DD1EAEF46DE1AC7477703DE439BE863C9211D36679
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|.../.../.../P....../P...$../....../....../....../P....../P....../P....../.../P../B....../B....../B.J/.../.."/.../B....../Rich.../........PE..L...Q.c.........."!...".....j......gN....... ............................................@..................................0.......`..x............j...#...p.....h...p...............................@............ ...............................text...o........................... ..`.rdata....... ......................@..@.data........@.....................@....rsrc...x....`.......8..............@..@.reloc...*...p...,...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\Up

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.7901346596966383
Encrypted:	false
SSDEEP:	192:+n5lkX/1//AJffffPTb6ylHJxnSfFN5pM2C:+5lkX/K
MD5:	FD64F54DB4CBF736A6FC0D7049F5991E
SHA1:	24D42FB471AAA7BCD54D7CCB36480F5ADD9B31D4
SHA-256:	C269353D19D50E2688DB102FEF8226CA492DB17133043D7EB5420EE8542D571C
SHA-512:	EC622AFAB084016F144864967A41D647E813282CB058F0F11E203865C0C175BA182E325A6D5164580FF00757C8475B61DE89CCC8E892E1B030E51B03AD4EAFB4
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\background.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 700x526, components 3
Category:	dropped
Size (bytes):	28759
Entropy (8bit):	7.80109573064427
Encrypted:	false
SSDEEP:	768:4RfffnJ2PsZb6TqbI+82MPI+yIlsNfoVlZy7m6gVndNnih:u2UZb6Tc82wYMOQhJ6Sfih
MD5:	440BAFA90AD424948ECE33382243258E
SHA1:	C2F9D3E70878CA6637D3135B34523057C0CE7731
SHA-256:	BA5916A0240CE19D16F6330AD142A27968FA1C268753702732955D6DFC051CAF
SHA-512:	DA877B61C52D2742FF1D42869F1EFB880E1541919D77485C97EECA9E585932C79ED407C7A1BA97FB02BE9938726BBD05495254DCBB104A7BBFC38E75A63B2432
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......A......Adobe.d...................................................................................................................................................................................................................................!1AQ..aq...."....2R...Bb.T..U.r......#3s.$4D..CS.dt%5...c...............................?...*w.y...x.Z<.3....j.ON...c.............7...9......5...9......7...9......5...9...\|~#..>..@..\|~#.}>..A=....._O..=....._O.._\|w..<...\|..\|w..\...\|..\|w..\...\|.......7...9..=...7...9..=...7...T.\|...\...\|...]...7...9...\|.%..6..@..\|.%..6..@..\|.%..6..@..\|.%..6..@..\|~%..6..@..\|.%..>..A=..?.s.O.._\|...\...\|..\|...\..j\|..\|...\..j\|..\|...\...\|..\|...\...\|..\|...\..j\|..\|...\...\|..\|...\...\|..\|...\...\|..\|...\...\|..\|...<...\|..\|...<...\|...=...7...9...\|.#..>..@..\|.#..>..@..\|.#..6..@..\|.#..6..A=..?...M.._\|...<..j\|..\|...<..j\|..\|...<...\|..\|...<...\|..\|...<..j\|...=...7..9...\|.#..>..A=..?.s.O.._\|...\...\|..\|...\...\|..\|...\...\|..\|...\..j\|..\|...\..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\cmdlinkarrow

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
SSDEEP:	48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false
Preview:	..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...\|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\collecting.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 18x115, components 3
Category:	dropped
Size (bytes):	818
Entropy (8bit):	6.891913796943972
Encrypted:	false
SSDEEP:	12:VaUCEaslMrYFi/nMD6zww0z+T1Z6u/AMeg85K+d0Qd0N7Wj62JIYdZihm/xuB:02srEi/noeN0yBZ60egm5O/AjhJIYHBW
MD5:	9764C4D94006555ADF9954DBD3EF5A56
SHA1:	25C41BCB413170BCCD838EA87C56B67E00686704
SHA-256:	0D46EA835B805E76175A2B45EC7EA61E92212CAE88A86AF8D668412BE20B07E4
SHA-512:	5E682D654EB2B34722C4FFB8FDAC73FF1ACFA0705AF6FBC891C3DC725677838DC6150E5BCB8A0B2D4B38C5C35451820DA7E0EA7FD0108EC0F1F86E1F3B46E50A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......:......Adobe.d................................................................ ................ ......s......................................................................................!AQ.1a....q.."BRbS....3..rc5......................!A.1...QaB...............?..N..E.........x...~.03.M......N.m..JR-.}\|CEiZ....T.ol...>.E3..e..F>..t..DwN\|...:..Z..c...X..)}.:.~<.E..s......%...=Y..i2.]T...=.ZYt3?..3@....+^j..[Wx..~./.....F..e;......k&Ni........B.......w.G.fm..0.....W..;..}J..W.v.K..V..v..f.o....=.d..k:)....2h.\|.L..+..F...O......f.... c..P@.........p.<....#..@.p...."@!.......g.iA;.......c...NSsJ..p;.......t.........^A.@.w...l...7..........E.(4.c...\|H,6....H.@.. Q.......1..P>...6....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\completeex.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.375991791179847
Encrypted:	false
SSDEEP:	384:Vry8tRhFKN+e1jn5T0FHQHgoSuqwcIrdpIM:VrJTAkE9T4HQHPS0cAdF
MD5:	DB1DB0D97484274A6A43D03DD10F5CFC
SHA1:	7FD2F78BFAD9CC2CD7E5F40E5DB396AA5E989334
SHA-256:	20B239B05BF2F5EE64BB8BC88260567B77FBA0BC97A85A9AE0B95A35B0A160A9
SHA-512:	0C8245BD28130BDD9295F9C6ECEF7A802232CD2266049A737205E02B2D35EE954675FAABA136FA002204803050B981515F418DE46A1BB3FC2CCC8AD64B47FADF
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................................p........w.............w...p....x.....p.....p.........wx..................................p.................................................................................................................................................................................................................................o.....p.................o.....p.........................................................................................................................................................p......p........................w.............p........ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...........wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\customex.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.34168821588216
Encrypted:	false
SSDEEP:	384:Vry87bGFKE+e1jn5T0FHQHg+MenVFwcIrdpIM:VrXCABE9T4HQHtMenocAdF
MD5:	2092CC288266441C8D7204A2CA9E4079
SHA1:	07518125705D7AC6DBFB536992950777969E995D
SHA-256:	F831BFC02DBEDE4B2618D1AD06AD4B794E04938566173F57AF32BF9547968DFF
SHA-512:	0DD8C170D9FC739470A2B8A26562F994EC13686BCF3C1965B24EE96535AF5FDD36A4FCBB3528BC6F691038D144F34E9B9E14BBE6A23F18D76263F78A9120B120
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................................p........w.............w...p....x.....p.....p.........wx..................................p.................................................................................................................................................................................................................................o.....p.................o.....p................................................................................................................................................................p........................w......................ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...........wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\exclamation.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	4.339511276304085
Encrypted:	false
SSDEEP:	96:KYvlkFEXFYU2+yCvIFA13cJ/rrrrrpbEn5UnanjPRZfZy1wvI8:bVXuzd6IF0czwNPDZfI8
MD5:	93D722FA20A988A5C257A58BF155DC66
SHA1:	30C0D19F02CB39F8804DAFE6AF483A09C76E2338
SHA-256:	F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
SHA-512:	BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`....................................-...<...I...L...P...S...S...T...G...@...K...V...W...Z...\...]..._...C..^...`...`...f...a...f..&e.."f..n..)v..3w..5v..2x..7\|..8}..<}..B}..._...e...k...a...m...p...t...r...z......5...M{..............,...0...+... ...,...<...?...<...:.......................................;.......-...!...-...................................................#...#...*...6...5...;...'.../...#...(...,...(...,...:...;...6...1...:...A...@...K...J...L...B...A...S...D...K...V...\...R...M...M...K...M...e...`...`...k...d...m...s...z...Y...e...}.......z...J...G...J...B...E...V..._...]...U...[...Y...Q...L...G...F...B...M...J...P...[...R...\...P...Z...b...i...e...b...l...f...u...~...b...k...g...m...c...s...z...5...<...C...J...N...T...Z...U...X...]...g...c...m...c...h...z...s...z...t...}...i...r...u...t...~.....................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\finalizing.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 18x115, components 3
Category:	dropped
Size (bytes):	1255
Entropy (8bit):	7.411043414041631
Encrypted:	false
SSDEEP:	24:02sjBLrd7b6aO1aMZRDsvEevnjI7Pn3IuYKnBXvDQZ3jCCXosDrSeBrD3:Dkh7LOvP2/jwUKnFvG3jCzsXS4D3
MD5:	8B006525C7CD62BCEA852CCFE17D1322
SHA1:	71E0F9C559EA450C3B4F80ADF6E5671D244A390B
SHA-256:	72F8356EB832B88D79B38CF7D34548BAF031AD7E47547C9050FB65D504B868AB
SHA-512:	74EC5BBBE1981299E276F4B408A06DC31B7840341F061BCB20D538E26BF82EEFC4E5889D084B5D02CC7337D9D8B643CF8E2ED4B444CDE419D58800D82AC63BA8
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......:......Adobe.d................................................................ ................ ......s.......................................................................................!1...Q..aq."2b3S.A.R4T5..B#...Cc.....................!..A.1...Qa.B................?..:.z.@uz.....s_N.E..e1VW:..`.r.+.!....`...5....x.m..z.H.CI1.x..4uS,..a.....v...Efd"...ZN...u.o....}.h..xe.?.i...f.+.:.'@\.b2......%'>..{ ...t).z..m..(.....EH..)j.. ..T.$..RNI@%I~\|..........\?.5.j.~T(.;(.YZ...,...E..........}f]._B...6.....$.....\b.t.6..t..Z.B.0$.hVfB...i8.S..E....u.O.rU..M.e.&...n...p{FW......JN\|]+.T.;H.T.t.......v........U.=.y}..8W.+.X.b.@,..z ..V{.:...s. f....C..u?e.[.J./.)j."...._f..Y....u....._...i6t_.4....i.;.2&..L...Ci...o1ZN...u.o....{..xg.s.2.+y.n.7\qS...$.8W..........@H.K...E+.1P...l..Wh..*@F..._\|..v...v.....l....P....QA@.k...kY....c...,....V.A.....)...>..ZV..n..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_left.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 3 x 24, image size 38, resolution 2834 x 2834 px/m, cbSize 92, bits offset 54
Category:	dropped
Size (bytes):	92
Entropy (8bit):	2.8700552836237883
Encrypted:	false
SSDEEP:	3:k6llllDlO36NKvl2fllCn//l:k6l1S6c2f/C/t
MD5:	11C2AD5C2D776F5B68243C5AC17DEB4D
SHA1:	EF23AF0AC3D648C8D1499694F7EE6DFC57A70D0F
SHA-256:	5D0C71B7D593B8EBB38481F854DAAEBCC03BFC2D23DACFC7F0B72138DF503E3E
SHA-512:	6418EAC83D23179A58EA594F0D94C23A7276002FA5BA37F549740AF8893C30566B1EA34A0EFE517F6965BECAC7C7E81654F79DE57C79DFA62E3B7D547F68456D
Malicious:	false
Preview:	BM\.......6...(...................&...................Q/.Q/.Q/....Q/...f..e...Q/...edD......

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 3 x 24, image size 38, resolution 2834 x 2834 px/m, cbSize 92, bits offset 54
Category:	dropped
Size (bytes):	92
Entropy (8bit):	2.7977180876232053
Encrypted:	false
SSDEEP:	3:k6llllDlO36tFGFSG6G8kJzy//l:k6l1S6TG/D1Zy//l
MD5:	02AED802F7599568D96C4D1C9C59CE1F
SHA1:	F894C970B780FC92B9D66F4EB6A4DEF32AF1133D
SHA-256:	A86AF1573755840A7E8DE90F318A19486042FF7C7E908E3546BE813E5C44D5B3
SHA-512:	AC64E2DA7CE0F96A544E9779A0E32446764AF23E0DF9D3796ADEA92D83779E6AE0802D1376B2137F0135A1097F1D5497C3070C69F979E97B7FAA4098EFA1089C
Malicious:	false
Preview:	BM\.......6...(...................&...................}cM}cM}cM...}cM........}cM....sW.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_mid.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.364912998090995
Encrypted:	false
SSDEEP:	3:84lul0lblO36N4RsC/l:84luKa66RsCt
MD5:	19DAD4F18DC0B3F3AB4D29DB99203696
SHA1:	B39F63E412AA47F6294B7C87F60628FA8D7F22E4
SHA-256:	CCDB2B04B54AD7670F32C6EE59341E9F9019A1096F48AAB13DE0D61468F79199
SHA-512:	43244581C3DEED166C19AEC3AE51DA3A7F204041202D5457735B4EDC94E35C8D841DD368D081BD2F238977765BFB74F888325955511A4E6DB1D331A506FE1650
Malicious:	false
Preview:	BMD.......6...(.......................................Q/....d.oR'...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_mid_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.3060894686792306
Encrypted:	false
SSDEEP:	3:84lul0lblO36tpgQ/:84luKa6EQ/
MD5:	C76FFA43A931CBC439957A50FD23B81A
SHA1:	5FB9A5A7C7A0F8E8EFF39D19ED1ACCB00AA95742
SHA-256:	A654806C30FC067D7A7E2A760899E01B844D9772B74CF57F8925B7B024A37EF5
SHA-512:	543959BDBE332A9A5E691665DB4F39A539AA0E9E005FB74E90E777B52E911E45B106292D50D8A9F9434ABDC1085164C0B1B6498EB0E1C8C3B5101CDBBB43AFED
Malicious:	false
Preview:	BMD.......6...(.......................................}cM......}]...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_right.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 3 x 24, image size 38, resolution 2834 x 2834 px/m, cbSize 92, bits offset 54
Category:	dropped
Size (bytes):	92
Entropy (8bit):	2.840110854252446
Encrypted:	false
SSDEEP:	3:k6llllDlO36NKvlxIvccn:k6l1S6c+vPn
MD5:	394D8DEF22BCD5B938E0E91ED9CA0117
SHA1:	2C76AEFA7410B5C1D50DB343A3EC10BB97073E70
SHA-256:	0AABF62C6DA0FA584850A9A615CCD4A26DC14DAE887B4DE40A68EEC90D251192
SHA-512:	7E4E1151AC614C80953DAEB6AA513A9529FD9DA627F11B0A08982431F70DED7CE39ECFA0417BE45C9903C92BA1E24F4A1AE8C8A7DFF0662033D9BB7492F1D5AB
Malicious:	false
Preview:	BM\.......6...(...................&...................Q/.Q/.Q/......e..fQ/....dD...eQ/......

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 3 x 24, image size 38, resolution 2834 x 2834 px/m, cbSize 92, bits offset 54
Category:	dropped
Size (bytes):	92
Entropy (8bit):	2.7677736582518637
Encrypted:	false
SSDEEP:	3:k6llllDlO36tFGFuIJ/uW1ll:k6l1S6TG1Jbvl
MD5:	7913A7BD0A18DA0A2C2BDC131047F206
SHA1:	2C8CDA2A7AC8645AD21B6DEC6F6AFC5AD0EA2F26
SHA-256:	74182DB09464287540E3FC386AA8ED79789CE8CA7AF7F58D3CA85E2A9B7BB367
SHA-512:	F42B3A1B5105FFB5911A9BF09034878BC298CB7FA0582F054D30EE12A95CBDB20D4BDE28E0CF4D56001CB5E27303FCAD127EC179610A9227CE23FB3FC3678481
Malicious:	false
Preview:	BM\.......6...(...................&...................}cM}cM}cM........}cM....sW...}cM.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_caption.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 22 x 24, image size 90, resolution 2834 x 2834 px/m, cbSize 144, bits offset 54
Category:	dropped
Size (bytes):	144
Entropy (8bit):	4.256662675023374
Encrypted:	false
SSDEEP:	3:3l7lsl9/lsl36il09qnjk5T63t7stF0KSI0u+H/l:3lhslfst6TSk5TG7styPI0jN
MD5:	DD6EFE0F95B870FF07C63DEAF4F40D2A
SHA1:	70E9BE70F7A6539CF49D03CC189294760356B10F
SHA-256:	3F9FAA4EF669EA209EE20D9C6770493B7C5B0140474CF189ABDB7B9B718F3C49
SHA-512:	1B49C4292EBAEB9993949CE486EBE7944B47385972EC3658699CEA01CA72621065579F702ED50C38855F1A959B2199439B4E367942EE9B106B16097F2381C63C
Malicious:	false
Preview:	BM........6...(...................Z...................qU*.Q/..R0..S1..U3..W5..Z7..\9.._<..b>..eA..iD..lG..oJ..rM..uP..xR..{U..~X...Z ..\!..^"...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_caption_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 22 x 24, image size 90, resolution 2834 x 2834 px/m, cbSize 144, bits offset 54
Category:	dropped
Size (bytes):	144
Entropy (8bit):	4.184686786296982
Encrypted:	false
SSDEEP:	3:3l7lsl9/lsl36WdJlko/gMqtvq5lfC19y3PyWA8bj8t:3lhslfst6WdrkogMCvAl6C3aWA8bjU
MD5:	B5BD71D18313EDC23EFA282CB59CAAC0
SHA1:	DED9D6AB0D0DD8821DC6D4A520281FBD486843EB
SHA-256:	029B3826BC9A4D65BCD08F54C97DD51CA6C3B3341AE2607E70E416316A2B903B
SHA-512:	990016E37DA361A0F5E8838C2F3173540F6FFE4AFB64F4702B232C96E05FB903A8931CD6817C4A3F5C46FC9561A0DEB930C524A27BE15DC4DAFF0294287F25C6
Malicious:	false
Preview:	BM........6...(...................Z....................._.}cM.}dM.~eM..fM..hN..iO..kP..mP..nQ..qQ..sS..uS..wT..zU..\|V..}V...V...W...X...Y...Y...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_left.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.364912998090995
Encrypted:	false
SSDEEP:	3:86llflFlblO36Nrj:86ltta65j
MD5:	DD96B8976A7CA121A7B63198DE6D7142
SHA1:	FF4ABD8F6B5CAE0E2A135376F7A204099F70F837
SHA-256:	631C7206C4CCBCC41D50A646781127E556F65CB00008EED8D1CBD09CFCD365F7
SHA-512:	D3A1DF67F73462BA75E42EA1B66BE608D83BD96D54044595A44BD5D0131C1B3060B05FBF17EBB8AF6D4763925821D02B90C025C2B6A90D7580597451CF34143F
Malicious:	false
Preview:	BMD.......6...(.......................................Q/...lqU*.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.335501233385113
Encrypted:	false
SSDEEP:	3:86llflFlblO36t9mKl/n:86ltta6rmKtn
MD5:	EF0066376B6F27AE87BDDF2666BAD45C
SHA1:	DABA53BB5DDE5DF2CDC0D982002BE25D99228A98
SHA-256:	F2CCE8AA22AE5ADA4BEE7385B787BD2B14D6FE962C73A3215895B785C61424C6
SHA-512:	E4085FA64C4CED3F0183E9DCCA164C51A83767ED0C1EEAE87A1040DB97B218C0C56D0FE5360CBDFA4AD0D9B2155FC7B426B79C1F026D95E4A2DE1A1AB52D955C
Malicious:	false
Preview:	BMD.......6...(.......................................}cM...._.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_right.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.364912998090995
Encrypted:	false
SSDEEP:	3:86llflFlblO36HH4l//n:86ltta6on
MD5:	E0E74C3374114CDC2A99474B6C1A30C4
SHA1:	A6FFF93C6D4DF5504CBA89C578070DF922DF7BF6
SHA-256:	7C34088803027EDCCEE36FEC7550A15FFE589D2E9E2B1EC1ABC208050A28AA6B
SHA-512:	026547D9603508376402A5FCA91BA12107B7B684252EE2D9A54308E390ADD1A4255D0898826D9A8D3EDBB2357B631A6B028B78A3BC0E809C6A661D3EC429C62A
Malicious:	false
Preview:	BMD.......6...(.......................................hL$..^Q/......

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.335501233385113
Encrypted:	false
SSDEEP:	3:86llflFlblO36OCltl:86ltta6FXl
MD5:	271BF647DD804D1FE8B5D320342FE2C0
SHA1:	8A00DAC4DCFF969F58A4290E24CB3566D0B3B9CC
SHA-256:	9F11D08285846B2BAFDD1045C2F6A2EBA7264A0336CC1DB008CF92C413C42CBD
SHA-512:	D99511610CCBC9C4695B0AFA6A844450B113CF5E62A3CCAFB02131FB306C645177FF5AA8FDA997A4E6DDE7310A0B9889691A1962AF4F1964271DF69BA6DBFA57
Malicious:	false
Preview:	BMD.......6...(........................................y[...}cM.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_left.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 6 x 25 x 24, image size 502, resolution 2834 x 2834 px/m, cbSize 556, bits offset 54
Category:	dropped
Size (bytes):	556
Entropy (8bit):	5.710192621799831
Encrypted:	false
SSDEEP:	12:al0O3QVOI65WTDDhdv468NbgqtTUOw+8ZFHDj8xMJxGF8oTCAPjmf:aSO3AOI66RdQ68NXlZeBDj8xMJxSFT/a
MD5:	CFCBD67A3D6D3248701970170D1FA1C8
SHA1:	DA2EBC51DBDA964205E99BE853867F00AC07B9EC
SHA-256:	4FFE903A9B1836AEA4FE5AFFCD745638A83101063C1FE7889EF59E6550488D9F
SHA-512:	B1351BFA6BC17FBB06E2C186DF1272D68BEAE4C9C099BDDB5DCB830249A1DAE9766D28281A847E748B09BD6F019892090CE43264FCA047BFF4D04A03665D0784
Malicious:	false
Preview:	BM,.......6...(.......................................Q/...ldE qUqUqU*..Q/...lQ/.Q/.Q/.Q/...Q/...lR0.R0.R0.R0...Q/...lS1.S1.S1.S1...Q/...lU3.U3.U3.U3...Q/...mW5.W5.W5.W5...Q/...mZ7.Z7.Z7.Z7...Q/...n\9.\9.\9.\9...Q/...o_<._<._<._<...Q/...ob>.b>.b>.b>...Q/...oeA.eA.eA.eA...Q/...piD.iD.iD.iD...Q/...qlG.lG.lG.lG...Q/...roJ.oJ.oJ.oJ...Q/...rrM.rM.rM.rM...Q/..suP.uP.uP.uP...Q/..txR.xR.xR.xR...Q/..t{U.{U.{U.{U...Q/..r.^%~X.~X.~X...Q/...c.y?.Z .Z .Z .....Q/..u.\!.\!.\!.....Q/...j..i.^".^"........Q/...j.v..E...........Q/.Q/...c.................Q/.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 6 x 25 x 24, image size 502, resolution 2834 x 2834 px/m, cbSize 556, bits offset 54
Category:	dropped
Size (bytes):	556
Entropy (8bit):	5.4968566129106025
Encrypted:	false
SSDEEP:	12:al0rIHGJXadOqOtvo17OLwYUEk0VMxbLn:aSRJ1I7AwuPVMdLn
MD5:	B32F42B327343ED4630E011B022D60D0
SHA1:	1AE1418CF2267A45E3CCD0C59A453E5BD328DE9F
SHA-256:	5238C30B4C8132E5F5F41454D6032F1BD029AAB62807A922AB52787D8410FF18
SHA-512:	D7A47C1CBEB9318705F51297BBEC3C80469405F6DF0B4A6BEA563ABA8D28A37191536775DE4AE805E5AC590DCF105E3EE0AA94CB6CFE591F95036903689C6F54
Malicious:	false
Preview:	BM,.......6...(.......................................}cM...tX.._.._.._..}cM..}cM}cM}cM}cM..}cM..}dM}dM}dM}dM..}cM..~eM~eM~eM~eM..}cM...fM.fM.fM.fM..}cM...hN.hN.hN.hN..}cM...iO.iO.iO.iO..}cM...kP.kP.kP.kP..}cM...mP.mP.mP.mP..}cM...nQ.nQ.nQ.nQ..}cM...qQ.qQ.qQ.qQ..}cM...sS.sS.sS.sS..}cM...uS.uS.uS.uS..}cM...wT.wT.wT.wT..}cM...zU.zU.zU.zU..}cM...\|V.\|V.\|V.\|V..}cM...}V.}V.}V.}V..}cM....V..V..V..V..}cM....\..W..W..W..}cM....o..X..X..X.....}cM....Y..Y..Y.....}cM......Y..Y........}cM......t...........}cM}cM...................}cM....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_mid.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.364912998090995
Encrypted:	false
SSDEEP:	3:84lul0lblO36rB1VSan:84luKa6V1Vh
MD5:	778DAD585810E49156F930151F30B116
SHA1:	4428375ED58007543F922747E50FF6AA727985AD
SHA-256:	355A9E20E9C47686CDD9D58E476CE213141E8C0B8E7C8F31C9A9D635699DB43B
SHA-512:	87729CAA51899F6048C3DD5536FF64CB12FDAADC6D306C64419FCBE1204BB19E667272DC1E796632B4E1168A5A941C5D216C345CCBC922BC1C4E6AA7421953D6
Malicious:	false
Preview:	BMD.......6...(........................................a$..w.Q/....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_mid_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 14, resolution 2834 x 2834 px/m, cbSize 68, bits offset 54
Category:	dropped
Size (bytes):	68
Entropy (8bit):	2.335501233385113
Encrypted:	false
SSDEEP:	3:84lul0lblO36p5er4:84luKa6+U
MD5:	0281D46EB0A0FE2BF5416CB4499D5013
SHA1:	F1A8A29C76E6A41D86F4C2C7F2CBAE2B827A4D96
SHA-256:	89B9CD0099B28CD491BDF24DE0362ACFE1563F62F43BBAAFA769578B5D83710C
SHA-512:	026DEE6ADB2673074D7128454FFF8F8A111667FBB00CBB43F7F6319DEBEC538FB8D08FDB068CA342E486849290B33E85C6A4B44C427E9C5B97DA92EBA851B57C
Malicious:	false
Preview:	BMD.......6...(.........................................[....}cM...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_right.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 6 x 25 x 24, image size 502, resolution 2834 x 2834 px/m, cbSize 556, bits offset 54
Category:	dropped
Size (bytes):	556
Entropy (8bit):	5.736028103772132
Encrypted:	false
SSDEEP:	12:al0JBa6uXEDmzrQ6TQggdygvMpdQDgOxvGXfXl686jft:aS66OnzU6TQrygv3DgOxvil6Tjft
MD5:	689FD0A5441259E8C46EF0F7251EA1D4
SHA1:	4C1307264B0220509974DA4EC66669A3AB1FCA2E
SHA-256:	AFB65D4680B9DB446E081F21F90B92DE8E2044EE802D819ACFDE9CD9E109F9B2
SHA-512:	E0F1495F1352B1D7FEAD7263222D627A61662EE90D0F67BAC62C0CE9ECB5F03FDB0029E33DBC307EC67AAF32FF3CCEE0113AEFA70DE22FA6060E5EE51FA5297D
Malicious:	false
Preview:	BM,.......6...(.......................................qUqUqU*dE ..lQ/...Q/.Q/.Q/.Q/...lQ/...R0.R0.R0.R0...lQ/...S1.S1.S1.S1...lQ/...U3.U3.U3.U3...lQ/...W5.W5.W5.W5...mQ/...Z7.Z7.Z7.Z7...mQ/...\9.\9.\9.\9...nQ/..._<._<._<._<...oQ/...b>.b>.b>.b>...oQ/...eA.eA.eA.eA...oQ/...iD.iD.iD.iD...pQ/...lG.lG.lG.lG...qQ/...oJ.oJ.oJ.oJ...rQ/...rM.rM.rM.rM...rQ/...uP.uP.uP.uP..sQ/...xR.xR.xR.xR..tQ/...{U.{U.{U.{U..tQ/...~X.~X.~X..^%.rQ/....Z .Z .Z .y?..cQ/....\!.\!.\!.uQ/.......^".^"..i..hQ/........I.v..jQ/...........`Q/.Q/............Q/....................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_top_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 6 x 25 x 24, image size 502, resolution 2834 x 2834 px/m, cbSize 556, bits offset 54
Category:	dropped
Size (bytes):	556
Entropy (8bit):	5.515097097533042
Encrypted:	false
SSDEEP:	12:al0WbLCTmCnH/JAXVSxOqOmxhxcGZV2czkb+lC5dVh5bylfgYd:aSSLSm7lSI1mxYGWCkb+lwpbqo8
MD5:	E82896D2FE67D867537A3924891A85C3
SHA1:	F2865A797B7EE556D0674522B6240D86A2D5B1C3
SHA-256:	0998821F255A1EF8D84F69741B67EFFB12E3C126679EAAFEC2190D903538120A
SHA-512:	82C4B39606D8017A6A010DD5E2A81A7EA87B96C9A7F3328BE02BD2D19530516192D694A45D09D3F9FFBCB927EA86315BE954CE667E1DBDC648EC0928AC27CB3F
Malicious:	false
Preview:	BM,.......6...(........................................._.._.._.tX..}cM..}cM}cM}cM}cM..}cM..}dM}dM}dM}dM..}cM..~eM~eM~eM~eM..}cM...fM.fM.fM.fM..}cM...hN.hN.hN.hN..}cM...iO.iO.iO.iO..}cM...kP.kP.kP.kP..}cM...mP.mP.mP.mP..}cM...nQ.nQ.nQ.nQ..}cM...qQ.qQ.qQ.qQ..}cM...sS.sS.sS.sS..}cM...uS.uS.uS.uS..}cM...wT.wT.wT.wT..}cM...zU.zU.zU.zU..}cM...\|V.\|V.\|V.\|V..}cM...}V.}V.}V.}V..}cM....V..V..V..V..}cM....W..W..W..\..}cM....X..X..X..o..}cM....Y..Y..Y..}cM.......Y..Y....}cM.......w....}cM..........}cM}cM...........}cM...................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\info

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.347251063198798
Encrypted:	false
SSDEEP:	192:+h7OMtMrJbDG0UDLHMrhmZ1galQpAAAAAAAAAAAS55qjOlr9n:+6g0uyi1ZQpAAAAAAAAAAASXqjOp9n
MD5:	8595D2A2D58310B448729E28649443D6
SHA1:	08C1DF6FBF692F21157B2276EB1988AC732FF93C
SHA-256:	27F13C4829994B214BB1A26EEF474DA67C521FD429536CB8421BA2F7C3E02B5F
SHA-512:	AE409B8F210067AC194875E8EBF6A04797DF64FA92874646957B2213FB4A4F7DA2427EF1ED8D35CD2832B2A065E050298BAC0FC99C2A81DE4A569A417C2A1037
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%.....................................................................................................................{...............................................................................................................................................................................................rqr............................................................................................................................................................................................rqr............................................................................................................................................................................................tst............................................................................................................................................................................}................yxy...................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\infoex.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	5.511908704029649
Encrypted:	false
SSDEEP:	192:0DT6aNn0CgAevbxezcSptuGH0BJ1cBYehJjbQypQ6X8rdb:/aNn0DAoN4c8HH031/QQ6XWZ
MD5:	FD535E63F539EACB3F11D03B52B39A80
SHA1:	A7F8C942E5672F2972C82210A38CC8861435F643
SHA-256:	0086BC01150989F553A0A4AE0E14926C6E247CEDDA312E1F946AE35D575742AB
SHA-512:	716EAB95B5535D54359D12C9786F5A53F9560126D2C48EB1A94DB5BD383363B43EA686AC421080564B54450DA35AF9CE3E11CECD485AAF27C0CEAEE7836F4518
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`....................................B...C...D...F!..H#..I#..J%..L&..N)..Q+..S-..U/..V5..W1..Y3..Y4..[5..\7..]7..]9.._:.._<..c?..`9..c=..d>..d=..`@..eC..fB..gD..hA..iF..kF..lG..kN..kI..lJ..oK..nL..jC..lE..oG..qO..pH..rN..rM..tO..uO..sK..uM..wO..pT..sP..vW..w]..tQ..wT..yV..xQ..zQ..{U..zT..\|T..{Y..}Z..~Z..~X...\..}U..}d..[..^..^.._..W..Y..Y..[..]..\..]..]..].._..f..l..`..q..w..u..t..x..}..{...b..`..b..b..e..g..`..d..e..k..i..n..i..m..q..u..x.....z........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\installing.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 18x115, components 3
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	7.293819663696126
Encrypted:	false
SSDEEP:	12:VaUCEaslM0CLAdNN53rFccz2nn4mCfg3EZ+e+D6UJ+GQioq6sp76FSyuDKm1T2tY:02sfLAdf7cpy+e+uJVioT0R1T9ki
MD5:	6B2DA1D66119B720209B9C11E7827591
SHA1:	4A86D1FCBCB12728D3F11F5205A378B634B15327
SHA-256:	FCE0919D3F6D7FC628F51D14E84C3F723FEBDF42B86E814727E6485223024626
SHA-512:	0537BC3FF34C86E798DCBD40AE9F7785DA03BEFA1ED0AD85E756F6AE66707409DE5EB8E74BE65EDAC23A4F28E767244B02C9A3F349F84A245A3061340943185F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......:......Adobe.d................................................................ ................ ......s......................................................................................!1...Qa.Aq."R.3S..2Bb5.....4T.r#c......................!A.1...QaB...............?..:.........A.};)Hj......{..g,R.J....0&...3_...U./....._5..-.$.......L..5.B......:.L......q.S...... ..Dd.\3..SL..7l..'P..,KU.X..M..%';#..v.r..TR<.z...u..-.iRH"...-.d..@0...7J../n.....%?n...Ap..<........u...Ya.xqH.K..i...7..q......6....t.....\b.t.6..t..Z.B.2..i&kRRJ{.V...O.\..4...r}....p.a.Y.o8....I.%...U.X..L.`RRs..`...i.EM+..l....!i;R.. .2....~.y}..p.D...v....[.D..AC..e.f.....f.,._t...E........-..JR-.}\|CEiZ.......z.ty]...9P&...]]+.H.t....r....k.6...}bR......s...U.w..?..Q...=Y...v...h.Y...B.....U.,...zV.."4....Gj....S9N..w.u%.gQP..3B...P.fR.C..[..(..x..W=.._X...s.?._.../v?mZ@.......e`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\lzmaextractor.dll

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16288
Entropy (8bit):	6.527689146911716
Encrypted:	false
SSDEEP:	192:ggJ+fwJ2c7PpL2am7qFnM/CK5a32h+noPOJB3hy2sE9jBF0NyA4lh1v:lOw0cDpLrmee/PE3JPxh8E9VF0NyAwh
MD5:	4E543BA36FEA29BFC0857CFF31793857
SHA1:	7FFB5CBEED54B3AFCC5DA8F467057DB8FCC31A2D
SHA-256:	FD3631EA3FA7D061CF8EDF107AF19B2290B8AB0CB8C39FEF78994235205B8DFB
SHA-512:	915837EC3AA30B6E2CAA33184E0CA19AC8561C2A8495FCFB462FA7525F48EB217AE604623BEF4C8888DDB7AB431A5B21E2E60AEE4F6DD9D61A587D6B343EA6B4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Xu9H9.jH9.jH9.j.K.kG9.jH9.jx9.j.E.kM9.j.E.kI9.j.E.jI9.jH9.jI9.j.E.kI9.jRichH9.j................PE..L.....c.........."!..."............@........ ...............................`............@.........................P".......$.......@..h................#...P..\....!..p............................................ ..X............................text...)........................... ..`.rdata..X.... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..\....P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\minbackground.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 700x100, components 3
Category:	dropped
Size (bytes):	11164
Entropy (8bit):	7.891470327146528
Encrypted:	false
SSDEEP:	192:eGvRpTCWR3Xa3fSONQrC/AXnZFkvhYLTQhnEakmBgN4BjsHvAxgUzj3zzY7OM8MN:ec5P3KqONWDnboYyEyz44Cw3zk7yE
MD5:	FBD9DC761E537B08D76E15998334BB24
SHA1:	7138054A6543846D91087D0D758F69A0C50A3604
SHA-256:	26159C3A44B9519FD313DD0D4A18E08241C208530E7773915A9B6B7C220EDF8C
SHA-512:	3E030AA9601517963543DA68534C7B3DD6D867346A4479CFDAC0C228C1FD76E071037762F6F30769358BC2A4430E0CBF556C0E94E63B30109A9BAFF15CA41969
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......P......Adobe.d.................................................................................................................................................d...................................................................................!1Qq..Aa...."2R.Bbr.#...3CS.....c...s..$4DT.u.6.5.dEUe..............................?..D..P.........?...A...@p........4....vt../...q.....j...@p..-......P....lt..@......c.@Y.Z`...(.P..........t..1.I.:(...u..}.z..dl2.5.....4j...\.N..{i..C....p.i.n9.....o...T..9.K].Q..].....v.6~..&.....o. .^l..0i..n.$.x..:r.uG.C.l..O?...)..M........+.....ZP.mr 4.".<%.,.w...I.u..o......{1....n...^.G.....( .^..=..o..n&..p...2x.'...d.n.....H@X...n...m..=.6.8...1vg.q6!.A..#..Sr..F.KZ..x.P.....h\|.$....Pf.T.....G....a:.nx.A.......nq....D.J.8.9.K#. +..Af.-.c...E.lR66.w..~r...0.6c.../.ccA..n-T.ck.#1.o.Pt.Y#X....v..H4...QAi...9c...~...=v...e!V%.....*@..T...}...,A...#6....\|n."\...\|........N.K.^....)8=...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\preparing.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 18x115, components 3
Category:	dropped
Size (bytes):	954
Entropy (8bit):	7.069304110172994
Encrypted:	false
SSDEEP:	24:02sVlRk2l8ffW2V+XsZlJEofzAZV5J3w5+Ad:DEHk2l8fpxPxfq5dsd
MD5:	710D6B771C55E4CFAFFC297FE742FA6F
SHA1:	C6AAC5291ABDE440771D537E75E8D446A459D1DA
SHA-256:	A2D78BB2758C2B86C4D06A874683BF4FEE1BA14E8942D161A550280925F1AB2C
SHA-512:	5E56B946B28F31543FFA20B139C32ECA06F9E4010CC51466A35087E7F3617FF91E1103A4C833D586E110BA1279CC5D26AC3BFDB8444FD1F3A423F4B4E77538E7
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......:......Adobe.d................................................................ ................ ......s.....................................................................................!1..AQa...."BR...qb3S.4...2.#CDT5E.......................!1..Aa.."B..............?...!y.@._.y..y...vR..3#.es.., .X.z.)%"..@&....k..._.......z..:..1.>qp.'.U2..q.B......:.L......q.S........>.8#&>Yyg.M36....:D.B\L.-W-b....I.....[..H.).U=Cfm....]4.$..y.".u@.-...#9Hl.../.l..Z......#.......l...-+..5=<..@3qNJ.t..P..j...F..%6.l.b.).5...+.....<.,h..z...%.%f..s.E.g..\|4L......\|.w..3......_.\|...\|o.C(U&..RAS.t.y...2Ov.. .3.i.y.\..h...).R..a...V&.q.)kIAmAhJR..IP..0T..fw.x.}.d._.........b+.>.b.o.S..D..B....8..M=V....}.Q..".j..VJ.[d.o._v=...N..&...Q.......W..Y..=Gt.[.T..A...h....D.b..8..'\..u..du.`..&..@...,'D.....X.Kh....T..b..y.}...[L.Vz.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\removeex.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	3.6966182287679445
Encrypted:	false
SSDEEP:	192:0lO79rufRhoOF1E7wTEEEEEEEEhcEEy1d/gfbDsWSOK2NXBK0t+DMM4C+ik:379tOkwTEEEEEEEEhcEEMijxB+DMMfxk
MD5:	178E5DDDEDB4A98E397F9C3623B5F549
SHA1:	AD3AED8061B86B5A9BDAFA0F839AEF6C501AA6A3
SHA-256:	7ACFDCF1EA72E70B1C9B23001A47932871E847C92341215FAEC63929A60F6C38
SHA-512:	C02669E323A8C0E96BE350E78DDB7DD3BCE8C0230F5DC37028781CEF50F47C2F503645D541BD66390FC2FE49F33AF74FD7869BFE0BD3AE7445324E33D08B4688
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`....................................Q...T...R...T...V...X...]...Y...\...^...a...c...c...f...a...e...g...h...m...j...h...n...i...o...l...t...q...t...y...~...~...n...o...}...~...q...r...t...v...x.......y...}...}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\repairex.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.68511076166258
Encrypted:	false
SSDEEP:	384:U57bk8EKFSm4bV1qz3Q0qHouU2y6iwNf3od:U5XWS3QrHBJW
MD5:	095990895C9D0AE47E084019CFED9036
SHA1:	A7A73A115DB999A4B96D2AC42F44B03AB60F5DA1
SHA-256:	5E22ED253E2F2ACD1132FF43A2C5C52143FE1E7891EE5177F0F6C24C9BC0B79B
SHA-512:	FD1E952AF8D85D9EAFA1AA93376AAB4BC80D871E57EDDDD555AD577E656A07AC8D06AE756C80FCFFB0DF578437E7D0B05BEDD6DE232C319A920A9B47E74E50D1
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`................................................................................................................................................................w...w....p........w.....wP..ww..w...p....x.....X...............wx......]...x...................M...x.......................x.......................x.....................w.x.....................w.x.....................w.x.....................w.x.....................x.x.....................x.x.....................x.w.........o.....p.....x.w.........o.....p.....x.w.....................x.w.....................x.w.....................x...w.................x.x...w.................x.x...w.................x.w...w......p..........x.....w.......w.........x.....w......ww`h.............w......wwp........x...x..p....wwwwp.....w........p...wwwwwwp.........w...p...wwwwwwww.gp.......pww....wwwwwwwww.xw.....w......wwwwwwxwwp...wpx...p....wwwwwwx.ww.....w..xp....wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\rtlobackground.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 700x29, components 3
Category:	dropped
Size (bytes):	1810
Entropy (8bit):	7.211058657855335
Encrypted:	false
SSDEEP:	24:lr9aWXrRteB8fXajbJV8UkEA53R2auOmEw1Ovu5ZFlnCFN8gNjaOqGcSj2/Edgk:lrVNtlfXaJWUyNR2aJmHPnEDaS2/Edgk
MD5:	DC2BFA6DBB6B28B0ADA0BFE062058564
SHA1:	09CED9AFCA39710C780CD1261581A7A48AFD1D78
SHA-256:	B5960DFACD6E2E32A368070F3B62EB3BD2EC3B09B69B49D77D3CE0CF9774A79E
SHA-512:	38305EDEFC629C0A019BE48223934C4A5D95B85A984974BEDD96F6489D9FD28D76C2D803ABCA9DE7768425F17BBE74CEA20EFE17748CC82F545F6234E11424F8
Malicious:	false
Preview:	......Exif..II.................Ducky.......A......Adobe.d.................................................................................................................................................................l.....................................................................!a..Aq"1Q..2..B.................................?..{D.......t.P.D.P.=.P..P....@.....-.Z.......-.h.@.....(..-.h.T.....j............................@Z.(...j..@Z.........(.....m.P.."t...z....[P..J..@P....-..........Z.r...w..]....F..L.uX....T.......s..rh.;_%...c~^.vJ..G.:..'.".#..8..W..m.P....e..m..g..I..{).+..GV....[.sZ.........v.lM.n.......'e+h...b=.TZ\.......ps21.s .\<;./!.s..%u..9..^..w.@a..g....G......Tm.H.kR.TD.......w.i12.+.....I.'r'..j:hh.]b*\|.V.......-..Q....P.....j...Z...j...Z.-@...P.....j...Z.-@...P........Z.,.`..X.......,.`..X..%....`....-.h.@X.......-.o..@#z.m...V..@+S..5.[.........9....?.`3.....U.!....g.d.I.f..8[...6.1..e.'e..-mU.8.q.C..8..z\|.30.b.E....;'"H...3.dH.b7....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_down.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 3778 x 3778 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	6.0481305060779285
Encrypted:	false
SSDEEP:	24:rYQXXXXXXXXXXXXXXXXXXXX6dffffqfffY0FT8WvIii6+bOJB8aWAa72Y:UQXXXXXXXXXXXXXXXXXXXX6RfffqfffG
MD5:	CAC3D7CC82721ED5D2845644FE5A508D
SHA1:	8A45865DE6F065C8D86D3A25A604F023F81BE270
SHA-256:	4488141F07DF133C8CF0FD47245B0B3FA00489C992D44C302DFDA1B59F69E45C
SHA-512:	7608A1344EA6031494B6D556E8FCB6B59D365130F928EF2454AF3586B7DCED573F31DC448F60A9EB9A2F00D9D323D85387DE647DDB78D42C144EAA3042FEBF66
Malicious:	false
Preview:	BM........6...(...........................................5..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..5........4............................................................................4.....:....f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f..f......:.....:....X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X..X.....:.....:....I..I..I..I..I..I..4...^..D..D..g.I...g..D..D..b.8..I..I..I..I..I..I.....:.....:....:..:..:..:..:..9...F..........Z...c.]............].:..:..:..:..:..:.....:.....:....,{.,{.,{.,{.,{.,{. k..K..........c............H."n.,{.,{.,{.,{.,{.,{....:.....:.....n..n..n..n..n..n..n..^..S.................O..`..n..n..n..n..n..n..n....:.....:.....c..c..c..c..c..c..c..c..U.Ew..........9n..V..c..c..c..c..c..c..c..c....:.....:....}..}..}..}..}..}..}..N...S.................O.W..}..}..}..}..}..}..}.....:.....:....z..z..z..z..z..z..X...K..........]............F.d..z..z..z..z..z..z.....:.....:....y..y..y..y..y..x

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_hot.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 3779 x 3779 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	5.925778588133379
Encrypted:	false
SSDEEP:	24:Rpw0m88JHHHHyknSHHHHZFZR+bOIYE888888888888888888883I/:Rm0m8OeR+KNE8888888888888888888x
MD5:	27576F2D743D311C4F8859FD3C324044
SHA1:	F6EEB8B2409B65858133F56509BBBB725F355920
SHA-256:	5152C26D8C4B398552D243A7D3D4DF250310CBFC5B0C6172620AAAEBEF56D21A
SHA-512:	B82C86380D50BF765657D94399C238228CF4B6582B7A21CB9D11FB616E4AA577135141C3882D7E6DDD99CEC584B0AE88EBE42B41847FEEEF73074FBC716D5EA4
Malicious:	false
Preview:	BM........6...(...........................................5..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..5........4.............................................................................4.....:.............................................................................:.....:....~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~......:.....:....i..i..i..i..i..i..K.. e..D..D.+q.i..+q..D..D.%j.P..i..i..i..i..i..i......:.....:....S..S..S..S..S..R...F..........Z..%n.]............f.S..S..S..S..S..S.....:.....:....>..>..>..>..>..>..,...K..........c............H./..>..>..>..>..>..>.....:.....:....+..+..+..+..+..+..+...o..S.................O..r.+..+..+..+..+..+..+.....:.....:.....~..~..~..~..~..~..~..~..d.Ew..........9n..f..~..~..~..~..~..~..~..~....:.....:.........................O...S.................O.X...........................:.....:....{..{..{..{..{..{..X...K..........]............F.e..{..{..{..{..{..{.....:.....:....y..y..y..y..y..x

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 2834 x 2834 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	1.863656253160122
Encrypted:	false
SSDEEP:	12:mtex6PPPPVoKK5mKKNVlK2zKqdlKlKQ1lCy9lKoBcJJZcs1hc85hc05PPP4:zuoKKQKKX0NI00gc40Ui3H37rb+
MD5:	A13B497EC2A4508AEC25100D68C98C19
SHA1:	8CC7FF0744CCDA78B64157A20BFA380126D6F316
SHA-256:	6B76F7D524AF67CFBE4019AFB3C5C7801E3744CBEEB08D616FAF19CB771FA84B
SHA-512:	C52116B238D4CDFCE1FD27C1D3F1FB151C718DA949C038866A8AEE01D70C7D93A0DB88A03F2BCE97B89A03EE47494B6B57FF48150CBFABB0F065E3C725E1105F
Malicious:	false
Preview:	BM........6...(...............................................................................................................................................................................................................................................................................................................................................................................................................@k.@k.@k.@k.@k....@k.@k.@k.@k.@k....................................................@k..........@k....@k..........@k.......................................................@k..........@k..........@k.............................................................@k................@k...................................................................@k..........@k...................................................................Ay................Ay.............................................................Ay..........Ay..........Ay.....................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_close_normal.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 2834 x 2834 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	1.7792085699155513
Encrypted:	false
SSDEEP:	12:mtex6PPPP95AqnqU5oqBqU1gqeeUJIqUlwIq6fI4CCIilg7iPPP4:zjqnqRqBqJqeeBqxIPfIHCIn9
MD5:	C9C8ADC3286BD27B74FD560112CE1B4E
SHA1:	FBCCE927AAA09435F677AAC7736EF30C09C36224
SHA-256:	31794FD41DFA1B2BF79B07800FB1D87CDEECFE212749783D182719A1D0699F98
SHA-512:	525C31CB68B9A53E8BAB25ADA1345FFA8C87DA9993F5E3FED41F93300B46FE6939AE23654FABF89DE9782BBED6ADCFF14A1B19C857BA7EAB038C548E4F10B0CC
Malicious:	false
Preview:	BM........6...(................................................................................................................................................................................................................................................................................................................................................................................................................:..:..:..:..:.....:..:..:..:..:.....................................................:...........:.....:...........:........................................................:...........:...........:..............................................................:.................:....................................................................:...........:....................................................................L.................L..............................................................L...........L...........L.....................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_down.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 2834 x 2834 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	5.305080600049874
Encrypted:	false
SSDEEP:	24:zNwNP3d566666666666666666666y66666666666666666666+HleeeeeeeeeeeP:z2PT66666666666666666666y666666L
MD5:	00737114DCCFD3509699FD666B98DE09
SHA1:	DDEB748525297C46BF077FE186591B81A16589A9
SHA-256:	8C5F7523F068955C62132CA0BD570C6291E8AA00F8C0D23DF0F7575D42DC2976
SHA-512:	C7E5CDD934F1EDD46CAB36644CADAC87E73F523868CD2E79AF9D31A371F83BCFB8B08F33F876CE49429762109B8C0471D02C019F8ABAF495AEE5B2563D82D76E
Malicious:	false
Preview:	BM........6...(..........................................G?6999999999999999999999999999999999999999999999999999999999999999999999G?6......I@6....................................................I@6...999....H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..999...999....\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=.\|=...999...999...n2.n2.n2.n2.n2.n2I2.I2.I2.I2.I2.I2.I2.I2.I2.I2.I2..n2.n2.n2.n2.n2.n2..999...999..._'._'._'._'._'._'I2............................I2.._'._'._'._'._'._'..999...999...zQ.zQ.zQ.zQ.zQ.zQ.I2............................I2.zQ.zQ.zQ.zQ.zQ.zQ....999...999...nE.nE.nE.nE.nE.nE.I2............................I2.nE.nE.nE.nE.nE.nE....999...999...e:.e:.e:.e:.e:.e:.I2.I2.I2.I2.I2.I2.I2.I2.I2.I2.I2.e:.e:.e:.e:.e:.e:....999...999....z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..z..999...999....x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..x..999...999....x..x..x..x..x.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_hot.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 2834 x 2834 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	5.529714413709945
Encrypted:	false
SSDEEP:	24:zOLvaD99999999AcSgCmwcGn999999999YyL:zgG999999995S9W499999999v
MD5:	798859B09E82A00F1431C0009E417C88
SHA1:	220E0F306C5310EAA23DF906CFD2052D51B4C85C
SHA-256:	3E005CBE52597457CA99FE73D31442B623F1E7E0F296562F015CB0E2E2C716D3
SHA-512:	3375FA9A57ECD4ACBA17148CEAF66374017175275526732AECD64FC58EA64EE2190E75D9319F3E0D0B9D241D0A5694C15D74E6B51FE3FE34CAA49AF40F7F04A5
Malicious:	false
Preview:	BM........6...(..........................................G?6999999999999999999999999999999999999999999999999999999999999999999999G?6......I@6....................................................I@6...999...a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a..999...999...U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U..999...999....H..H..H..H..H..H{T.{T.{T.{T.{T.{T.{T.{T.{T.{T.{T...H..H..H..H..H..H..999...999....;..;..;..;..;..;{T............................{T...;..;..;..;..;..;..999...999...w..w..w..w..w..w.{T............................{T..w..w..w..w..w..w...999...999...k#.k#.k#.k#.k#.k#{T............................{T..k#.k#.k#.k#.k#.k#..999...999...`..`..`..`..`..`.{T.{T.{T.{T.{T.{T.{T.{T.{T.{T.{T..`..`..`..`..`..`...999...999.........................................................................999...999....~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..~..999...999.....}..}..}..}..}.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 3779 x 3779 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	1.5831722555782826
Encrypted:	false
SSDEEP:	6:mlU0SjQPPPPvXXXXXXXXnvJZyJZyJujl1vXXXXXXXXnvPPPPPPP4n:mtYQPPPPXJZyJZyJujvXPPPPPPP4
MD5:	67AB3572C7D2F5B0A9408B81AA5279A9
SHA1:	E9463EA35B06D875E966C2CC1BC703AD8E23DA1D
SHA-256:	88DFC967A4900AF35D2BFF293995AAD87CEA2D80ED02E81275D50416821CCEB3
SHA-512:	5B25E1C48CD700406FDD5D2B791F875B9E6752B66A5EA8201DE34C994C45C96D356CF3741BAC6CF10D5166777472E6E5646C6970271C0A00ACA8B5E535D35109
Malicious:	false
Preview:	BM........6...(................................................................................................................................................................................................................................................................................................................................................................................................................s-.s-.s-.s-.s-.s-.s-.s-.s-.s-.s-....................................................s-............................s-....................................................s-............................s-....................................................s-............................s-....................................................s-.s-.s-.s-.s-.s-.s-.s-.s-.s-.s-.........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\sys_min_normal.bmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 27 x 17 x 24, image size 1430, resolution 3779 x 3779 px/m, cbSize 1484, bits offset 54
Category:	dropped
Size (bytes):	1484
Entropy (8bit):	1.571496801237379
Encrypted:	false
SSDEEP:	12:mtYQPPPPH999999995oiZiZiQYiH999999995oiPPPPPPP4:RW99999999e99999999m
MD5:	3AB3C93B93A517416043661EAAE01EA3
SHA1:	2C4967E6AF70250B219AF1EB4B1F4B726319E9FF
SHA-256:	FE40F551256C9C89838751D5E168627A5D8DEB71BB35D9E31DC4BB6306D52A31
SHA-512:	434CC87A54E150C4C4258C3D1163F007ADDCF316F27970E2D74CCC960A6E39FB6F27A1512A7799D65EA51EBC6A1B285852131BAC81BA6BC36BDB6D421C7F5464
Malicious:	false
Preview:	BM........6...(...............................................................................................................................................................................................................................................................................................................................................................................................................{T.{T.{T.{T.{T.{T.{T.{T.{T.{T.{T....................................................{T............................{T....................................................{T............................{T....................................................{T............................{T....................................................{T.{T.{T.{T.{T.{T.{T.{T.{T.{T.{T..........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\tabback

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 200 x 24, cbSize 854, bits offset 54
Category:	dropped
Size (bytes):	854
Entropy (8bit):	3.802531598764924
Encrypted:	false
SSDEEP:	24:kUGGGGGGGGjg/QUVdLbCKKKKKKWqqqqqqr:kGUVdnCKKKKKKWqqqqqqr
MD5:	4C3DDA35E23D44E273D82F7F4C38470A
SHA1:	B62BC59F3EED29D3509C7908DA72041BD9495178
SHA-256:	E728F79439E07DF1AFBCF03E8788FA0B8B08CF459DB31FC8568BC511BF799537
SHA-512:	AB27A59ECCDCAAB420B6E498F43FDFE857645E5DA8E88D3CFD0E12FE96B3BB8A5285515688C7EEC838BBE6C2A40EA7742A9763CF5438D740756905515D9B0CC5
Malicious:	false
Preview:	BMV.......6...(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\typicalex.ico

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	4.926016576393048
Encrypted:	false
SSDEEP:	192:entnoFoTahmFxRYq7mE25b6K0FHQHVd4oXb2zwNf3i4ij:enWuPFxt785T0FHQHgo2wNf3oj
MD5:	EB3F9054BB5F95ED6B10EC4E16A026BE
SHA1:	35760271A03029996BDA26D5D596CFCC465E3EA9
SHA-256:	E330FA8030AA0465B02880133ADDBA0A8C6011B511F6968B413BF45516F7275E
SHA-512:	B0A96DA5514A9B8E9FA182A294694299388A854245AEC01E835B1108D568F9F1158917D9792BC852568EC56C2ED5E54F9E630E02D1EC79A281E2B28A67167A51
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................................p........w.............w...p....x.....p...............wx....................................................................................................................................................................................................................................................................o.....p.................o.....p................................................................................................................................................................p........................w......................ww`h....................wwp.........p..........wwwwp..................wwwwwwp.....p...........wwwwwwww.gp..............wwwwwwwww...............wwwwwwxwwp..............wwwwwwx.ww..............wwwwwwx.wwp...........

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\white.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 493x312, components 3
Category:	dropped
Size (bytes):	1232
Entropy (8bit):	1.290282383283862
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolHmBkDt0+EtZtE//Wmst18n:3llxqQ8AfQRGSDt0RZty/Wmsw
MD5:	57D130DDF327FCC5DA636A6AB4D7C112
SHA1:	D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
SHA-256:	990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
SHA-512:	E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......8...."..........K.....................................................................................?..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\whitesmall.jpg

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 446x92, components 3
Category:	dropped
Size (bytes):	554
Entropy (8bit):	2.356721207995078
Encrypted:	false
SSDEEP:	3:nSullBbsRllAqp/y4FKKn5bbeWfa5QpUolG5PkDt0+EtZtE//WmstN8n:3llxqQ8AfQRG5cDt0RZty/WmsY
MD5:	4429F170056663EFD1486395E8EB0AF6
SHA1:	AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
SHA-256:	FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
SHA-512:	719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky..............Adobe.d.............).)A&&AB///BG?>>?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG..))4&4?((?G?5?GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG......\...."..........K.....................................................................................?................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI500E.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Danfe2372342.msi, Detection: malicious, Browse Filename: Danfe2372342.msi, Detection: malicious, Browse Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious, Browse Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI51A5.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI5233.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI52A1.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI5300.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI590C.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI59A9.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi4EE4.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3440640
Entropy (8bit):	6.332754172601424
Encrypted:	false
SSDEEP:	49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
MD5:	59A74284EACB95118CEDD7505F55E38F
SHA1:	ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
SHA-256:	7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
SHA-512:	E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi8DE1.tmp

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3440640
Entropy (8bit):	6.332754172601424
Encrypted:	false
SSDEEP:	49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
MD5:	59A74284EACB95118CEDD7505F55E38F
SHA1:	ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
SHA-256:	7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
SHA-512:	E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................

C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar.msi

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7CFE1D50-7AB2-42B5-ABF1-033649902C54}, Number of Words: 2, Subject: Game Radar, Author: Game Radar, Name of Creating Application: Game Radar, Template: ;1033, Comments: This installer database contains the logic and data required to install Game Radar., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2037760
Entropy (8bit):	6.504455955339565
Encrypted:	false
SSDEEP:	49152:MR3UVskzd8oa8r6I5WCmR+ezE37zIXX5U96RX5ue9t:bhUo6HE3Yt
MD5:	99FD8523203541552E4D114A1DEC0360
SHA1:	F26BE72F692FC2134071458F4586E40684E831AF
SHA-256:	E3F711F2D3511C744955A3FAF56E584F00773357511E23166B5C26A1AA55D949
SHA-512:	3A4209B5742BCAFBF439CCD61AF351F0DEB940FF5E788C605F393A24743BDADA29844C075B974A3E11EE40FA0A56C2BB246ED1F8D6B2DF8AECEBB20C9D8CCAA6
Malicious:	false
Preview:	......................>................... ...................................~.......}.......C...D...E...F...G...........................................................................................................................................................................................................................................................................................................................................................................................................................X...............&...>........................................................................................... ...!..."...#...$...%...1...3...(...)...*...+...,...-......./...0.......2...4...;...5...6...7...8...9...:...?...<...=...F...I...@...A...B...C...D...E.......G...H...V...J...K...L...M...N...O...P...Q...R...S...T...U.......W...Y...4...Z...[...\...]...^...z...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y.......

C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar1.cab

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	Microsoft Cabinet archive data, many, 6592269 bytes, 3 files, at 0x2c +A "wireguard.exe" +A "wireguard.h", ID 1234, number 1, 368 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	6592269
Entropy (8bit):	7.995801684622925
Encrypted:	true
SSDEEP:	196608:K4RCgso1dTC6fOC76B0Jf067YhDrXrbUWu:VP1dTCcObobSnTu
MD5:	C5E23AD97CE77A064481AD32DE95F976
SHA1:	D2449B457417620B137EC05D81C919363DB8D419
SHA-256:	F07CB9F7C5BDA4923730EA2AEFACE692D602B65BF113BF501311BDE85290D390
SHA-512:	BF37D58B895ADCAAB1FE3D22E160060B0178DEE28F2DECAA07194A490275FACB8E77C3F7D1CD863E029636E6285779B4D0342414CC3130AA8935A50A0EA79116
Malicious:	false
Preview:	MSCF......d.....,.......................p.....\|........U. .wireguard.exe.E1....\|....U.r .wireguard.h..l:.E%}...-V. .RadarGame.exe..w..<..CK.}y\|TE...$.......2..$\...&../.\TN.W......e.$..8: .^.........(....C9._9..0....@ .~s.......f._wWuuuuuUw.....!Z..../...........v............-_c..].H.....W.Zm3,Zj..2,_eH..7....,.._...#3]..l....<D_..Q}.......~4....>.2LG.B.....7G.....%d...!T?<...C.....FdG..a.w.t.t.b.t.....e.....\|.mi......FN..=6...$kL.....Fn2.K...\|......?.W.N\|.[.<s8.W..X.l.r^...}.6..:..].b5.S...7.}C.zS.Y..p....%4F.q..7eL.\..y......{.S?.}N...........0m.a.}..%.k..k.O}x.u..qs.N]=7=-7[Zs....Y;.u...{3fL.N....<v..3.=.l%..d....3w.i.....L..~....Gn.?g....f\............&..!..+.z...9.h`.\|cB.GyY+.....Pn...+9..WbM...+.[.TO.......%..ck.4"n..1..P....z1..-..=..er.$W..&.p....Z...b..~..j..\.\|...\|..(......1...f>+n~....0...Une-.Y...6..i...\|..........Kn.G..RB_..%.M&.m.\|V. >5....3...Z...B..y.....U>.bv~...#M..>.d..7....,...%.%.K.9.y..!.imi....1..{.#..;.h....

C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\radarinstaller.exe
File Type:	data
Category:	dropped
Size (bytes):	6592269
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	82DCC309CC98C02D28E5C62D70DB4CF1
SHA1:	9733E1070451C0232D79F26C3DA9214D0FA8F88E
SHA-256:	F1C5F9F11B5FEEA17A213AF73ECB01957EFA5E2E4C97FEAF5477E0DBA1300977
SHA-512:	DEA681C12F85B5BC2DB33A17E3960B562F436B8B81EC8F3AB8A2709687F72EA2C3B53BE5A899D8F12CFC2FBDED9322682A3643AC1BA47CD9809F853011E8C707
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6e9004.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7CFE1D50-7AB2-42B5-ABF1-033649902C54}, Number of Words: 2, Subject: Game Radar, Author: Game Radar, Name of Creating Application: Game Radar, Template: ;1033, Comments: This installer database contains the logic and data required to install Game Radar., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2037760
Entropy (8bit):	6.504455955339565
Encrypted:	false
SSDEEP:	49152:MR3UVskzd8oa8r6I5WCmR+ezE37zIXX5U96RX5ue9t:bhUo6HE3Yt
MD5:	99FD8523203541552E4D114A1DEC0360
SHA1:	F26BE72F692FC2134071458F4586E40684E831AF
SHA-256:	E3F711F2D3511C744955A3FAF56E584F00773357511E23166B5C26A1AA55D949
SHA-512:	3A4209B5742BCAFBF439CCD61AF351F0DEB940FF5E788C605F393A24743BDADA29844C075B974A3E11EE40FA0A56C2BB246ED1F8D6B2DF8AECEBB20C9D8CCAA6
Malicious:	false
Preview:	......................>................... ...................................~.......}.......C...D...E...F...G...........................................................................................................................................................................................................................................................................................................................................................................................................................X...............&...>........................................................................................... ...!..."...#...$...%...1...3...(...)...*...+...,...-......./...0.......2...4...;...5...6...7...8...9...:...?...<...=...F...I...@...A...B...C...D...E.......G...H...V...J...K...L...M...N...O...P...Q...R...S...T...U.......W...Y...4...Z...[...\...]...^...z...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y.......

C:\Windows\Installer\6e9006.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7CFE1D50-7AB2-42B5-ABF1-033649902C54}, Number of Words: 2, Subject: Game Radar, Author: Game Radar, Name of Creating Application: Game Radar, Template: ;1033, Comments: This installer database contains the logic and data required to install Game Radar., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2037760
Entropy (8bit):	6.504455955339565
Encrypted:	false
SSDEEP:	49152:MR3UVskzd8oa8r6I5WCmR+ezE37zIXX5U96RX5ue9t:bhUo6HE3Yt
MD5:	99FD8523203541552E4D114A1DEC0360
SHA1:	F26BE72F692FC2134071458F4586E40684E831AF
SHA-256:	E3F711F2D3511C744955A3FAF56E584F00773357511E23166B5C26A1AA55D949
SHA-512:	3A4209B5742BCAFBF439CCD61AF351F0DEB940FF5E788C605F393A24743BDADA29844C075B974A3E11EE40FA0A56C2BB246ED1F8D6B2DF8AECEBB20C9D8CCAA6
Malicious:	false
Preview:	......................>................... ...................................~.......}.......C...D...E...F...G...........................................................................................................................................................................................................................................................................................................................................................................................................................X...............&...>........................................................................................... ...!..."...#...$...%...1...3...(...)...*...+...,...-......./...0.......2...4...;...5...6...7...8...9...:...?...<...=...F...I...@...A...B...C...D...E.......G...H...V...J...K...L...M...N...O...P...Q...R...S...T...U.......W...Y...4...Z...[...\...]...^...z...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y.......

C:\Windows\Installer\MSI934F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI944A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.450187144191945
Encrypted:	false
SSDEEP:	6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
MD5:	DB7612F0FD6408D664185CFC81BEF0CB
SHA1:	19A6334EC00365B4F4E57D387ED885B32AA7C9AA
SHA-256:	E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
SHA-512:	25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI94E8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	722336
Entropy (8bit):	6.433567465029135
Encrypted:	false
SSDEEP:	12288:xZCGkZjiIiS4fZrmrRahiyN+bqpoMU0Z/4CwwEjD4JyVzIXyJe55EL96RgO5uh:xBkZVI+ep5U2fvEjD4wzIXX5EL96RX5u
MD5:	F7B1DDC86CD51E3391AA8BF4BE48D994
SHA1:	A0C0A4A77991D7F8DF722ACDD782310A6DA2A904
SHA-256:	AC2DF3283D65AB78CA399232FA090764636E0FEC7AB53BE28F6EE93733D8787F
SHA-512:	F853C3CF9EC175E946DD42F7F35D130F4FB941F64BBF5780CE452FE6E87459217B80872DB375AD1BBAFC47AD263408E4222D81F62C7DF92C77E23E77E67E6FA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......m..D)...)...).......$...........f...8...f...1.......0...f...t.......(.......>...)...F.......a.......(.....*.(...).B.(.......(...Rich)...........................PE..L.....c.........."!..."..................................................... ......q.....@.........................@M......\N..........h................#.......o..8@..p....................@..........@....................K..@....................text...\|........................... ..`.rdata..Bb.......d..................@..@.data....'...p.......V..............@....rsrc...h............l..............@..@.reloc...o.......p...r..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9900.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	344314
Entropy (8bit):	6.8590735328410375
Encrypted:	false
SSDEEP:	6144:jcQhWfV3pyMtjQ3LMS8zXh5BxLeH+Lvh/nhmAOxesSd7nkhoaN:jNWVntjQ7wXjreamXe7d7nkhoaN
MD5:	3317AE9BB97A2A00436FFE43B9E48DC7
SHA1:	BD3318961592E95C3B165A3609A672407DB6CDFE
SHA-256:	DE118EA656760B46F717A46E23BB55895BFD0CCF690CEB3CC5E946F4E050924C
SHA-512:	E70B9E6A5F73F3F5FB9F8B1056EDDFB4E8D874ABDFBE317D34F2AA7FC795D54412C205308650B89981D5DC6813F5F675E6C1FC82B5CE3B7127345348B3425B2A
Malicious:	false
Preview:	...@IXOS.@.....@..2V.@.....@.....@.....@.....@.....@......&.{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}..Game Radar..Game_Radar.msi.@.....@.....@.....@......RadarGame_1.exe..&.{7CFE1D50-7AB2-42B5-ABF1-033649902C54}.....@.....@.....@.....@.......@.....@.....@.......@......Game Radar......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{E16BA958-06CF-4657-BF55-27D241F9A0F8}-.C:\Program Files (x86)\Game Radar\Game Radar\.@.......@.....@.....@......&.{5601E68C-DE96-4D78-B167-8BD26B89F86E}*.02:\Software\Game Radar\Game Radar\Version.@.......@.....@.....@......&.{06231126-92BF-4CB6-87E2-108CB8D83E29}D.C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe.@.......@.....@.....@......&.{9AF70465-4AB1-4435-BE3B-4A35DC5768FE}B.C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.h.@.......@.....@.....@......&.{9397EFD7-5633-4EA0-93BE-09B3E5B97482}f

C:\Windows\Installer\MSI996E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	298400
Entropy (8bit):	6.587657990073731
Encrypted:	false
SSDEEP:	6144:xQ3LMS8zXh5BxLeH+Lvh/nhmAOxesSd7nkhoaJ:xQ7wXjreamXe7d7nkhoaJ
MD5:	2BF4796C8D716FAC116C39BFF78B20E5
SHA1:	70D1B68F14D92213BB6DBC231A1122331E8E8813
SHA-256:	9D5C6A9038FAA187AA53F6C1602B6CF072924548DDA5D4E4429761D2A732274C
SHA-512:	2C970B3DF4E23AF9B8EBF2F24F7BDCE1E4299380075C42FC958BFA5423D36170CA86A0C50ADD075E4FA639DD1EAEF46DE1AC7477703DE439BE863C9211D36679
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|.../.../.../P....../P...$../....../....../....../P....../P....../P....../.../P../B....../B....../B.J/.../.."/.../B....../Rich.../........PE..L...Q.c.........."!...".....j......gN....... ............................................@..................................0.......`..x............j...#...p.....h...p...............................@............ ...............................text...o........................... ..`.rdata....... ......................@..@.data........@.....................@....rsrc...x....`.......8..............@..@.reloc...*...p...,...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9A2A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	298400
Entropy (8bit):	6.587657990073731
Encrypted:	false
SSDEEP:	6144:xQ3LMS8zXh5BxLeH+Lvh/nhmAOxesSd7nkhoaJ:xQ7wXjreamXe7d7nkhoaJ
MD5:	2BF4796C8D716FAC116C39BFF78B20E5
SHA1:	70D1B68F14D92213BB6DBC231A1122331E8E8813
SHA-256:	9D5C6A9038FAA187AA53F6C1602B6CF072924548DDA5D4E4429761D2A732274C
SHA-512:	2C970B3DF4E23AF9B8EBF2F24F7BDCE1E4299380075C42FC958BFA5423D36170CA86A0C50ADD075E4FA639DD1EAEF46DE1AC7477703DE439BE863C9211D36679
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|.../.../.../P....../P...$../....../....../....../P....../P....../P....../.../P../B....../B....../B.J/.../.."/.../B....../Rich.../........PE..L...Q.c.........."!...".....j......gN....... ............................................@..................................0.......`..x............j...#...p.....h...p...............................@............ ...............................text...o........................... ..`.rdata....... ......................@..@.data........@.....................@....rsrc...x....`.......8..............@..@.reloc...*...p...,...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9FDA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	298400
Entropy (8bit):	6.587657990073731
Encrypted:	false
SSDEEP:	6144:xQ3LMS8zXh5BxLeH+Lvh/nhmAOxesSd7nkhoaJ:xQ7wXjreamXe7d7nkhoaJ
MD5:	2BF4796C8D716FAC116C39BFF78B20E5
SHA1:	70D1B68F14D92213BB6DBC231A1122331E8E8813
SHA-256:	9D5C6A9038FAA187AA53F6C1602B6CF072924548DDA5D4E4429761D2A732274C
SHA-512:	2C970B3DF4E23AF9B8EBF2F24F7BDCE1E4299380075C42FC958BFA5423D36170CA86A0C50ADD075E4FA639DD1EAEF46DE1AC7477703DE439BE863C9211D36679
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|.../.../.../P....../P...$../....../....../....../P....../P....../P....../.../P../B....../B....../B.J/.../.."/.../B....../Rich.../........PE..L...Q.c.........."!...".....j......gN....... ............................................@..................................0.......`..x............j...#...p.....h...p...............................@............ ...............................text...o........................... ..`.rdata....... ......................@..@.data........@.....................@....rsrc...x....`.......8..............@..@.reloc...*...p...,...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2043338661998462
Encrypted:	false
SSDEEP:	12:JSbX72Fjm3XAlfLIlHuRpthG7777777777777777777777777ZDHFsgfg7mo+pgh:JUnUIwwNgS3g82F
MD5:	CF900B182918C8DDB1D0EE563DC80125
SHA1:	14F552F35E2217FB44B815015EAEDFF49E8D79CD
SHA-256:	309F17FD891B5368AE841B718297F2B1A000F395ADFBD27456170473A0269A36
SHA-512:	7F28D7047715D44F36C13F300CBF0BE2AC51E04560607EFF490F3A4B86A138EC163590066B1AF384FF5AAFAA9E9EB9B6532F10C4F3C679EB91B9FC7F0390BFDE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6450274726098104
Encrypted:	false
SSDEEP:	48:r8PhiuRc06WX4YFT5ushWrdwjWSkd/Ejx+f2DFDVFdRSkd7T:Shi1oFTLWndTid
MD5:	959D7034EC0AD8472D31CAFE811804AA
SHA1:	3D6AA8EE8564DA5A4D66505EF3828840BE67E709
SHA-256:	622CB7B4C2804DCF1E2565CF8C08B172EB3EDF2FAF63C8372448378DD276C349
SHA-512:	97EA17A7521D71F47D73206F9ED4C32E5A3ACF7405E91C2C7E92A6E09B865E487CD8B7DA4A1F779E3C030E30B56C52F4B660A2FF3B0AE8FF1C67E955152A17F5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{7C01FBF1-500B-4790-9A33-BB42D3A26B4D}\RadarGame_1.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	41756
Entropy (8bit):	7.983599524686216
Encrypted:	false
SSDEEP:	768:zkmlY77ihwD/ohi7JRjBFXMnkfmQ7l/FEX/ANruwVPLHK7J5:zRlYHucQheJRjBFXMe37ly/UrLVLKn
MD5:	727046C8DB4ECF2A304B599637065BAF
SHA1:	D33A2EF86BC0FC5270B56D1793B6646227B481B9
SHA-256:	DE1D3693CC07435D6297D767AAAB07E07E0FCEB6F1117B148434BE815CA6ED98
SHA-512:	10F746188661CA0C27B1E5F2B9B68A35321ADF706A5A8BB71A9CA55527F95B7B73AD37BC19A8B3B4BF9CFCF48496C58DE21A41E7E4FA8FEFF8A324679EAF8850
Malicious:	false
Preview:	.......................PNG........IHDR...............?1....orNT..w.....IDATx..}u..........O...]w.M.1,... .....].........w.....[J...B..3s^....s.(...$.{...;s.9...T4..&.O.>4y..GsSs..'\|.....O.h..Z[._...............v...~y...)>t..........A...........C~.G.....=..mG.~...~.@...@...z...1(?...q0x....g.8........c.?..kD<W.T.a...;.9..o..h........x6......X.;...........<..... .4E ......:Z}40.o.Q....h'........{{..&.:}.H0......-@..~w.```.............q8...0......0...... Y...5........3<4...0A ......G.0.@....1.P.#.1.......x....D._.......'.O.g..`w..'`\A...V..h.0.:.....:..w..@...N+..7......mq.....,`..]..^.3................!7..L...%....-10b.B... ....a ....L.Lc....G..>.....w.y...H!.....x/.*``.....A@x.....X...B......Xp..>...=.x........2...6G ......?`3..K.A`8..&"..0lX?...N.p`".i.....'..Kw.P0m.+....#..hPN....?..8.8...qy....h..@{..+he3........`HDB..@.@LB.E..GC=....z....P(&..?.B..0H..0..&-.9.....Pl.$"!?..VH..`...L@.W0............0..%...CAQ.L.\|G.....B...>..Vw....J.\|.0.q{ "..@$...Lb.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.282152547532746
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyiD:yXs9UogeWeH29qclhmwYyiD
MD5:	8C37F6DA7AEB0ED397AB70C960D669C8
SHA1:	AB3B79AB4F00A7B8E8890386DCBE3A775A063299
SHA-256:	C013DF4D9636853172DB80EAE4F7B7B9CC1E0EFD34D7E3454BC508EAF3CC4C2C
SHA-512:	159574BA711D8E82B1AC91279E87BAB270EFBB3B6D39102197C18D56BE67CF1C1EFA752002F6EDF02171517908B65DADA753FBD5526C190E0A32E8626C33E9E9
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

C:\Windows\Temp\~DF0417CD0B16F3D628.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF202C828E0D703917.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.311505941141665
Encrypted:	false
SSDEEP:	48:E26quYthPIFX4dT59shWrdwjWSkd/Ejx+f2DFDVFdRSkd7T:wqhI+TkWndTid
MD5:	0C370B61A715DB5B295960E4C8649DBA
SHA1:	A0E1587B1031FE72DAA069A286A26105E1F50328
SHA-256:	F41D9A43FF3DCDFB3900A6669569DC847C8853123524FF2C090A594E94CF34E7
SHA-512:	C073C86608B8E9CD35BB267249600A02B34102EA7B9933533CB97A7446DC34FA38BC4D853B3F199F9867AD431F5302B9B2E5D8C9EE459CCF4C598CF2410E0DDA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6AAAFEC1E88A3A93.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF83074A47D927D0EA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9AD121B9C54DFA50.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6450274726098104
Encrypted:	false
SSDEEP:	48:r8PhiuRc06WX4YFT5ushWrdwjWSkd/Ejx+f2DFDVFdRSkd7T:Shi1oFTLWndTid
MD5:	959D7034EC0AD8472D31CAFE811804AA
SHA1:	3D6AA8EE8564DA5A4D66505EF3828840BE67E709
SHA-256:	622CB7B4C2804DCF1E2565CF8C08B172EB3EDF2FAF63C8372448378DD276C349
SHA-512:	97EA17A7521D71F47D73206F9ED4C32E5A3ACF7405E91C2C7E92A6E09B865E487CD8B7DA4A1F779E3C030E30B56C52F4B660A2FF3B0AE8FF1C67E955152A17F5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9CEE0BCD1C4E0868.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.311505941141665
Encrypted:	false
SSDEEP:	48:E26quYthPIFX4dT59shWrdwjWSkd/Ejx+f2DFDVFdRSkd7T:wqhI+TkWndTid
MD5:	0C370B61A715DB5B295960E4C8649DBA
SHA1:	A0E1587B1031FE72DAA069A286A26105E1F50328
SHA-256:	F41D9A43FF3DCDFB3900A6669569DC847C8853123524FF2C090A594E94CF34E7
SHA-512:	C073C86608B8E9CD35BB267249600A02B34102EA7B9933533CB97A7446DC34FA38BC4D853B3F199F9867AD431F5302B9B2E5D8C9EE459CCF4C598CF2410E0DDA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBB2FDC8C1E00E687.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6450274726098104
Encrypted:	false
SSDEEP:	48:r8PhiuRc06WX4YFT5ushWrdwjWSkd/Ejx+f2DFDVFdRSkd7T:Shi1oFTLWndTid
MD5:	959D7034EC0AD8472D31CAFE811804AA
SHA1:	3D6AA8EE8564DA5A4D66505EF3828840BE67E709
SHA-256:	622CB7B4C2804DCF1E2565CF8C08B172EB3EDF2FAF63C8372448378DD276C349
SHA-512:	97EA17A7521D71F47D73206F9ED4C32E5A3ACF7405E91C2C7E92A6E09B865E487CD8B7DA4A1F779E3C030E30B56C52F4B660A2FF3B0AE8FF1C67E955152A17F5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBBE2EED8187343F5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1667509989412252
Encrypted:	false
SSDEEP:	24:9+NCLTx+dRYWipV+dRYU+dRYFJjWipV+dRYWEjxNelVG4nIGi/2RvkD4gC2rhKAq:JT4dRSkdWdwjWSkd/Ejx+f2DFDViysh
MD5:	C08109EFA59AF87C1C8200B797057FC6
SHA1:	8F333B03B67972D51E717CBC676CA2552CAEE6CA
SHA-256:	7C52AD08929A458432AA022142C02865B003E46C4BC1DFCAD753A8BB7EC23209
SHA-512:	E5D1EAED49D48C63931BCD890E8D24FD90C92DAEB09CE73BF916A3EEE2206B34AC6C5BF269126EE478A61620D8374EA2E9883D4274ACE734683C47B6ED778486
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCF5A099ED778731A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.311505941141665
Encrypted:	false
SSDEEP:	48:E26quYthPIFX4dT59shWrdwjWSkd/Ejx+f2DFDVFdRSkd7T:wqhI+TkWndTid
MD5:	0C370B61A715DB5B295960E4C8649DBA
SHA1:	A0E1587B1031FE72DAA069A286A26105E1F50328
SHA-256:	F41D9A43FF3DCDFB3900A6669569DC847C8853123524FF2C090A594E94CF34E7
SHA-512:	C073C86608B8E9CD35BB267249600A02B34102EA7B9933533CB97A7446DC34FA38BC4D853B3F199F9867AD431F5302B9B2E5D8C9EE459CCF4C598CF2410E0DDA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEA8048BC6D67B21B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.100415106264356
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOs8rYpd3Xgfg+Cmo+pg+SLtlyVky6liS+lhX:50i8n0itFzDHFsgfg7mo+pgxTijlx
MD5:	BF1E8DB0080F9E74F90BA5AB6107C9D4
SHA1:	5E3292D7CF3F078DE5B18A8F7BE0FE91A168FDA8
SHA-256:	A6F189389B91CFC057B28810B3393945174E82966DFA4792CBFBBA09F7260E55
SHA-512:	14D09429BAA63D51E2D841301A9ECBFCB921E78322C2EE651E3D2D99115A49B1A51A1B9F19DDBB6D0E296D360DF029191D0174D353D8972B203D8B4134A402D4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEDA409CEEEDF5A0D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF4359699473BBFF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.561465209442483
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	radarinstaller.exe
File size:	11990127
MD5:	09d605c20a1de79592e839c6d78e5d3f
SHA1:	4c2d403aecbb0e2bbc3549327fdde8d31caf1a84
SHA256:	e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97
SHA512:	05a3116a1299996baed81c75cae06000bebbcf39743bf2895b9121068b96121982530b110f76c37985ee8ece91a5628ffbdb671459867f9043c8462fb20c3322
SSDEEP:	196608:d5gk9KH9qVm914RCgso1dTC6fOC76B0Jf067YhDrXrbUWh:4eKdcP1dTCcObobSnTh
TLSH:	3DC6D0217686C43BD56A01B1692CDA9F5228BF721BB254D773CC3E7F1AB45C20632E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..j#..9#..9#..9...8...9...8...9...8"..9l..80..9l..8:..9l..8J..9...89..9...8 ..9...8"..9#..9...9...8[..9..}9"..9#..9"..9...8"..

File Icon


Icon Hash:	6969edc3919092e0

Static PE Info

General

Entrypoint:	0x5d0974
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6399D230 [Wed Dec 14 13:40:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8708d1fe1b5ff509570e29ce51663405

Entrypoint Preview

Instruction
call 00007F236C693B2Bh
jmp 00007F236C69335Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F236C6929B3h
jmp 00007F236C6934C2h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006E4020h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006E4020h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [006E4020h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e223c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f1000	0x26fac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x318000	0x279d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x288188	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x288200	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x259d50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x258000	0x2e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2df5e8	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2565c6	0x256600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x258000	0x8b322	0x8b400	False	0.3123246745960503	data	4.589889619444622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e4000	0xcf40	0x3a00	False	0.2693292025862069	data	4.761885688726732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2f1000	0x26fac	0x27000	False	0.12498747996794872	data	5.213191946056738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x318000	0x279d0	0x27a00	False	0.4465817231861199	data	6.521615115365491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x2f18e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States
RT_BITMAP	0x2f1a20	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States
RT_BITMAP	0x2f2248	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States
RT_BITMAP	0x2f6af0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States
RT_BITMAP	0x2f755c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States
RT_BITMAP	0x2f76b0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States
RT_ICON	0x2f7ed8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x2fc100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x2fe6a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x2ff750	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x3000d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x300540	0xac	data	English	United States
RT_DIALOG	0x3005ec	0xcc	data	English	United States
RT_DIALOG	0x3006b8	0x1b4	data	English	United States
RT_DIALOG	0x30086c	0x136	data	English	United States
RT_DIALOG	0x3009a4	0x4c	data	English	United States
RT_STRING	0x3009f0	0x234	data	English	United States
RT_STRING	0x300c24	0x182	data	English	United States
RT_STRING	0x300da8	0x50	data	English	United States
RT_STRING	0x300df8	0x9a	data	English	United States
RT_STRING	0x300e94	0x2f6	data	English	United States
RT_STRING	0x30118c	0x5c0	data	English	United States
RT_STRING	0x30174c	0x3c2	data	English	United States
RT_STRING	0x301b10	0x100	data	English	United States
RT_STRING	0x301c10	0x484	data	English	United States
RT_STRING	0x302094	0x1ea	data	English	United States
RT_STRING	0x302280	0x18a	data	English	United States
RT_STRING	0x30240c	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States
RT_STRING	0x302624	0x624	data	English	United States
RT_STRING	0x302c48	0x660	data	English	United States
RT_STRING	0x3032a8	0x2e2	data	English	United States
RT_GROUP_ICON	0x30358c	0x4c	data	English	United States
RT_VERSION	0x3035d8	0x2e4	data	English	United States
RT_HTML	0x3038bc	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States
RT_HTML	0x3070f4	0x1316	ASCII text, with CRLF line terminators	English	United States
RT_HTML	0x30840c	0x52b	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0x308938	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0x30f408	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0x30faac	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0x310af8	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0x3120ac	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States
RT_HTML	0x314108	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_MANIFEST	0x317798	0x813	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, GetExitCodeProcess, GetWindowsDirectoryW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, GetProcessAffinityMask, GetModuleHandleA, GlobalMemoryStatus, ReleaseSemaphore, CreateSemaphoreW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	23:09:05
Start date:	18/01/2023
Path:	C:\Users\user\Desktop\radarinstaller.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\radarinstaller.exe
Imagebase:	0x1e0000
File size:	11990127 bytes
MD5 hash:	09D605C20A1DE79592E839C6D78E5D3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	23:09:07
Start date:	18/01/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff606cf0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	23:09:08
Start date:	18/01/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 4FBD723870247546C5E896E447E04486 C
Imagebase:	0x12a0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	23:09:23
Start date:	18/01/2023
Path:	C:\Users\user\Desktop\radarinstaller.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\radarinstaller.exe" /i "C:\Users\user\AppData\Roaming\Game Radar\Game Radar 1.0.0.0\install\Game_Radar.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Game Radar\Game Radar" SECONDSEQUENCE="1" CLIENTPROCESSID="3576" CHAINERUIPROCESSID="3576Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\user\Desktop\radarinstaller.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1674079604 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\radarinstaller.exe" AI_INSTALL="1
Imagebase:	0x1e0000
File size:	11990127 bytes
MD5 hash:	09D605C20A1DE79592E839C6D78E5D3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	23:09:25
Start date:	18/01/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D6F6D127C2C7F254CEAC4AF4A73CD162
Imagebase:	0x12a0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	23:09:28
Start date:	18/01/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 39123E73EC491C747669F30AC2EBC3D4 E Global\MSI0000
Imagebase:	0x12a0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.4%
Total number of Nodes:	1347
Total number of Limit Nodes:	78

Executed Functions

Function 00311960 Relevance: 39.1, APIs: 11, Strings: 11, Instructions: 622libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00311B65
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00311C60
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00311D60
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00311E45
GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00311F8C
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 00312072
__Init_thread_footer.LIBCMT ref: 003120E6
LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 003120FC
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0031212E
SHGetPathFromIDListW.SHELL32(?,?), ref: 0031219C
SHGetMalloc.SHELL32(00000000), ref: 003121B5

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Strings

ProgramFiles64Folder, xrefs: 0031199A
System32Folder, xrefs: 00311BED, 00311C02, 00311C0C
ProgramW6432, xrefs: 003119F5
Nqt, xrefs: 0031212E
SETUPEXEDIR, xrefs: 00311F34
SystemFolder, xrefs: 00311AD9, 00311AEE, 00311AF8
WindowsFolder, xrefs: 00311CED, 00311D02, 00311D0C
SHGetFolderPathW, xrefs: 00312128
WindowsVolume, xrefs: 00311DD4, 00311DE9, 00311DF3
TempFolder, xrefs: 00311E72
shfolder.dll, xrefs: 003120F7

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Directory$FolderPathWindows$AddressAllocFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystem
String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll$Nqt
API String ID: 1264188777-883784354
Opcode ID: 7cca92789c6cf91e721fbcf9f40897f56f2624e2214575b592e9c1fe1b673fb3
Instruction ID: 24ae6b30c8fb23347c823f46771c1127f2f17559a1897053e83a87d7e6bc18e5
Opcode Fuzzy Hash: 7cca92789c6cf91e721fbcf9f40897f56f2624e2214575b592e9c1fe1b673fb3
Instruction Fuzzy Hash: EA320570A006458BDB29DF24CC44BFAB3B5EF59315F1542A8EA0597292EB30AEC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003167F0 Relevance: 32.8, APIs: 11, Strings: 7, Instructions: 1264synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

GetTickCount.KERNEL32 ref: 00316874
__Xtime_get_ticks.LIBCPMT ref: 0031687C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003168C6
__Init_thread_footer.LIBCMT ref: 00316AB1
GetCurrentProcess.KERNEL32(00000008,?,F026EBDC), ref: 00316CA8
OpenProcessToken.ADVAPI32(00000000), ref: 00316CAF
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00316CDE
CloseHandle.KERNEL32(00000000), ref: 00316CF3

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

Part of subcall function 00301DA0: __Init_thread_footer.LIBCMT ref: 00301E16

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003174B5
CreateThread.KERNEL32 ref: 003174F0
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00317523

Part of subcall function 0031A490: GetCurrentProcess.KERNEL32(?,F026EBDC), ref: 0031A4F9
Part of subcall function 0031A490: IsWow64Process.KERNEL32(00000000), ref: 0031A500
Part of subcall function 0031A490: _wcsrchr.LIBVCRUNTIME ref: 0031A581

Strings

L, xrefs: 00316AFE
\/:*?"<>|, xrefs: 00316A71
/uninstall, xrefs: 00316EA3
n=, xrefs: 003176DD
L, xrefs: 00316A76
\\?\, xrefs: 003175F7
VersionString, xrefs: 00316F74, 00316FC5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Process$Init_thread_footer$CreateCurrentHeapToken$AllocCloseCountEventFindHandleInformationObjectOpenResourceSingleThreadTickUnothrow_t@std@@@WaitWow64Xtime_get_ticks__ehfuncinfo$??2@_wcsrchr
String ID: /uninstall$VersionString$\/:*?"<>|$\\?\$n=$L$L
API String ID: 1945640678-1511009421
Opcode ID: a21d41541a8330ade8d49e12b932cb4401efa4edcfc65a7c358484ec5c2be312
Instruction ID: 00f574bd08c665220faafdc1eac3cf3d51a5404473e42f7d06e348c4c6401722
Opcode Fuzzy Hash: a21d41541a8330ade8d49e12b932cb4401efa4edcfc65a7c358484ec5c2be312
Instruction Fuzzy Hash: 7EB2C070A00609DFDB19DFA8C845BEDFBB4FF08314F198269E815AB291DB74AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033AC30 Relevance: 26.8, APIs: 12, Strings: 3, Instructions: 529
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0033ACC5
GetLastError.KERNEL32 ref: 0033ACCB
GetUserNameW.ADVAPI32(?,?), ref: 0033AD13
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0033AD49
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 0033AD93
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,F026EBDC), ref: 0033AF98
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,F026EBDC), ref: 0033AFC8
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,F026EBDC,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0033B10D
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 0033B1C0
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0033B202
RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 0033B2F6
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 0033B338

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0033B217
Software, xrefs: 0033AFE8
UserDomain, xrefs: 0033AD44, 0033AD8E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CloseDelete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 3650088056-4079418357
Opcode ID: 19934aa8127c664f755ea308b848904ab3bf3e4940852abad0d8ace7aaf76d71
Instruction ID: 92ab5680ea1aefd31c5b47241795a7215fcac8f3ee16e91819e8ac37b6bd20af
Opcode Fuzzy Hash: 19934aa8127c664f755ea308b848904ab3bf3e4940852abad0d8ace7aaf76d71
Instruction Fuzzy Hash: A922AC70D10248DFDB15DFA8CC95BEEBBB4AF14304F208269E515A7291DB746A88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002FE790 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 002FE7D8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 002FE7E5
GetLastError.KERNEL32 ref: 002FE7EF
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,000000FF), ref: 002FE819
GetLastError.KERNEL32 ref: 002FE81F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),000000FF,000000FF,000000FF,000000FF), ref: 002FE845
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002FE878
EqualSid.ADVAPI32(00000000,?), ref: 002FE887
FreeSid.ADVAPI32(?), ref: 002FE896
FindCloseChangeNotification.KERNEL32(00000000), ref: 002FE8D0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID:
API String ID: 2037597787-0
Opcode ID: 049fcff0c6a4649a6f2d372ab50217313f5c6f63c43e741bac97f85e56c281dd
Instruction ID: aac75a743806a899a4451281257f504546213ef9944f86e0fcefdbf14fbeef0d
Opcode Fuzzy Hash: 049fcff0c6a4649a6f2d372ab50217313f5c6f63c43e741bac97f85e56c281dd
Instruction Fuzzy Hash: D1412971D00209AFDF119FA0CD49BEEBBB8EF08754F154029E511B62A0DB799A14CF68

Uniqueness

Uniqueness Score: -1.00%

Function 003227F0 Relevance: 14.1, APIs: 9, Instructions: 623
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

CloseHandle.KERNEL32(?,F026EBDC,?,7476FB40), ref: 00323A61

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$CloseHandleHeapProcess
String ID:
API String ID: 2534622057-0
Opcode ID: f13e9214c21ab1c1921a34c424f272fc2e1ffd9c354587d0ee6b78a89294b3a9
Instruction ID: 38b5454c2e3646963efc2382ad4fd1d7c962a01f49b2bd215b0de7e1b7a9e379
Opcode Fuzzy Hash: f13e9214c21ab1c1921a34c424f272fc2e1ffd9c354587d0ee6b78a89294b3a9
Instruction Fuzzy Hash: AA527B709016689FDB26CF68C944B9DBBF8AF45304F1582DDE408AB291DB78AF85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0032E1F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0032E2CA

Strings

\, xrefs: 0032E244
\, xrefs: 0032E24C
\, xrefs: 0032E26E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 7f82c365a6055a81439c29418512a873c2926093ac12ec04bd66a22f3d025d31
Instruction ID: f6939181bec52d69330a21e0ce71eff4c357717e664422bc40dc49ca445271f5
Opcode Fuzzy Hash: 7f82c365a6055a81439c29418512a873c2926093ac12ec04bd66a22f3d025d31
Instruction Fuzzy Hash: B041D432D14321CACB31EF24A446A6BB3F8FF95354F164E2EE9C997140E730998583C6

Uniqueness

Uniqueness Score: -1.00%

Function 002BA630 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002BA671

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

LoadLibraryExW.KERNEL32(?,00000000,00000000,0040CDED,000000FF), ref: 002BA744

Strings

UxTheme.dll, xrefs: 002BA64C, 002BA71F, 002BA720, 002BA7B4

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID: UxTheme.dll
API String ID: 2586271605-352951104
Opcode ID: 5c9a4f78424d2773e08750eae89b277c1cb850ea0807c45c64ba46d709bc50ad
Instruction ID: 73ef58a32ad4b45c2aad61b98eb7b5be1d9b0a5102afc0ecd9bdb2017643014f
Opcode Fuzzy Hash: 5c9a4f78424d2773e08750eae89b277c1cb850ea0807c45c64ba46d709bc50ad
Instruction Fuzzy Hash: E8A18BB0500745EFE714CF68C858B9ABBF4FF04318F24865DE8199B681D7BAA618CF85

Uniqueness

Uniqueness Score: -1.00%

Function 003AFA13 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00325F3E,?,?,?,?,?,?), ref: 003AFA18
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 003AFA1F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 003AFA65
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 003AFA6C

Part of subcall function 003AF8B1: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,003AFA5B,?,?,?,?,?,?,?), ref: 003AF8D5
Part of subcall function 003AF8B1: HeapAlloc.KERNEL32(00000000,?,003AFA5B,?,?,?,?,?,?,?), ref: 003AF8DC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: abf27c8e300086f1047f6707c9f3cc146567d87a78ed4bf877cc7764089391d4
Instruction ID: c5967523542d3a5b3d3a3a37af2f957a3d5f1d5f52dfb0254be5e43388ea4c9e
Opcode Fuzzy Hash: abf27c8e300086f1047f6707c9f3cc146567d87a78ed4bf877cc7764089391d4
Instruction Fuzzy Hash: 9CF0B473644B119FC76A2BF87C08AAB6A78EFC2791713513CF54AC6254DF20C8014F58

Uniqueness

Uniqueness Score: -1.00%

Function 002FC9A0 Relevance: 4.6, APIs: 3, Instructions: 93fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 002FCA3D
FindClose.KERNEL32(00000000), ref: 002FCA9C

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Find$AllocCloseFileFirstHeap
String ID:
API String ID: 2507753907-0
Opcode ID: 4325cfd9be6230ac670e6e0248139c301ab5b60790b754e95e47244366e00de1
Instruction ID: 7aa9a9a4f7771fbd59267d84a1ac8033ab167b6ebc369bcc8e0ac6d7215ef925
Opcode Fuzzy Hash: 4325cfd9be6230ac670e6e0248139c301ab5b60790b754e95e47244366e00de1
Instruction Fuzzy Hash: BB31D07090420D8FDB24DF14CE48B6AF7B4EF48360F20816EEA1AA7380DB756D54CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00341D40 Relevance: 3.9, Strings: 3, Instructions: 154COMMON

Download Yara Rule

Strings

P+ , xrefs: 00341DC4
0'4, xrefs: 00341DBD
z+4, xrefs: 00341DCB

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID: 0'4$P+ $z+4
API String ID: 275895251-1308684382
Opcode ID: 528c8e2dcef8caa6fb2ae08eb3fa36a3d8b485015a91f2ddfcfb3ef83f395ce4
Instruction ID: 2289baf659b221ccded081a50bd416a7130441f27dac0f42abb31b519a60de13
Opcode Fuzzy Hash: 528c8e2dcef8caa6fb2ae08eb3fa36a3d8b485015a91f2ddfcfb3ef83f395ce4
Instruction Fuzzy Hash: 1D6156B0500B44CFE711CF25C54878ABBF0BF19308F248A9DD48A9B792D7B9E649DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0033C2F0 Relevance: 3.1, APIs: 2, Instructions: 86filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,F026EBDC,F026EBDC,?,?,?,?,00000000), ref: 0033C379
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,F026EBDC,F026EBDC,?,?,?,?,00000000,00424595), ref: 0033C39A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: a22c9bdffae3d2f14019ba84ff3061d350673d4827cbb163e51e1f077b858d61
Instruction ID: 73d5417a6fcc62cefc73ae97b543a03f3c6c94ca00a0646567d85939420b008a
Opcode Fuzzy Hash: a22c9bdffae3d2f14019ba84ff3061d350673d4827cbb163e51e1f077b858d61
Instruction Fuzzy Hash: 2331E336A84745AFE721CF14CC05B99BBA4EB01720F10C62EF9A9AB6D0D775A940CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0021B0B0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 0021B0C8
SetUnhandledExceptionFilter.KERNEL32(002FB960), ref: 0021B0DE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 7f0057f489b4d44073b79c48dd0f93afbf5c5cad14a1a0c98a7ba57dc0ad9d4e
Instruction ID: 7900f4da71727cc2d984fdd649ee99ded4b72b7f0ecb9a7cade691c4fc02e979
Opcode Fuzzy Hash: 7f0057f489b4d44073b79c48dd0f93afbf5c5cad14a1a0c98a7ba57dc0ad9d4e
Instruction Fuzzy Hash: F1E0CD36A502447FC7225761DC4DF5BBF64DBA7750F084475F70067161C77054558B72

Uniqueness

Uniqueness Score: -1.00%

Function 002E4560 Relevance: 112.3, APIs: 8, Strings: 56, Instructions: 327
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

MoveFileW.KERNEL32(?,?), ref: 002E46DA
GetModuleHandleW.KERNEL32(kernel32,?), ref: 002E471C
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 002E4764
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 002E47BC
__Init_thread_footer.LIBCMT ref: 002E47CC
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002E4814
__Init_thread_footer.LIBCMT ref: 002E4774

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

__Init_thread_footer.LIBCMT ref: 002E4824

Part of subcall function 002BA630: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002BA671

Strings

uxtheme.dll, xrefs: 002E4877, 002E4903
comdlg32.dll, xrefs: 002E48D2
shcore.dll, xrefs: 002E4997
mpr.dll, xrefs: 002E4870, 002E48FC
shell32.dll, xrefs: 002E48B6
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 002E45D7, 002E45DF
USP10.dll, xrefs: 002E485B
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 002E45F7
wininet.dll, xrefs: 002E48EE
psapi.dll, xrefs: 002E483C
apphelp.dll, xrefs: 002E493D
srvcli.dll, xrefs: 002E49DD
version.dll, xrefs: 002E4869, 002E48E7
msihnd.dll, xrefs: 002E498D
shlwapi.dll, xrefs: 002E4965
kernel32.dll, xrefs: 002E491F
comctl32.dll, xrefs: 002E48AF
msi.dll, xrefs: 002E4854, 002E490A
secur32.dll, xrefs: 002E49AB
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 002E45D2
urlmon.dll, xrefs: 002E48F5
lpk.dll, xrefs: 002E496F
dbghelp.dll, xrefs: 002E48E0
WindowsCodecs.dll, xrefs: 002E4846
setupapi.dll, xrefs: 002E4979
usp10.dll, xrefs: 002E4983
advapi32.dll, xrefs: 002E48BD
oleaut32.dll, xrefs: 002E48A8
SetDllDirectory, xrefs: 002E47B6
dwmapi.dll, xrefs: 002E4893
crypt32.dll, xrefs: 002E4951
user32.dll, xrefs: 002E48CB
wintrust.dll, xrefs: 002E495B
wkscli.dll, xrefs: 002E49E7
userenv.dll, xrefs: 002E488C
Nqt, xrefs: 002E472B
profapi.dll, xrefs: 002E487E
msasn1.dll, xrefs: 002E4947
SetDefaultDllDirectories, xrefs: 002E480E
bcrypt.dll, xrefs: 002E484D
ws2_32.dll, xrefs: 002E49BF
samcli.dll, xrefs: 002E49B5
ole32.dll, xrefs: 002E48A1
netutils.dll, xrefs: 002E49D3
rsaenh.dll, xrefs: 002E4933
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 002E45F0, 002E45FF
gdi32.dll, xrefs: 002E48C4
SetSearchPathMode, xrefs: 002E475E
cryptsp.dll, xrefs: 002E49A1
msls31.dll, xrefs: 002E4862
davhlpr.dll, xrefs: 002E489A
kernel32, xrefs: 002E4717
netapi32.dll, xrefs: 002E49C9
msimg32.dll, xrefs: 002E48D9
gdiplus.dll, xrefs: 002E4885, 002E4911
cabinet.dll, xrefs: 002E4918

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$AddressProc$CriticalSection$ConditionDirectoryEnterFileHandleHeapLeaveModuleMoveProcessSystemVariableWake
String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$USP10.dll$WindowsCodecs.dll$advapi32.dll$apphelp.dll$bcrypt.dll$cabinet.dll$comctl32.dll$comdlg32.dll$crypt32.dll$cryptsp.dll$davhlpr.dll$dbghelp.dll$dwmapi.dll$gdi32.dll$gdiplus.dll$kernel32$kernel32.dll$lpk.dll$mpr.dll$msasn1.dll$msi.dll$msihnd.dll$msimg32.dll$msls31.dll$netapi32.dll$netutils.dll$ole32.dll$oleaut32.dll$profapi.dll$psapi.dll$rsaenh.dll$samcli.dll$secur32.dll$setupapi.dll$shcore.dll$shell32.dll$shlwapi.dll$srvcli.dll$urlmon.dll$user32.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wininet.dll$wintrust.dll$wkscli.dll$ws2_32.dll$Nqt
API String ID: 3437638698-3702451545
Opcode ID: d22f8a80f6d2ea9a1bf1ea6f513b99e7ff81a5671db87b42621ae05f2e3f9416
Instruction ID: 80b0fe12801f7fbf5499371a040878d1e8e2da0c94fa69f22d56f07d01e3348e
Opcode Fuzzy Hash: d22f8a80f6d2ea9a1bf1ea6f513b99e7ff81a5671db87b42621ae05f2e3f9416
Instruction Fuzzy Hash: C7E16FB0901289DFDB10DF55C849BDEBBB4EF15319F50811EE818AB292DB78990CCF99

Uniqueness

Uniqueness Score: -1.00%

Function 00301E40 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 224
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00301EAE
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00301EF5
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00301F14
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00301F43
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00301FB8
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00302032
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00302084
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00302118
GetProcAddress.KERNEL32(00000000), ref: 0030211F
__Init_thread_footer.LIBCMT ref: 00302133
GetCurrentProcess.KERNEL32(?), ref: 00302156
IsWow64Process.KERNEL32(00000000), ref: 0030215D
RegCloseKey.ADVAPI32(00000000), ref: 00302197

Strings

CurrentMinorVersionNumber, xrefs: 00301F09
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00301EA4
CurrentVersion, xrefs: 00301F38
CurrentMajorVersionNumber, xrefs: 00301EEA
Nqt, xrefs: 0030211F
kernel32, xrefs: 00302113
PWqt, xrefs: 00302125, 0030213B
(L, xrefs: 00302091
CurrentBuildNumber, xrefs: 00301FAD
ReleaseId, xrefs: 00302027
IsWow64Process, xrefs: 0030210E
CSDVersion, xrefs: 00302079

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: (L$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$PWqt$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32$Nqt
API String ID: 1906320730-2665407064
Opcode ID: a877f0f1e403dc64735915db96f87b22517b52095377eeb7a2d3a8150b46d140
Instruction ID: 6a9ad8c9a8568340618b4b13e483a9378cb0fe628dce55d143fde74c4c9b1dca
Opcode Fuzzy Hash: a877f0f1e403dc64735915db96f87b22517b52095377eeb7a2d3a8150b46d140
Instruction Fuzzy Hash: C691B0B19017289FDB61CF10CC45FAAB7B5FB44711F1002AAE809A72D0EB75AE94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 003021D0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00302240
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 0030227B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 003022F6
RegCloseKey.KERNEL32(00000000), ref: 003024CE

Strings

Personal, xrefs: 003023F9
Blade, xrefs: 00302410
EmbeddedNT, xrefs: 003023C6
Enterprise, xrefs: 00302349
WinNT, xrefs: 00302281
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00302236
Security Appliance, xrefs: 0030243E
Compute Server, xrefs: 0030246C
BackOffice, xrefs: 00302362
ProductSuite, xrefs: 003022EB
Storage Server, xrefs: 00302455
Small Business(Restricted), xrefs: 003023AD
CommunicationServer, xrefs: 0030237B
Embedded(Restricted), xrefs: 00302427
Small Business, xrefs: 00302330
DataCenter, xrefs: 003023DF
ProductType, xrefs: 00302270
ServerNT, xrefs: 003022A4
Terminal Server, xrefs: 00302394

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 9ab326e868e990c44ed9f5a3cdcf82fb44188235e2c24494d5b8fb8c3fc9c963
Instruction ID: 2db0103df3951c9ad10f8bf07d4a4113e70fc0c7247811965c2da7ebe80ca94e
Opcode Fuzzy Hash: 9ab326e868e990c44ed9f5a3cdcf82fb44188235e2c24494d5b8fb8c3fc9c963
Instruction Fuzzy Hash: 97712D30B013099BDB529B21CC687BF7269EF40744F1144B6ED06ABBC2EB38DD498B95

Uniqueness

Uniqueness Score: -1.00%

Function 00317FC0 Relevance: 30.5, APIs: 3, Strings: 14, Instructions: 784COMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00318094
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 003180C8

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

Strings

AI_BOOTSTRAPPERLANGS, xrefs: 003197C0, 003197D2, 003197DC
n=, xrefs: 00318D7D, 00318DD2
Language of a related product is:, xrefs: 00318E0C
Code returned to Windows by setup:, xrefs: 00318A11
Language selected programatically for UI:, xrefs: 00318EC2
Advinst_Extract_, xrefs: 0031802B, 00318040, 0031804A
A valid language was received from commnad line. This is:, xrefs: 00318C0A
Language used for UI:, xrefs: 00318F3E
%hu, xrefs: 00318C38
n=, xrefs: 003191DA
Languages of setup:, xrefs: 00319A1B
PE, xrefs: 003192C8, 003192EE, 00319545
Software\Caphyon\Advanced Installer\, xrefs: 00318D90
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00318DA4

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$PE$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$n=$n=
API String ID: 1419962739-218809915
Opcode ID: 461d75f7d00d927894a0673302dd706324b3cc39cb48c8fe182b310ec061ec56
Instruction ID: ed32ed733233b0f826c36ac43b5aa1a05c7c639082d991c8dbeede38febbe095
Opcode Fuzzy Hash: 461d75f7d00d927894a0673302dd706324b3cc39cb48c8fe182b310ec061ec56
Instruction Fuzzy Hash: 695203709006499FDB1ADF68CC45BEEB7B4EF09310F1582ACE915AB292DB309E45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00317C80 Relevance: 23.8, APIs: 10, Strings: 3, Instructions: 1034threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00317E50
SetLastError.KERNEL32(0000000E), ref: 00317E6D
GetCurrentThreadId.KERNEL32 ref: 00317E85
EnterCriticalSection.KERNEL32(004CE7BC), ref: 00317EA2
LeaveCriticalSection.KERNEL32(004CE7BC), ref: 00317EC5
DialogBoxParamW.USER32(000007D0,00000000,00258D40,00000000), ref: 00317EE2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00318094
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 003180C8

Part of subcall function 002E6270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,004C94D0,003303D0,?), ref: 002E6288
Part of subcall function 002E6270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002E62BA

SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00318299
SetEvent.KERNEL32(?,00000000,?,?), ref: 0031834F

Part of subcall function 00324550: DeleteFileW.KERNEL32(?,?,?,?,?,0031837F,?,?,?), ref: 0032457B

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Strings

FILES.7z, xrefs: 00318573
Code returned to Windows by setup:, xrefs: 00318A11
Advinst_Extract_, xrefs: 0031802B, 00318040, 0031804A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDeleteDialogEnterErrorFileHeapLastLeaveParamProcessThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
API String ID: 2923632737-2771609608
Opcode ID: 40a097c9a4c1b4e6b3c06e34784d8a6c0c0a8722a61c6d506eee0110a01924dc
Instruction ID: d9a6a22df78168a4895c74c6d1b4dc8af9fd8cbbb5fe6e2d1dfbb64407d03850
Opcode Fuzzy Hash: 40a097c9a4c1b4e6b3c06e34784d8a6c0c0a8722a61c6d506eee0110a01924dc
Instruction Fuzzy Hash: 2092F330901249DFDB15DFA8CC49BDEFBB4AF09314F1482A9E405AB292DB749E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00325ED0 Relevance: 18.2, APIs: 12, Instructions: 179
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00325F0A
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?), ref: 00325F47
GetCurrentThreadId.KERNEL32 ref: 00325FD2
SetWindowTextW.USER32(?,00000000), ref: 0032605C
GetDlgItem.USER32(?,000003E9), ref: 00326066
SetWindowTextW.USER32(00000000,?), ref: 00326072
GetDlgItem.USER32(?,00000002), ref: 003260DF
SetWindowTextW.USER32(00000000,?), ref: 003260E7

Part of subcall function 0031E3F0: GetDlgItem.USER32(?,00000002), ref: 0031E410
Part of subcall function 0031E3F0: GetWindowRect.USER32(00000000,?), ref: 0031E426
Part of subcall function 0031E3F0: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00325F2A,?,?,?,?,?,?), ref: 0031E43F
Part of subcall function 0031E3F0: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00325F2A,?,?), ref: 0031E44A
Part of subcall function 0031E3F0: GetDlgItem.USER32(00000000,000003E9), ref: 0031E45C
Part of subcall function 0031E3F0: GetWindowRect.USER32(00000000,?), ref: 0031E472
Part of subcall function 0031E3F0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00325F2A), ref: 0031E4B5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
String ID:
API String ID: 127311041-0
Opcode ID: a462cf284e419c8bbaf6be38a56f5aa1e565655ec3ad538bf1497d32c0840bc4
Instruction ID: 0a2f677677b6f868b3d2d50c22523e78d62bbc6f73a83c6c19f7a771b4d82d26
Opcode Fuzzy Hash: a462cf284e419c8bbaf6be38a56f5aa1e565655ec3ad538bf1497d32c0840bc4
Instruction Fuzzy Hash: 4F61ED30905614EFDB22DF69DC49B4ABBB4EF04320F11C269F825AB2E1CB70A904CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002FFF30 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,F026EBDC,?,?,00000000), ref: 002FFF6E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 002FFF91
GetSystemMetrics.USER32(0000000C), ref: 002FFFCC
GetSystemMetrics.USER32(0000000B), ref: 002FFFE2
FreeLibrary.KERNEL32(00000000), ref: 0030000F

Strings

LoadIconMetric, xrefs: 002FFF8B
ComCtl32.dll, xrefs: 002FFF62
Nqt, xrefs: 002FFF91

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LibraryMetricsSystem$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric$Nqt
API String ID: 499052680-347857085
Opcode ID: 5b22459afcdfd874da87e3c06dab552f992910e2ad5ef4810046d4eb46c2a052
Instruction ID: 4e01b63345f62e70a15e410d236591a37731e7ef3913670b9e27209dd2b0523c
Opcode Fuzzy Hash: 5b22459afcdfd874da87e3c06dab552f992910e2ad5ef4810046d4eb46c2a052
Instruction Fuzzy Hash: EE3164B1904259ABDB148F95CD44BAFBFF8EB48761F10423AF915A3281D77989048B94

Uniqueness

Uniqueness Score: -1.00%

Function 003AF7A5 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL(?,00000000,?,003AFB44,004C7D7C,?,00000000,?,00325F5C,?,00000000,00000000,?,?), ref: 003AF7B7
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,00000000,?,003AFB44,004C7D7C,?,00000000,?,00325F5C,?,00000000,00000000), ref: 003AF7CC
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003AF848

Strings

AtlThunk_AllocateData, xrefs: 003AF7DD
AtlThunk_FreeData, xrefs: 003AF822
AtlThunk_DataToCode, xrefs: 003AF80B
atlthunk.dll, xrefs: 003AF7C7
AtlThunk_InitData, xrefs: 003AF7F4

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 5b6bf8fe2cc3093d2887332ebee2ad5d09809a0933996d5a0fab5752b110ddd9
Instruction ID: 29a9eee3be90cba397e024838afb895f89bf4aad0ea56f588bf64c7444c2de34
Opcode Fuzzy Hash: 5b6bf8fe2cc3093d2887332ebee2ad5d09809a0933996d5a0fab5752b110ddd9
Instruction Fuzzy Hash: 9201C430644301AFCB125B909C02FA93BAC8F03B48F251079BC067B2E2DA9D9904859D

Uniqueness

Uniqueness Score: -1.00%

Function 002FA1C0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 249
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,F026EBDC), ref: 002FA404
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 002FA414
RegCloseKey.ADVAPI32(00000000), ref: 002FA45D

Strings

Nqt, xrefs: 002FA414
Advapi32.dll, xrefs: 002FA3FF
RegOpenKeyTransactedW, xrefs: 002FA40E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW$Nqt
API String ID: 4190037839-1778486245
Opcode ID: b6ed7a07e7ff4699534837fb6dc0e3936655ecf3d88fff551a550503ebf7fcaa
Instruction ID: c5cdaeab4264149672f71eace357755301bd5b0b94112a704841ce501a2e994d
Opcode Fuzzy Hash: b6ed7a07e7ff4699534837fb6dc0e3936655ecf3d88fff551a550503ebf7fcaa
Instruction Fuzzy Hash: 51A18CB0D10749DFDB14CFA8C848BAEFBF4BF44304F148569E909AB291DB74AA54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E8330 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 96
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,F026EBDC,00000000,?,?,?,00000000,003D83F0,000000FF), ref: 002E8373
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 002E839C
RegCreateKeyExW.KERNEL32(?,002FA4EF,00000000,00000000,00000000,003D83F0,00000000,00000000,003D83F0,F026EBDC,00000000,?,?,?,00000000,003D83F0), ref: 002E83E9
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,003D83F0,000000FF), ref: 002E83FC

Strings

Nqt, xrefs: 002E839C
Advapi32.dll, xrefs: 002E836E
RegCreateKeyTransactedW, xrefs: 002E8396

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW$Nqt
API String ID: 1765684683-2173346407
Opcode ID: cbc1111b73ee14f9a30ec15ba0c8cc942e30b93d1967a1e5926cc24bfaee7959
Instruction ID: cffd09f78e52f7674920cf204039f34ff0e6d3444990492f0d106afa9ec3e233
Opcode Fuzzy Hash: cbc1111b73ee14f9a30ec15ba0c8cc942e30b93d1967a1e5926cc24bfaee7959
Instruction Fuzzy Hash: 6531B43265424AEFDB248F45DC45FABB7A8FB48B50F10416AF919D72C0EB71A810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00316980 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 003167F0: GetTickCount.KERNEL32 ref: 00316874
Part of subcall function 003167F0: __Xtime_get_ticks.LIBCPMT ref: 0031687C
Part of subcall function 003167F0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003168C6

Part of subcall function 0033AC30: GetUserNameW.ADVAPI32(?,?), ref: 0033ACC5
Part of subcall function 0033AC30: GetLastError.KERNEL32 ref: 0033ACCB
Part of subcall function 0033AC30: GetUserNameW.ADVAPI32(?,?), ref: 0033AD13
Part of subcall function 0033AC30: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0033AD49
Part of subcall function 0033AC30: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 0033AD93

__Init_thread_footer.LIBCMT ref: 00316AB1
GetCurrentProcess.KERNEL32(00000008,?,F026EBDC), ref: 00316CA8
OpenProcessToken.ADVAPI32(00000000), ref: 00316CAF

Strings

L, xrefs: 00316AFE
\/:*?"<>|, xrefs: 00316A71
L, xrefs: 00316A76

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: EnvironmentNameProcessUserVariable$CountCurrentErrorInit_thread_footerLastOpenTickTokenUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
String ID: \/:*?"<>|$L$L
API String ID: 1521599615-1782159389
Opcode ID: 4d29c3a8a7edcbf6f56befaf90180dcb591d9cd38f94e4e2a68998744e165841
Instruction ID: ca64a2c6793e83afdcd504e042713c5470aca2f524bf3be2578b17039216e8cf
Opcode Fuzzy Hash: 4d29c3a8a7edcbf6f56befaf90180dcb591d9cd38f94e4e2a68998744e165841
Instruction Fuzzy Hash: 11B1F171D00248CFDB15DFA9C845BEEBBB0EF19304F24826DE815AB292DB746E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E4B90 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002E4B90: GetModuleFileNameW.KERNEL32(00000000,?,00000104,F026EBDC,00000000,?,00413F86,000000FF), ref: 002E4AD8

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

FreeLibrary.KERNEL32(00000001,F026EBDC,?,00000001,?,?,?), ref: 002E4D27
EnterCriticalSection.KERNEL32(004C946C), ref: 002E4D42
DestroyWindow.USER32(00000000), ref: 002E4D60
LeaveCriticalSection.KERNEL32(004C946C), ref: 002E4DA9

Strings

.local, xrefs: 002E4B44
%s%lu, xrefs: 002E4C0D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalInit_thread_footerSection$DestroyEnterFileFreeHeapLeaveLibraryModuleNameProcessWindow
String ID: %s%lu$.local
API String ID: 3496055493-548699545
Opcode ID: 51515555d6a2eda91b16af20af84bdf0b3b763fb952b637a9bb99ce191074cf3
Instruction ID: 15a354d55ca9ef3ce7e05b30e644e70f881c9558768e23eda93c9a89bafa84b5
Opcode Fuzzy Hash: 51515555d6a2eda91b16af20af84bdf0b3b763fb952b637a9bb99ce191074cf3
Instruction Fuzzy Hash: 5A91FE71A016419FDB20EF5AC848B6EBBF4FF05314F54856EE816AB391CB74AC04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003400A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(004252BD,-00000400,?,00000002,00000400,F026EBDC,?,?,?), ref: 00340146
GetLastError.KERNEL32(?,?), ref: 00340154
ReadFile.KERNEL32(004252BD,00000000,00000400,?,00000000,?,?), ref: 0034016F

Strings

ADVINSTSFX, xrefs: 003401A3, 0034025E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: 576834ea8f91bcb107f21708ef38cfed795d6c9eaf2cba67fc2dccac67b5d71f
Instruction ID: e525b77a0664b1ee22c889cf0920509a91aa5e083bcbbd1f4e6d33cab93fa7ed
Opcode Fuzzy Hash: 576834ea8f91bcb107f21708ef38cfed795d6c9eaf2cba67fc2dccac67b5d71f
Instruction Fuzzy Hash: 2861D471B002099BDB0ACFA4CC85BBEB7F5FF45310F254665EA15AB281D770AD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00306B40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00301C70: __Init_thread_footer.LIBCMT ref: 00301D42

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,F026EBDC,00000000,00000000,?), ref: 00306B95
GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?), ref: 00306C5C
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00306CFF
CopyFileW.KERNEL32(?,?,00000000), ref: 00306D21
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00306D4D

Strings

shim_clone, xrefs: 00306C56

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Wow64$FileRedirection$CopyDisableFolderInit_thread_footerNamePathRevertTemp
String ID: shim_clone
API String ID: 1326775856-3944563459
Opcode ID: 12b3b320792a5fb3c0ab6079a9ffebec8b461c063b220340b0656b00861967cf
Instruction ID: 9f482e160ba60044e47e1471132c35a132a075746b98556f699679ba2cf959f7
Opcode Fuzzy Hash: 12b3b320792a5fb3c0ab6079a9ffebec8b461c063b220340b0656b00861967cf
Instruction Fuzzy Hash: 246134B0A012489FDF25DB24CC56BAAB7B4EF14300F5480ADE545972D2EB349E84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001F8DA1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,00000024), ref: 001F8E40
GetWindowLongW.USER32(?,000000FC), ref: 001F8E55
CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 001F8E6B
GetWindowLongW.USER32(?,000000FC), ref: 001F8E85
SetWindowLongW.USER32(?,000000FC,?), ref: 001F8E95

Strings

$, xrefs: 001F8DE9

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 20172f6e89e77e162f6b5ea03236e31e85d2ee4a94d7414073c6392e9a9662af
Instruction ID: 517818e2070d9e4664e9ca8b4eb60d5b3f33ff76c4ff38dcc113dfb716f7cc1e
Opcode Fuzzy Hash: 20172f6e89e77e162f6b5ea03236e31e85d2ee4a94d7414073c6392e9a9662af
Instruction Fuzzy Hash: 37410271108704AFC764DF19C884A1BBBF9FF88720F504A2DF69A836A1C771E8448F51

Uniqueness

Uniqueness Score: -1.00%

Function 0031E3F0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 0031E410
GetWindowRect.USER32(00000000,?), ref: 0031E426
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00325F2A,?,?,?,?,?,?), ref: 0031E43F
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00325F2A,?,?), ref: 0031E44A
GetDlgItem.USER32(00000000,000003E9), ref: 0031E45C
GetWindowRect.USER32(00000000,?), ref: 0031E472
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,00325F2A), ref: 0031E4B5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: a96198f560b383c11ebc29d9e643aa2991358ad3e398284fc8142e76dc800a85
Instruction ID: b56ff8d838c45317e3575585102c369caf7cbf6c99d50dbebd73513804fc9070
Opcode Fuzzy Hash: a96198f560b383c11ebc29d9e643aa2991358ad3e398284fc8142e76dc800a85
Instruction Fuzzy Hash: A8215A71608300AFE344DF35DC49E6A7BE8EF8C714F008668F889D7291E730E9818B5A

Uniqueness

Uniqueness Score: -1.00%

Function 002FCF10 Relevance: 9.2, APIs: 6, Instructions: 234COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,F026EBDC,?,?,?), ref: 002FCF5B
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00453B3C,00000001,?,?,?,?,?,003D842D,000000FF,?,8000000B), ref: 002FD01A
GetLastError.KERNEL32(?,?,?,?,003D842D,000000FF,?,8000000B), ref: 002FD028

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 13efed0863261426c287caf8f809d2d59dfc910a3d846a4d62d0bdf3c3ff7852
Instruction ID: fe08f6a9022283eee66beb70c91ae1b75ca0b7d8cf62249e0f50768e849909a7
Opcode Fuzzy Hash: 13efed0863261426c287caf8f809d2d59dfc910a3d846a4d62d0bdf3c3ff7852
Instruction Fuzzy Hash: 8E81F331A006099FDB10DFA8C885BAEFBF5EF15360F204269E914A72D1DB759A18CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00326110 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 0032618D
GetLastError.KERNEL32 ref: 0032619A
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 003261C3
GetExitCodeThread.KERNEL32(00000000,?), ref: 003261DD
TerminateThread.KERNEL32(00000000,00000000), ref: 003261F5
CloseHandle.KERNEL32(00000000), ref: 003261FE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 113159ff0d91f3cafc6ed2a8499aa1f6f05135005b45aa6e7407c53c6edbad29
Instruction ID: 4ee9d23a3e436e941ff13ac208f5b74bcc182c4b838ee4727a0f1926e782c8aa
Opcode Fuzzy Hash: 113159ff0d91f3cafc6ed2a8499aa1f6f05135005b45aa6e7407c53c6edbad29
Instruction Fuzzy Hash: 2A31D770900719ABDF11DF94DD09BDEBBB8FB08714F104229E910B62D0DB79AA15CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00307070 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,0041FE45,F026EBDC,?,?,00000000,?,?,00000000,0041FE45,000000FF,?,80004005,F026EBDC,?), ref: 003070D5
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,00000000,?,?,00000000,0041FE45,000000FF,?,80004005,F026EBDC,?), ref: 00307123

Strings

\VarFileInfo\Translation, xrefs: 00307157
\StringFileInfo\%04x%04x\%s, xrefs: 0030718D
ProductName, xrefs: 00307183

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: 24f8d735f76e4014e4c9d1d616be8803365cd128a60c6b2eaffaf096877d4d39
Instruction ID: d136c02e97adfc40e56d10eac406bc1c42a15984d8c228ca929574aa1ef297e7
Opcode Fuzzy Hash: 24f8d735f76e4014e4c9d1d616be8803365cd128a60c6b2eaffaf096877d4d39
Instruction Fuzzy Hash: CA61EE71D061499FCB15DFA8C858AAEB7B8FF15310F15856AF811E72D1EB30AD04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00342040 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00342091
EndDialog.USER32(00000000,00000001), ref: 003420A0

Strings

P+ , xrefs: 00342079
0'4, xrefs: 00342072
z+4, xrefs: 00342080

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DialogWindow
String ID: 0'4$P+ $z+4
API String ID: 2634769047-1308684382
Opcode ID: a4fa21d688c1d584a067da38e02a84087510777b7bce37bd56b428fffb78319b
Instruction ID: 39b81fff5b502b4a1a8e2f36318308d7b74017bb972ec2e302ae2657d123cc2d
Opcode Fuzzy Hash: a4fa21d688c1d584a067da38e02a84087510777b7bce37bd56b428fffb78319b
Instruction Fuzzy Hash: B5518830A01B45DFD711CF69C948B8AFBF4FF49310F1486A9E449EB2A1E775AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00306F60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00306B40: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,F026EBDC,00000000,00000000,?), ref: 00306B95
Part of subcall function 00306B40: GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?), ref: 00306C5C

GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,F026EBDC,00000000,?,?,00000000,00419775,000000FF,Shlwapi.dll,00306F16,?,?,?), ref: 00306FAD
GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 00306FD9
GetLastError.KERNEL32(?,?), ref: 0030701E
DeleteFileW.KERNEL32(?), ref: 00307031

Strings

Shlwapi.dll, xrefs: 00306F60, 00306F98

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastNamePathSizeTemp
String ID: Shlwapi.dll
API String ID: 1346648681-1687636465
Opcode ID: 5ec398ca63ef8bedd732dcdc5646246429f74405a2c89c806831c1b2040c294a
Instruction ID: 67bfea540a92b507fe669fdccdda393b12125afb13b69f5c62ae4283289ddd5f
Opcode Fuzzy Hash: 5ec398ca63ef8bedd732dcdc5646246429f74405a2c89c806831c1b2040c294a
Instruction Fuzzy Hash: 3C3172B1D05209AFDB15CFA5DD54FEEFBB8EF08350F14422AE905A3681DB35A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00341610 Relevance: 7.7, APIs: 5, Instructions: 167threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,F026EBDC,00000000,?,?,?,?,?,?,?,00000000,0042574D,000000FF), ref: 00341650
CreateThread.KERNEL32 ref: 00341686
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0034178F
GetExitCodeThread.KERNEL32(00000000,?), ref: 0034179A
CloseHandle.KERNEL32(00000000), ref: 003417BA

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CreateThread$AllocCloseCodeEventExitHandleHeapObjectSingleWait
String ID:
API String ID: 3988410809-0
Opcode ID: 72909075dc16816959f2e568378171ddc913fee1a725f8a38fdcde1310991683
Instruction ID: 0b7a39639e489fbbe17f06dc7318ce9cfc9f4588c9de837ae9ffeca32b31c5f5
Opcode Fuzzy Hash: 72909075dc16816959f2e568378171ddc913fee1a725f8a38fdcde1310991683
Instruction Fuzzy Hash: D0515975A00B099FCB14CF69C884BAABBF4FF48714F258669E916AB791D730B940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002FD7E0 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 002FD801
PeekMessageW.USER32(?,00000000), ref: 002FD847
TranslateMessage.USER32(00000000), ref: 002FD852
DispatchMessageW.USER32(00000000), ref: 002FD859
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 002FD86B

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: 2c7d74b2d9f920556ca9569774b1bd29dbe1c20d5792d22eeed814dd0bdade59
Instruction ID: 46490782cdd88959d45a22f9c86a8327018e9b49e580bfdb434b4729a4928d8a
Opcode Fuzzy Hash: 2c7d74b2d9f920556ca9569774b1bd29dbe1c20d5792d22eeed814dd0bdade59
Instruction Fuzzy Hash: CF11067164430A7BE610CB519C81FB6B7DCEB897B0F500636FA14E62C0E670E9468B65

Uniqueness

Uniqueness Score: -1.00%

Function 0031EEE0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,F026EBDC,?,00000010,?), ref: 0031F1AA

Part of subcall function 002FE790: GetCurrentProcess.KERNEL32 ref: 002FE7D8
Part of subcall function 002FE790: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 002FE7E5
Part of subcall function 002FE790: GetLastError.KERNEL32 ref: 002FE7EF
Part of subcall function 002FE790: FindCloseChangeNotification.KERNEL32(00000000), ref: 002FE8D0

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

Strings

[WindowsVolume], xrefs: 0031EF70, 0031EF82, 0031EF8C
\\?\, xrefs: 0031F1B7
Extraction path set to:, xrefs: 0031F1FD

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Process$FindInit_thread_footer$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 2914359614-3538578949
Opcode ID: b34785111e065ea62f5398713ab67e4fc55cb7380824f671039357e4c21830db
Instruction ID: 6e17265bef8d8abc4ef18ebd7fc527effa68824ba4d87560bf328a428628b9e8
Opcode Fuzzy Hash: b34785111e065ea62f5398713ab67e4fc55cb7380824f671039357e4c21830db
Instruction Fuzzy Hash: D6C1F3309006499FDB15DF68C884BEEF7B5EF48314F1582A9E815AB2A2DB70DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00304B10 Relevance: 6.3, APIs: 4, Instructions: 279COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000000,?,00000100), ref: 00304C0C
LoadStringW.USER32(?,00000000,?,00000001), ref: 00304CA0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 87fb05cb4102311403e5b6a59c4974eefac43812eef0c2099c23d01df0e51f6f
Instruction ID: abcd0f1ef8604ab96076bde64546aaabe09c930e3d171d3ff5749acc3a71fb64
Opcode Fuzzy Hash: 87fb05cb4102311403e5b6a59c4974eefac43812eef0c2099c23d01df0e51f6f
Instruction Fuzzy Hash: AEB1A2B1D01248EFDB05CFA8D955BEEFBB5FF44310F14822AE911A7691DB746A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003164F0 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,F026EBDC,?,00000010,?,00319EF0,?), ref: 00316556
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 0031659F
ReadFile.KERNEL32(00000000,F026EBDC,?,?,00000000,00000078,?), ref: 003165E1
FindCloseChangeNotification.KERNEL32(00000000), ref: 0031665A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 48c6b1eb66ca72638992549d69f9878242b562b5ac9f679c8ce50e62c199490e
Instruction ID: 05c53045099752efac634bfd770fb6aa34a8fcef03b7a42a3c4e93e45aee477c
Opcode Fuzzy Hash: 48c6b1eb66ca72638992549d69f9878242b562b5ac9f679c8ce50e62c199490e
Instruction Fuzzy Hash: C251BD70900609ABDB15CFA8CC89BEEFBB8EF09724F148259E411AB2D1DB749D44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0031E380 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0031E389
DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D0D0,000000FF), ref: 0031E398
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 0031E3B6
IsWindow.USER32(?), ref: 0031E3C5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 6766850448db35230fbc8ed50d8e85af2eda4f52ab992d01386b638976ba5f75
Instruction ID: bc8463a5ec4789c0d20b3b346115c52ea250ff2a19784ea43f0f30f3f92f3abd
Opcode Fuzzy Hash: 6766850448db35230fbc8ed50d8e85af2eda4f52ab992d01386b638976ba5f75
Instruction Fuzzy Hash: 69F0E230105B509BD3799B28EE08F42BBE46B48B00F011D1DE49687990C3B1F880CF28

Uniqueness

Uniqueness Score: -1.00%

Function 002FCB90 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 345COMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

PathIsUNCW.SHLWAPI(?,?), ref: 002FCD26

Strings

\\?\, xrefs: 002FCD08, 002FCD0E
\\?\UNC\, xrefs: 002FCC21, 002FCC99, 002FCC9F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 806983814-3019864461
Opcode ID: 29cce60c67ae1e074760d59821e4710f35e493211265dc3ccba203488355fd77
Instruction ID: 38fa6b00e495739cb42318bb92be05f4686cf01e3fe77c4b23f679891e1a442a
Opcode Fuzzy Hash: 29cce60c67ae1e074760d59821e4710f35e493211265dc3ccba203488355fd77
Instruction Fuzzy Hash: 97C1BD71A1060E9FDB00DBA8C945BAEFBB8FF48350F248269E515E72D1DB74A914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003AF855 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 003AF85E
RtlEncodePointer.NTDLL(00000000,?,003AF7E8,00000000,AtlThunk_AllocateData,004C7D78,?,003AFB44,004C7D7C,?,00000000,?,00325F5C,?,00000000,00000000), ref: 003AF86D

Strings

Nqt, xrefs: 003AF85E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressEncodePointerProc
String ID: Nqt
API String ID: 1846120836-806837294
Opcode ID: 38e25e8e8052e60138e51d1265ab41aaca25b16d5b1483d5aa58e6c1c17a6edc
Instruction ID: 081e050864cad4214278055edc463c8319695df734d0d97c3deaef3ff87a77fc
Opcode Fuzzy Hash: 38e25e8e8052e60138e51d1265ab41aaca25b16d5b1483d5aa58e6c1c17a6edc
Instruction Fuzzy Hash: 11D0A93414030CAFCF410FB2EC0889A3BADFF0A31570090A8F80CC7220DB369422AF20

Uniqueness

Uniqueness Score: -1.00%

Function 00351F40 Relevance: 4.7, APIs: 3, Instructions: 212synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 003525A0: OpenEventW.KERNEL32(00000000,00000000,F026EBDC,_pbl_evt,00000008,?,?,0045B480,00000001,F026EBDC,00000000), ref: 0035264E
Part of subcall function 003525A0: CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 0035266B

WaitForSingleObject.KERNEL32(00000000,00000000,00000001,F026EBDC,?,00000000), ref: 00351F8E
ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004276C9,000000FF), ref: 00351FA3

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Event$CreateObjectOpenResetSingleWait
String ID:
API String ID: 2109722436-0
Opcode ID: 3d1c07997fc25303aaf08a720051334560de7d42dd55be156aabdd0694af9218
Instruction ID: 24af6fac98b177813420881a1b06e9458671b062adb5b426aa17d427f4931814
Opcode Fuzzy Hash: 3d1c07997fc25303aaf08a720051334560de7d42dd55be156aabdd0694af9218
Instruction Fuzzy Hash: 9F81E271D10244DFDB05CFA8CC45B9EBBB0FF56314F24825DE904AB2A2D775AA86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003CA1EC Relevance: 4.7, APIs: 3, Instructions: 202COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 003CA39B

Part of subcall function 003C8247: RtlAllocateHeap.NTDLL(00000000,00000000,003C5FF3,?,003CA198,?,00000000,?,003B9D85,00000000,003C5FF3,?,?,?,?,003C5DED), ref: 003C8279

__freea.LIBCMT ref: 003CA3B0
__freea.LIBCMT ref: 003CA3C0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 9c9abc2544823b1f347aa9b09848112d48465682feaf34c7f87c2fc0d9d7ca0f
Instruction ID: 588323a23cad40db3186a4fa1bb4c5cb3de98705d4f27877dcc95b0f278b8ab7
Opcode Fuzzy Hash: 9c9abc2544823b1f347aa9b09848112d48465682feaf34c7f87c2fc0d9d7ca0f
Instruction Fuzzy Hash: CB51D07260066EAFEB279EA0DC41FBB3BA9EF44718B16052DFD08DA150EB31CC109761

Uniqueness

Uniqueness Score: -1.00%

Function 00321F00 Relevance: 4.7, APIs: 3, Instructions: 192fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,F026EBDC,?,?), ref: 00321F67
ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00322074

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 1d62dffcaee15cac601e9576a65a82be60f14c6e99e0fbfdcb6f9a22d98c1199
Instruction ID: 9724d38b5bc2b054a3fc8ed72380f447d9c158d3725ea8800371fc72cd61b59a
Opcode Fuzzy Hash: 1d62dffcaee15cac601e9576a65a82be60f14c6e99e0fbfdcb6f9a22d98c1199
Instruction Fuzzy Hash: 5D616E71D00609AFDB05CFA8DD45B9DFBB4FF09320F10826AE925A7790DB75AA14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0031F2C0 Relevance: 4.7, APIs: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,F026EBDC,?,00000000,?,80004005,?,00000000), ref: 0031F35E
GetLastError.KERNEL32 ref: 0031F396
GetLastError.KERNEL32(?), ref: 0031F42F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: daafb5bf099de41ae44c4abbe4da244bb6c7e0980e088700cd739f3998a9e721
Instruction ID: d0e9caf1a9fa4af577ece1c0a437a5ac85454735f8fab923fe1cf2f9ddf8b05f
Opcode Fuzzy Hash: daafb5bf099de41ae44c4abbe4da244bb6c7e0980e088700cd739f3998a9e721
Instruction Fuzzy Hash: F651E171A00B069FDB25DF69C845BAAF7B1FF48320F108679E529973D1EB31A940CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0034F2E0 Relevance: 4.7, APIs: 3, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00350324,40000000,00000001,00000000,00000002,00000080,00000000,F026EBDC,?,00000001), ref: 0034F342
WriteFile.KERNEL32(00000000,0000C800,0000C800,0000C800,00000000,?,0000C800), ref: 0034F3D8
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 0034F44C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: de8c2e9d58c85dc17181d30e495feb01420170a7b6f83ddca88102748b27f1cf
Instruction ID: 617a24a20b87b20e0188553500178e42386d090eec6eecea94026223dd4b8db3
Opcode Fuzzy Hash: de8c2e9d58c85dc17181d30e495feb01420170a7b6f83ddca88102748b27f1cf
Instruction Fuzzy Hash: AE518E71A10218AFDF05DFA9DD45BDEBBF8FF44310F144229F410AB290DB74A9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 002FAD60 Relevance: 4.6, APIs: 3, Instructions: 142fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,F026EBDC), ref: 002FADD0
DeleteFileW.KERNEL32(?,?,00000000,0000002A,00000000,?,F026EBDC), ref: 002FAE6A
FindNextFileW.KERNEL32(?,?), ref: 002FAEAB

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$Delete$FindNext
String ID:
API String ID: 1410743141-0
Opcode ID: d440c415e404a426a757fa17af0f3348900f8f4fcde9223d8108e4e90de02bfe
Instruction ID: 930bf96273ce770a3a79b1b33f4338a54e016c03e8f7692cb83b99c3c45a6ae5
Opcode Fuzzy Hash: d440c415e404a426a757fa17af0f3348900f8f4fcde9223d8108e4e90de02bfe
Instruction Fuzzy Hash: 1151BE74A112198FCF24DF18C998BADF7B9EF08350F1442B9E91DAB281DB309E50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00200EF0 Relevance: 4.6, APIs: 3, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 00200EF7
GetWindowTextW.USER32(?,?,00000001), ref: 00200F28
DeleteDC.GDI32(?), ref: 00200FAF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: TextWindow$DeleteLength
String ID:
API String ID: 1151112070-0
Opcode ID: fd7316af5ab6ee3d3d20f38cb22a93441af58f26d8c4afc924651e6c54cf7beb
Instruction ID: 58db7b082ab71901e5f718518098ea75c9d0cdc3ee99023239f8b726b8d1b180
Opcode Fuzzy Hash: fd7316af5ab6ee3d3d20f38cb22a93441af58f26d8c4afc924651e6c54cf7beb
Instruction Fuzzy Hash: 69218E313056419FDB24CF69D888F59BBE9EF89711F10416DF915C77A1DB31AC109B14

Uniqueness

Uniqueness Score: -1.00%

Function 0031E180 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0031DAE1), ref: 0031E180
EnableWindow.USER32(?,00000000), ref: 0031E211
DestroyWindow.USER32(00000000,?,00000000), ref: 0031E237

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$DestroyEnableErrorLast
String ID:
API String ID: 2755773105-0
Opcode ID: 55b38b44d7294e184e3a64cbb0c5e5b5e0546853abde2cb87a35aa5c1fd1f837
Instruction ID: 26557f00ce0dfaa8ad65d5e10005e386a1eca46ff2c6b6c2a7769540955642c3
Opcode Fuzzy Hash: 55b38b44d7294e184e3a64cbb0c5e5b5e0546853abde2cb87a35aa5c1fd1f837
Instruction Fuzzy Hash: 122136716002099BD725AF08EC01BEA7798EB58321F000626FC15CB691D776ECA1CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 003BB563 Relevance: 4.5, APIs: 3, Instructions: 15COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,003BB55D,?,003B50F2,?,?,F026EBDC,003B50F2,?), ref: 003BB574
TerminateProcess.KERNEL32(00000000,?,003BB55D,?,003B50F2,?,?,F026EBDC,003B50F2,?), ref: 003BB57B
ExitProcess.KERNEL32 ref: 003BB58D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 36e2d3728ea7b1199ed1dab96a37f68c9dcd474c61f1891e7b3d75d3c3f14c9e
Instruction ID: 3f0d2a940d0645389fc8c920bfaf4d116228442c7694cd44fe2626c514d5c9fa
Opcode Fuzzy Hash: 36e2d3728ea7b1199ed1dab96a37f68c9dcd474c61f1891e7b3d75d3c3f14c9e
Instruction Fuzzy Hash: 28D09E31000608AFCF522F61DC0D89EFF2AEF45355B055165BA0549431CFB1D952DB55

Uniqueness

Uniqueness Score: -1.00%

Function 002FD360 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,F026EBDC), ref: 002FD500

Part of subcall function 002FD5C0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 002FD5CD

Strings

USERPROFILE, xrefs: 002FD3AE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 1777821646-2419442777
Opcode ID: 4dd8aed0b14a21542abcaf80031cd96fbafc416fa7b09dfe47ec2440d9ad72aa
Instruction ID: 3bdc0d196b4deaa86366e05671ee85499621ad282a6ab15bc21321ddb0ab5e00
Opcode Fuzzy Hash: 4dd8aed0b14a21542abcaf80031cd96fbafc416fa7b09dfe47ec2440d9ad72aa
Instruction Fuzzy Hash: 6F610D71A0060A9FDB14DFA8C859BAEF7B5FF44314F10866DE916DB391DB30A900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003B4C57 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

FlsAlloc.KERNEL32(?,003B1BB6,003B1AB9,003B3D4F), ref: 003B4C85

Strings

FlsAlloc, xrefs: 003B4C5B, 003B4C65

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 1b54dad6ed95bd0c84eba5ad71a34bb7ae51294cfa95801efbb975009b89989c
Instruction ID: 8dbde8a86066b6521a6a2e405ca94760db5d05463bc96f7d68ce6c098dffdb93
Opcode Fuzzy Hash: 1b54dad6ed95bd0c84eba5ad71a34bb7ae51294cfa95801efbb975009b89989c
Instruction Fuzzy Hash: F6D0C232A8173563CA01B6806C03BBBBF08C700FA2F0011A2FA08551D299E64C0046CC

Uniqueness

Uniqueness Score: -1.00%

Function 00324550 Relevance: 3.2, APIs: 2, Instructions: 201fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,0031837F,?,?,?), ref: 0032457B
CloseHandle.KERNEL32(?,F026EBDC,?,00000000,?,?,?), ref: 0032465B

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CloseDeleteFileHandle
String ID:
API String ID: 2633145722-0
Opcode ID: cdad10d6a753a6dfe610651635d3ab585b48784c8bc73b44d15a6e453eaff9d7
Instruction ID: fcac70ef43cbfff24e29e81b5b560cd92a25afb921e3ebc7c42b3883ae35af6a
Opcode Fuzzy Hash: cdad10d6a753a6dfe610651635d3ab585b48784c8bc73b44d15a6e453eaff9d7
Instruction Fuzzy Hash: 1051F372A006659FDB11CF68D884B9AFBA4FF05714F158269E9249F781D734A900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003CFF9D Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 003CFACA: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 003CFAF5

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,003CFDE1,?,00000000,?,?,?), ref: 003CFFFE
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,003CFDE1,?,00000000,?,?,?), ref: 003D0040

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 7156c1feafc4950ed8df7c4e5648dbd632c6a2bb3fb67d841bc8930a50690614
Instruction ID: 65f09f157cf8111ad1c5979b4d933357ead5c3bc21eb83de64ca9ec1dc834982
Opcode Fuzzy Hash: 7156c1feafc4950ed8df7c4e5648dbd632c6a2bb3fb67d841bc8930a50690614
Instruction Fuzzy Hash: A7513176E00344AEDB2ACF35D880BABBBF5EF81700F19416FD0968B251D7759946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0029F120 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 0029F16A
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 0029F177

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 9784779531a47f1739b483ac5c6d670f4dcd508f22af7ba4f7c086c8e54338d1
Instruction ID: 43f3f4d4302648855dc6851633e66088ca0aa1847bb79813fce7448c6ed8f364
Opcode Fuzzy Hash: 9784779531a47f1739b483ac5c6d670f4dcd508f22af7ba4f7c086c8e54338d1
Instruction Fuzzy Hash: 1A31C070904A89EFCB00DF65C904B8EFBF4BF11314F108669D45897691CBB46A18CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00300920 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002FFF30: LoadLibraryW.KERNEL32(ComCtl32.dll,F026EBDC,?,?,00000000), ref: 002FFF6E
Part of subcall function 002FFF30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 002FFF91
Part of subcall function 002FFF30: FreeLibrary.KERNEL32(00000000), ref: 0030000F

Part of subcall function 002FFF30: GetSystemMetrics.USER32(0000000C), ref: 002FFFCC
Part of subcall function 002FFF30: GetSystemMetrics.USER32(0000000B), ref: 002FFFE2

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00300964
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0030096F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LibraryMessageMetricsSendSystem$AddressFreeLoadProc
String ID:
API String ID: 1118950307-0
Opcode ID: aeb9b3402a966d5c3bfd15e7effc4667b466cf19c6373d1b8775ed55245974c8
Instruction ID: 5854f4fb039f93936070690a4e5e47987c0e45c65623de881ee878d022ca757d
Opcode Fuzzy Hash: aeb9b3402a966d5c3bfd15e7effc4667b466cf19c6373d1b8775ed55245974c8
Instruction Fuzzy Hash: 82F0A0317A521C37F66021591C03F27B64CDB81BA8F104276FB88AB7C2ECC63C1106D8

Uniqueness

Uniqueness Score: -1.00%

Function 003C9F58 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,003CA2DA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 003C9F8C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,003CA2DA,?,?,00000000,?,00000000), ref: 003C9FAA

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c73419e92c1ec7a2e86a32c9d208075bb25bc0b1b165c5bb107ac41f18ac57d4
Instruction ID: 9dfb1a6f8cad3a6dcf695bf4d2c288c6d66f875ec1ef686e7a73bd8135eb9d77
Opcode Fuzzy Hash: c73419e92c1ec7a2e86a32c9d208075bb25bc0b1b165c5bb107ac41f18ac57d4
Instruction Fuzzy Hash: 64F0683240421ABBCF135F90DC09EDE7F26EB48361B0A4119FE18A5020CB36D871AB98

Uniqueness

Uniqueness Score: -1.00%

Function 003C820D Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,003D1120,?,00000000,?,?,003D13C1,?,00000007,?,?,003D1813,?,?), ref: 003C8223
GetLastError.KERNEL32(?,?,003D1120,?,00000000,?,?,003D13C1,?,00000007,?,?,003D1813,?,?), ref: 003C822E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: f8d7474f146b16a8bc62ea7372e5042714f017831e7136b1355c33198472ecce
Instruction ID: 82927b6df666d0205e733c7036add8e9b208b326fecd61d9648c4cc46ba75ed9
Opcode Fuzzy Hash: f8d7474f146b16a8bc62ea7372e5042714f017831e7136b1355c33198472ecce
Instruction Fuzzy Hash: 56E08632100B14ABCB122FA5AC0DFA57A689B40355F124038F708DA160DF3099408794

Uniqueness

Uniqueness Score: -1.00%

Function 003B1BAC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 003B4C57: FlsAlloc.KERNEL32(?,003B1BB6,003B1AB9,003B3D4F), ref: 003B4C85

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003B1BCA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 003B1BD5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AllocValue___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1208342256-0
Opcode ID: cd1c0b74067d46ff05983154ab1a9d916c5037beb2f5f7d03bfd3bdbcc4be35b
Instruction ID: be9d130723213108735e8de163724d4f8d1ebec4fa1e3296decd4aacf3d97702
Opcode Fuzzy Hash: cd1c0b74067d46ff05983154ab1a9d916c5037beb2f5f7d03bfd3bdbcc4be35b
Instruction Fuzzy Hash: B5D0A928158200588C0AA3B12833ADA27889802B7C3F1064EE3209ADC3FF1880416119

Uniqueness

Uniqueness Score: -1.00%

Function 002E6270 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,004C94D0,003303D0,?), ref: 002E6288
MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002E62BA

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 09e811f1100fc6613b82abcbd7a5505f39ce312b43fb01564e8d93a93d3691ea
Instruction ID: 9be28d78ccb8f1381c4f0ef36db8d2500315ed93436caa2f25103cbc1f0c7edf
Opcode Fuzzy Hash: 09e811f1100fc6613b82abcbd7a5505f39ce312b43fb01564e8d93a93d3691ea
Instruction Fuzzy Hash: 3B012631300152AFDA109B5ADC8DF1EF759EFE5361F20412EF7109B2D0CB216C118B94

Uniqueness

Uniqueness Score: -1.00%

Function 003AFABF Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,F026EBDC,?,?,00342007,00000000,F026EBDC,?,00342142), ref: 003AFB03
HeapFree.KERNEL32(00000000,?,00342007,00000000,F026EBDC,?,00342142), ref: 003AFB0A

Part of subcall function 003AF977: GetProcessHeap.KERNEL32(00000000,F026EBDC,?,003AFADD,?,?,?,00342007,00000000,F026EBDC,?,00342142), ref: 003AF98F
Part of subcall function 003AF977: HeapFree.KERNEL32(00000000,?,003AFADD,?,?,?,00342007,00000000,F026EBDC,?,00342142), ref: 003AF996

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 92724dac5ef102d0dbe91fe2e99a9aa9900e5f759add00415f3d68ade0dd64e8
Instruction ID: 3d6e7314c7adf3e3156ab27510bd88513a633fc973aff489cd06eb4b919eb29a
Opcode Fuzzy Hash: 92724dac5ef102d0dbe91fe2e99a9aa9900e5f759add00415f3d68ade0dd64e8
Instruction Fuzzy Hash: C3F0A736104711AFC6362BD4DC19F5BBBB8DF82BA1F16403DF516461608F71A840DAA9

Uniqueness

Uniqueness Score: -1.00%

Function 003CFB9E Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,003CFDED,003CFDE1,00000000), ref: 003CFBD0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 85e129ec4714577d15572fa4907ed34630a4ed70f42e4a1f5e7b0ca39e0a62f8
Instruction ID: e87d71c9a2e3b0fce8dd49adfa8b79cdbc1748867b387f440d94722768d9d397
Opcode Fuzzy Hash: 85e129ec4714577d15572fa4907ed34630a4ed70f42e4a1f5e7b0ca39e0a62f8
Instruction Fuzzy Hash: 8F515771A0425C9FDB228A28CD84FE67BBEEB55704F2445FDE49AC7182C335AD46DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00301B30 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00301DA0: __Init_thread_footer.LIBCMT ref: 00301E16

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

__Init_thread_footer.LIBCMT ref: 00301C10

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
String ID:
API String ID: 984842325-0
Opcode ID: b39c1ac1d4a2cabb307ab1cac4c1093a065f23530e1ccdf196a690cccc3860ee
Instruction ID: 2af6e0fa40cd8be86046799a2676fad337e6717208871219bd88df5774c095ea
Opcode Fuzzy Hash: b39c1ac1d4a2cabb307ab1cac4c1093a065f23530e1ccdf196a690cccc3860ee
Instruction Fuzzy Hash: 8931D171985644EFE766DF15EC92F99B3A1F700714F200629E4164B7D0DBB9B8408B4D

Uniqueness

Uniqueness Score: -1.00%

Function 002FAC80 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 002FAD60: DeleteFileW.KERNEL32(00000000,0000002A,00000000,?,F026EBDC), ref: 002FADD0

RemoveDirectoryW.KERNEL32(00000000,?,F026EBDC,?,?,00000000,F026EBDC,00000000,?,00000000,004179E3,000000FF), ref: 002FACDE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID:
API String ID: 3325800564-0
Opcode ID: 03383aa5b4228193e09d8c37b234196437052c9aaafda2d1948132b5d7e8fd56
Instruction ID: 0272ce6d5beaf803486521f377d0ec438a05c077db400e4cc3ccf851143eefb5
Opcode Fuzzy Hash: 03383aa5b4228193e09d8c37b234196437052c9aaafda2d1948132b5d7e8fd56
Instruction Fuzzy Hash: C321B371900608CFCB24DF58D884AADF7B4FB48720F1546AAED296B382DB349900CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003CA183 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C8247: RtlAllocateHeap.NTDLL(00000000,00000000,003C5FF3,?,003CA198,?,00000000,?,003B9D85,00000000,003C5FF3,?,?,?,?,003C5DED), ref: 003C8279

RtlReAllocateHeap.NTDLL(00000000,00000000,?,003C5FF3,00000000,?,003B9D85,00000000,003C5FF3,?,?,?,?,003C5DED,?,?), ref: 003CA1E0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 48bb12cb01e5964b8ccc7274b7e90a41f1cc116b60fdd84181a049224ae06667
Instruction ID: ba7a5d8521a4bf8ff4edbaccfb028cd59d15314a4f490bd1153e3662221131dd
Opcode Fuzzy Hash: 48bb12cb01e5964b8ccc7274b7e90a41f1cc116b60fdd84181a049224ae06667
Instruction Fuzzy Hash: C0F0683120591966DB233B26AC05F6B37599F82775F2E412DFC24DA190DF30DD4097A2

Uniqueness

Uniqueness Score: -1.00%

Function 00258D40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 001F8CF0: EnterCriticalSection.KERNEL32(004CE7BC), ref: 001F8D2C
Part of subcall function 001F8CF0: GetCurrentThreadId.KERNEL32 ref: 001F8D40
Part of subcall function 001F8CF0: LeaveCriticalSection.KERNEL32(004CE7BC), ref: 001F8D7F

SetWindowLongW.USER32(?,00000004,00000000), ref: 00258D8D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 0cd45a8a1419779d3e59324e1c31f29d93fe999d87333d9158875ebee851e2bd
Instruction ID: 87653a2c95a68b4e23928ffa6ef1f479d438c79832f1381c1fa475e8005abbb5
Opcode Fuzzy Hash: 0cd45a8a1419779d3e59324e1c31f29d93fe999d87333d9158875ebee851e2bd
Instruction Fuzzy Hash: 8BF081326016125F8632AFA89844D6FBBF8DF957A1B004829FA85D7151CB70CC15DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 002E2170 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

__Init_thread_footer.LIBCMT ref: 002E21E2

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: a670e322c0e68b571ae684cdb333a20645a9aedd876400f2153e88d264c6b7d1
Instruction ID: b2679e7e3e34599119a8af76f6294f522520f289528e25f525ade6030e437136
Opcode Fuzzy Hash: a670e322c0e68b571ae684cdb333a20645a9aedd876400f2153e88d264c6b7d1
Instruction Fuzzy Hash: 3E01F7B5944644EBD754DF99EC4AF4973E4E708720F20433EEA1AC77C0DB38AA048B09

Uniqueness

Uniqueness Score: -1.00%

Function 003C97AF Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,003C8004,00000001,00000364,?,00000002,000000FF,?,003B9D85,00000000,003C5FF3,?), ref: 003C97F0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d9341fdaa2cc8922335d46b6cd990f4354f17685d47bdb5da2d84080b9fbb90c
Instruction ID: 32a5d5b4dab9ed3dabde0267e9e6a5a05244d00d4882a55edd8a0c2e15b4f3f3
Opcode Fuzzy Hash: d9341fdaa2cc8922335d46b6cd990f4354f17685d47bdb5da2d84080b9fbb90c
Instruction Fuzzy Hash: 68F054325166256ADB236F229C49F5B7B599B417A0B1B802FAC15EB590CE34DC0047E0

Uniqueness

Uniqueness Score: -1.00%

Function 00301DA0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

Part of subcall function 00301E40: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00301EAE
Part of subcall function 00301E40: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00301EF5
Part of subcall function 00301E40: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00301F14
Part of subcall function 00301E40: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00301F43
Part of subcall function 00301E40: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00301FB8

__Init_thread_footer.LIBCMT ref: 00301E16

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: fcff6ecec592dec29170ede15e9b66117960fbf560649471087b483fc199b75e
Instruction ID: a3f5e3d04e303c59739732101565279b54044c95aed9dc615089eed2c753a6eb
Opcode Fuzzy Hash: fcff6ecec592dec29170ede15e9b66117960fbf560649471087b483fc199b75e
Instruction Fuzzy Hash: 7501F279B40604EBC751DB58D912F69B3A4F704730F100B3AFA268B7C5E73A7D008A55

Uniqueness

Uniqueness Score: -1.00%

Function 0033CBD0 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,F026EBDC,00000000,?,?,00000000,0042487E,000000FF,?,80004005), ref: 0033CC58

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f4a5c35d61af088d8e25403f241e2df01a1393c4917275be2dd77b4b9b5ed08e
Instruction ID: 53f94942234b1d00c238c5cb468eb5b85bf92793cdd560317a8ca79c348b4ae0
Opcode Fuzzy Hash: f4a5c35d61af088d8e25403f241e2df01a1393c4917275be2dd77b4b9b5ed08e
Instruction Fuzzy Hash: 63F0AF71610614BFDB11CF19CC84FABB7ACEB49724F014219F925EB2D0D7B0AD008794

Uniqueness

Uniqueness Score: -1.00%

Function 003C8247 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,003C5FF3,?,003CA198,?,00000000,?,003B9D85,00000000,003C5FF3,?,?,?,?,003C5DED), ref: 003C8279

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1579e765966d7a09f37115073933848a51754a42b0bc2d0ac6945f32aa1da422
Instruction ID: 5197d410f77fdcb6f26e31994fe12379bd7a81efb6d96b2ed0a0a27d0500a9f1
Opcode Fuzzy Hash: 1579e765966d7a09f37115073933848a51754a42b0bc2d0ac6945f32aa1da422
Instruction Fuzzy Hash: E6E0ED33141A2066DA3327269C0CFAA765D9B823A0F2B492DEC00DA4C0DF20CE0083E0

Uniqueness

Uniqueness Score: -1.00%

Function 003C5F5B Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003C5F62

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: fbfc4ddc62519b5eb276e4d98e9d982e2b46643a0b38d4f95806948616ab1917
Instruction ID: b5a8c9b44ae53ef70a016213a5ff3b27a5c361fd63b509987daf7c28d2a7ddac
Opcode Fuzzy Hash: fbfc4ddc62519b5eb276e4d98e9d982e2b46643a0b38d4f95806948616ab1917
Instruction Fuzzy Hash: DCE09A76C4060E9EDB01DFD4C552BEFB7B8AB08704F508126E215EB141EB7897858BA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E4772 Relevance: 145.9, Strings: 115, Instructions: 2113COMMON

Download Yara Rule

Strings

PublishComponent, xrefs: 001E6720
DuplicateFile, xrefs: 001E525D, 001E5C81
InstallFinalize, xrefs: 001E68F7
WriteIniValues, xrefs: 001E60C4
WriteRegistryValues, xrefs: 001E603E
AI_GxInstall, xrefs: 001E6C86
AI_CountRowAction, xrefs: 001E7274
DuplicateFiles, xrefs: 001E5C1B
SelfRegModules, xrefs: 001E6465
200000, xrefs: 001E688D
AI_UserGroups, xrefs: 001E6DA6, 001E6F9A
AI_InstallPostPrerequisite, xrefs: 001E6B06
CreateFolder, xrefs: 001E5623, 001E5769
IniFile, xrefs: 001E4E8B, 001E60E5
5000, xrefs: 001E5D54
RegisterMIMEInfo, xrefs: 001E5FBB
AI_GxUninstall, xrefs: 001E6E7A
WriteEnvironmentStrings, xrefs: 001E614A
AI_InstallPrerequisite, xrefs: 001E6A80
RemoveIniValues, xrefs: 001E4CDF, 001E4E25
AI_UserAccounts, xrefs: 001E6D29, 001E7017
120000, xrefs: 001E4F9E
RegisterClassInfo, xrefs: 001E5E44
File, xrefs: 001E53A3, 001E59F5
RemoveFile, xrefs: 001E54E9
ServiceInstall, xrefs: 001E658E
FileSize, xrefs: 001E5A6F
AI_Game, xrefs: 001E6CAC, 001E6EA0
AI_UninstallTasks, xrefs: 001E6DFD
AppId, xrefs: 001E482D, 001E5E6A
AI_XmlElement, xrefs: 001E6BB2, 001E7111
15000, xrefs: 001E587C, 001E5C4E, 001E5ED4, 001E6601, 001E6810
6000, xrefs: 001E6051
Environment, xrefs: 001E5117, 001E6170
InstallFiles, xrefs: 001E598F
Feature, xrefs: 001E6823
10000, xrefs: 001E670D, 001E7304
Options, xrefs: 001E6AE0, 001E6B66
RegisterFonts, xrefs: 001E61D0
ServiceControl, xrefs: 001E669A
Registry, xrefs: 001E6064
CreateShortcuts, xrefs: 001E5DBE
AI_ProcessGroups, xrefs: 001E6F74
2000, xrefs: 001E6C99, 001E6D16, 001E6D93, 001E6E10, 001E6F87, 001E7004, 001E7081
Location, xrefs: 001E69D4, 001E6A5A
RegisterTypeLibraries, xrefs: 001E63DF
ODBCDataSource, xrefs: 001E6273
MsiAssembly, xrefs: 001E67A6
100000, xrefs: 001E690A
AI_DefaultActionCost, xrefs: 001E72F1
PublishComponents, xrefs: 001E66FA
Patch, xrefs: 001E5B3B
StartServices, xrefs: 001E6674
AI_UninstallAccounts, xrefs: 001E6D03
InstallInitialize, xrefs: 001E687A
InstallServices, xrefs: 001E6568
1800, xrefs: 001E6B9F, 001E70FE
RegisterProgIdInfo, xrefs: 001E5F3E
AI_ProcessAccounts, xrefs: 001E6FF1
MsiPublishAssemblies, xrefs: 001E677B
1500, xrefs: 001E4D12, 001E4E58, 001E6C1C, 001E7184
3000, xrefs: 001E47FA, 001E4940, 001E4A86, 001E4BCC, 001E50E4, 001E5E57, 001E5FCE, 001E63F2, 001E64F5
Component_, xrefs: 001E4D78, 001E4EBE, 001E5004, 001E517E, 001E5290, 001E53D6, 001E567B, 001E579C, 001E58E2, 001E5A28, 001E5CB4, 001E5DF7, 001E6077, 001E60FD, 001E6183, 001E6286, 001E630C, 001E6392, 001E6418, 001E651B, 001E65A1, 001E6622, 001E66AD, 001E6733
1500000, xrefs: 001E657B
RemoveDuplicateFiles, xrefs: 001E51F7
30000, xrefs: 001E60D7, 001E6793
AI_XmlInstall, xrefs: 001E6B8C, 001E6C09
AI_DownloadPrereq, xrefs: 001E6974
8000, xrefs: 001E61E3, 001E6478
500, xrefs: 001E6F05
PublishFeatures, xrefs: 001E67FD
TypeLib, xrefs: 001E6405
MoveFiles, xrefs: 001E5849
ODBCDriver, xrefs: 001E637F
UnregisterProgIdInfo, xrefs: 001E4A53
AI_AppSearchEx, xrefs: 001E6EF7, 001E6F1D
~, xrefs: 001E6AEA
PatchFiles, xrefs: 001E5AD5
20000, xrefs: 001E6687
ODBCTranslator, xrefs: 001E62F9
AI_ChainProductsPseudo, xrefs: 001E71F7
RemoveShortcuts, xrefs: 001E4F6B
ProgId, xrefs: 001E4AD4, 001E5F64
RemoveEnvironmentStrings, xrefs: 001E50B1
AI_ScheduledTasks, xrefs: 001E7094
AI_XmlUninstall, xrefs: 001E70EB, 001E7171
MoveFile, xrefs: 001E58AF
RemoveFolders, xrefs: 001E55BD
CreateFolders, xrefs: 001E5703
AI_ProcessTasks, xrefs: 001E706E
3000000, xrefs: 001E615D
BindImage, xrefs: 001E5D41, 001E5D67
UnregisterExtensionInfo, xrefs: 001E4928
Font, xrefs: 001E61F6
SelfReg, xrefs: 001E648B
Complus, xrefs: 001E6508
UnregisterClassInfo, xrefs: 001E47C7
RegisterExtensionInfo, xrefs: 001E5EC1
PatchSize, xrefs: 001E5BB5
AI_UninstallGroups, xrefs: 001E6D80
AI_PreRequisite, xrefs: 001E699A, 001E6A20, 001E6AA6, 001E6B2C
MIME, xrefs: 001E4BFF, 001E5FE1
Extension, xrefs: 001E4973, 001E5EE7
RegisterComPlus, xrefs: 001E64E2
AI_ExtractPrereq, xrefs: 001E69FA
Feature_, xrefs: 001E49A6, 001E5EF8, 001E67B7, 001E69AD, 001E6A33, 001E6AB9, 001E6B53
UnregisterMIMEInfo, xrefs: 001E4B99
Shortcut, xrefs: 001E4FDB, 001E5DE4
RemoveFiles, xrefs: 001E533D, 001E5483
InstallODBC, xrefs: 001E624D, 001E62D3, 001E6359
12000, xrefs: 001E522A, 001E5370, 001E54D1, 001E55F0, 001E5736, 001E5DD1, 001E6260, 001E62E6, 001E636C
RemoveIniFile, xrefs: 001E4D45
100, xrefs: 001E5B08, 001E5F51, 001E6E8D
AI_XmlAttribute, xrefs: 001E6C2F, 001E7197
MsiConfigureServices, xrefs: 001E65EE, 001E6614

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$BindImage$Complus$Component_$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveShortcuts$SelfReg$SelfRegModules$ServiceControl$ServiceInstall$Shortcut$StartServices$TypeLib$UnregisterClassInfo$UnregisterExtensionInfo$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2578128725
Opcode ID: fe990ecc54ee7dcb11ba4f2460624e708394b6ac591da0f08768da7d69f7e8e7
Instruction ID: ee799656ca444b10f4fb7fd0aa7d168f9d28a4331d107b21dfb874bd08c52ec4
Opcode Fuzzy Hash: fe990ecc54ee7dcb11ba4f2460624e708394b6ac591da0f08768da7d69f7e8e7
Instruction Fuzzy Hash: D9233994A447C8A9DB80DBB25D1AF5D3B509B6270DF24879FF1442B2D2DBF80690839F

Uniqueness

Uniqueness Score: -1.00%

Function 001E2EA0 Relevance: 49.9, Strings: 39, Instructions: 1105COMMON

Download Yara Rule

Strings

PublishComponent, xrefs: 001E38E5
RemoveRegistry, xrefs: 001E46E7
MsiUnpublishAssemblies, xrefs: 001E3745
SelfUnregModules, xrefs: 001E3EDD
AppSearch, xrefs: 001E2FE9, 001E306A
InstallValidate, xrefs: 001E34D1
FileCost, xrefs: 001E325D
15000, xrefs: 001E3B3E, 001E3C84
3000, xrefs: 001E363E, 001E38B2, 001E39F8, 001E3DCA, 001E456E, 001E46B4
Component_, xrefs: 001E3918, 001E3BA4, 001E3CEA, 001E3E30, 001E40E1, 001E4202, 001E4348, 001E45DE, 001E471A
RemoveRegistryValues, xrefs: 001E453B, 001E4681
Feature, xrefs: 001E3A2B
30000, xrefs: 001E3778
UnregisterComPlus, xrefs: 001E3D97
CostInitialize, xrefs: 001E3123
ServiceControl, xrefs: 001E3B71, 001E3CB7
UnregisterFonts, xrefs: 001E43F5
UnpublishFeatures, xrefs: 001E39C5
Registry, xrefs: 001E45A1
StopServices, xrefs: 001E3B0B, 001E3C51
8000, xrefs: 001E3F2B, 001E4428
RemoveExistingProducts, xrefs: 001E2EC4
Component, xrefs: 001E3189, 001E33FD, 001E3548, 001E3671
Font, xrefs: 001E445B
SelfReg, xrefs: 001E3F43
RemoveODBC, xrefs: 001E4023, 001E4169, 001E42AF
2000, xrefs: 001E301C
Complus, xrefs: 001E3DFD
ODBCDriver, xrefs: 001E4315
ODBCDataSource, xrefs: 001E4089
ProcessComponents, xrefs: 001E360B
Feature_, xrefs: 001E37AB
File, xrefs: 001E32C3
u, xrefs: 001E4758
ODBCTranslator, xrefs: 001E41CF
12000, xrefs: 001E4056, 001E419C, 001E42E2
CostFinalize, xrefs: 001E33A8
UnpublishComponents, xrefs: 001E3886
800, xrefs: 001E3504

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: 12000$15000$2000$3000$30000$800$8000$AppSearch$Complus$Component$Component_$CostFinalize$CostInitialize$Feature$Feature_$File$FileCost$Font$InstallValidate$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$ProcessComponents$PublishComponent$Registry$RemoveExistingProducts$RemoveODBC$RemoveRegistry$RemoveRegistryValues$SelfReg$SelfUnregModules$ServiceControl$StopServices$UnpublishComponents$UnpublishFeatures$UnregisterComPlus$UnregisterFonts$u
API String ID: 0-3127294129
Opcode ID: db8e607dd946fef7a10d34c603eb99f5ccf96d18326765b80c35a054d6014f95
Instruction ID: cbdd688b7fcfd8ec2664fb39fc67da95b491334ce33f7ec94a85d603efac6792
Opcode Fuzzy Hash: db8e607dd946fef7a10d34c603eb99f5ccf96d18326765b80c35a054d6014f95
Instruction Fuzzy Hash: 12C28460A55784FAE3C0CF61ED4DF9A37A0AB62708F24936DE1042A2E1DBF919C4C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0020C363 Relevance: 44.8, APIs: 14, Strings: 11, Instructions: 1036memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0020C38B
VariantClear.OLEAUT32(?), ref: 0020C3BC
VariantClear.OLEAUT32(?), ref: 0020C415
VariantClear.OLEAUT32(?), ref: 0020C4C4
VariantClear.OLEAUT32(?), ref: 0020C608
SysAllocString.OLEAUT32(00000000), ref: 0020C619
VariantClear.OLEAUT32(?), ref: 0020C663
VariantClear.OLEAUT32(?), ref: 0020C68C
SysFreeString.OLEAUT32(00000000), ref: 0020C697
VariantClear.OLEAUT32(?), ref: 0020C7A5
SysAllocString.OLEAUT32(00000000), ref: 0020C7B2
VariantClear.OLEAUT32(?), ref: 0020C7FA
VariantClear.OLEAUT32(?), ref: 0020C822
SysFreeString.OLEAUT32(00000000), ref: 0020C82C

Strings

MsiGetProperty, xrefs: 0020C989
MessageBox, xrefs: 0020CE03
MsiSetProperty, xrefs: 0020C8D0
MsiGetBinaryPath, xrefs: 0020CBC6
MsiGetFormattedError, xrefs: 0020CF81
MsiPublishEvents, xrefs: 0020CD44
MsiGetBytesCountText, xrefs: 0020CEC2
MsiEvaluateCondition, xrefs: 0020CA48
MsiResolveFormatted, xrefs: 0020CB07
GetFontHeight, xrefs: 0020D040
MsiGetBinaryPathIndirect, xrefs: 0020CC85

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ClearVariant$String$AllocFree
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 1305860026-3153392536
Opcode ID: 048cfdb062a8e20d6a2174547983e80f1b372bd2ca7410c0227f5e453bda943a
Instruction ID: 1c8a71ab1900252ac476e897dc729a43545e1b29869ad72dbfdff10630d23091
Opcode Fuzzy Hash: 048cfdb062a8e20d6a2174547983e80f1b372bd2ca7410c0227f5e453bda943a
Instruction Fuzzy Hash: 23929DB1D203498FDB14DFA8CC84B9EBBB4FF59314F208319E515A7291EB74AA95CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0021B720 Relevance: 39.6, APIs: 14, Strings: 8, Instructions: 1082stringthreadsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?,?, ?(-|/)+q,00447BBE), ref: 0021BAEE
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?,?, ?(-|/)+q,00447BBE), ref: 0021BC6E
GetCurrentThreadId.KERNEL32 ref: 0021BE2B
std::locale::_Init.LIBCPMT ref: 0021B827

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?, ?(-|/)+q,00447BBE), ref: 0021C183
std::_Throw_Cpp_error.LIBCPMT ref: 0021C1EF
std::_Throw_Cpp_error.LIBCPMT ref: 0021C1F6
std::_Throw_Cpp_error.LIBCPMT ref: 0021C1FD
std::_Throw_Cpp_error.LIBCPMT ref: 0021C213
GetCurrentThreadId.KERNEL32 ref: 0021C3FE
std::_Throw_Cpp_error.LIBCPMT ref: 0021C50F
std::_Throw_Cpp_error.LIBCPMT ref: 0021C516
std::_Throw_Cpp_error.LIBCPMT ref: 0021C51D
std::_Throw_Cpp_error.LIBCPMT ref: 0021C524

Part of subcall function 002011B0: FindClose.KERNEL32(00000000), ref: 002012EF
Part of subcall function 002011B0: PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 002013A7

Part of subcall function 002FFDA0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,F026EBDC,?,00000000), ref: 002FFDEB
Part of subcall function 002FFDA0: GetLastError.KERNEL32(?,00000000), ref: 002FFDF5

Strings

msix, xrefs: 0021B9C1
appx, xrefs: 0021BC89
Return code of launched file:, xrefs: 0021C0FE
(, xrefs: 0021C14A
Launching file:, xrefs: 0021B7AE
msixbundle, xrefs: 0021BB0D
Launch failed. Error:, xrefs: 0021C036
?(-|/)+q, xrefs: 0021B860

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentInit_thread_footerThreadlstrcmpi$CloseErrorFindFormatHeapInitLastMessagePathProcessSleepstd::locale::_
String ID: ?(-|/)+q$($Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 3689723087-3482523422
Opcode ID: 0f67fae944c05a6704fe980d661aa144680de05253b41e44e080890575a28832
Instruction ID: b43ff12ace3d7f9981e5cb0294d2c2e93681b51eb50ec9d475ff6db2047513fd
Opcode Fuzzy Hash: 0f67fae944c05a6704fe980d661aa144680de05253b41e44e080890575a28832
Instruction Fuzzy Hash: A592F031D10249DFDB25CFA8C845BEDBBB0BF55314F24829DE415AB292EB706A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001FF420 Relevance: 26.1, APIs: 17, Instructions: 611COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001FF458
GetWindowLongW.USER32(?,000000EB), ref: 001FF4D3
ShowWindow.USER32(00000000,?), ref: 001FF4F2
SetWindowLongW.USER32(?,000000EB,00000000), ref: 001FF500
GetWindowRect.USER32(00000000,?), ref: 001FF517
ShowWindow.USER32(00000000,?), ref: 001FF538
SetWindowLongW.USER32(?,000000EB,?), ref: 001FF54F

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

GetClientRect.USER32(?,?), ref: 001FF608
ShowWindow.USER32(?,?), ref: 001FF68D
GetWindowLongW.USER32(?,000000EB), ref: 001FF6BC
ShowWindow.USER32(?,?), ref: 001FF6D9
GetWindowRect.USER32(?,?), ref: 001FF6FE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$LongRectShow$Client$AllocHeap
String ID:
API String ID: 2861869479-0
Opcode ID: ad3618eccd46b169040a15c17cc606a41b8fda06a0f0cd17ac5b72033f28678e
Instruction ID: ce58390e81b51bc41cf2ee44c859e1d923d24e19b20edb7782e2519e14a07360
Opcode Fuzzy Hash: ad3618eccd46b169040a15c17cc606a41b8fda06a0f0cd17ac5b72033f28678e
Instruction Fuzzy Hash: FA423871A042099FCB24CFA8D884AAEFBF5FF88314F10456EE955EB260D770A946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F5580 Relevance: 25.9, APIs: 17, Instructions: 389memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 001F5A10: EnterCriticalSection.KERNEL32(004CE7BC,F026EBDC,00000000,?,?,?,?,?,?,001F523E,003DB23D,000000FF), ref: 001F5A4D
Part of subcall function 001F5A10: LoadCursorW.USER32(00000000,00007F00), ref: 001F5AC8
Part of subcall function 001F5A10: LoadCursorW.USER32(00000000,00007F00), ref: 001F5B6E

SysFreeString.OLEAUT32(00000000), ref: 001F5623
SysAllocString.OLEAUT32(00000000), ref: 001F5654
GetWindowLongW.USER32(?,000000EC), ref: 001F572B
GetWindowLongW.USER32(?,000000EC), ref: 001F573B
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001F5746
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 001F5754
GetWindowLongW.USER32(?,000000EB), ref: 001F5762
GetWindowTextLengthW.USER32(?), ref: 001F5786
GetWindowTextW.USER32(?,00000000,00000001), ref: 001F57F5
SetWindowTextW.USER32(?,0044329C), ref: 001F5801
GlobalAlloc.KERNEL32(00000042,00000000), ref: 001F5836
GlobalLock.KERNEL32 ref: 001F5844
GlobalUnlock.KERNEL32(?), ref: 001F5898
SetWindowLongW.USER32(?,000000EB,00000000), ref: 001F5923
SysFreeString.OLEAUT32(00000000), ref: 001F593C
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 001F5983
SysFreeString.OLEAUT32(00000000), ref: 001F59A2

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Long$String$FreeGlobalText$AllocCursorLoadNtdllProc_$CriticalEnterLengthLockSectionUnlock
String ID:
API String ID: 4180494407-0
Opcode ID: bc44f581a30bdb33b95ca2ab4cd72fe2f9908bcc4015b2276375fbc62e80b4f2
Instruction ID: 5b109b8eb4d2da46827bd7118b5097ac9bcc5869c86e14da6f0818d74154dac5
Opcode Fuzzy Hash: bc44f581a30bdb33b95ca2ab4cd72fe2f9908bcc4015b2276375fbc62e80b4f2
Instruction Fuzzy Hash: DBD1D071900609EFDB11DFA4CC48BBFBBBAAF45324F144168FB11AB291D7749A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002011B0 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 668fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 002012EF
PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 002013A7
FindFirstFileW.KERNEL32(?,0045FDB8,*.*,00000000), ref: 002014FC
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 00201516
GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 00201549
FindClose.KERNEL32(00000000), ref: 002015B8
SetLastError.KERNEL32(0000007B), ref: 002015C6
_wcsrchr.LIBVCRUNTIME ref: 0020161C
_wcsrchr.LIBVCRUNTIME ref: 0020163C
PathIsUNCW.SHLWAPI(*.*,?,F026EBDC), ref: 002017D5

Strings

\\?\UNC\, xrefs: 002013C7, 0020147E, 002017F7, 002018B0
*.*, xrefs: 0020131A, 00201377, 00201378, 00201704, 002017D4
\\?\, xrefs: 00201491, 002014E6, 002018C6, 0020191E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Path$Find$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 1241272779-1700010636
Opcode ID: 875e4c787d4c3388b087570d4df6671786a54b3c1f4bec7b43ae763a074b692b
Instruction ID: d9262c30ec756d46aa99e2f79666ff647de60086b772f064cfe97d46da2b55a1
Opcode Fuzzy Hash: 875e4c787d4c3388b087570d4df6671786a54b3c1f4bec7b43ae763a074b692b
Instruction Fuzzy Hash: 7232D0706107069FDB14DF68CC89B6EB7B5FF54314F148268E915DB2E2EB75A920CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0030EAF0 Relevance: 20.9, APIs: 2, Strings: 9, Instructions: 1604fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

CopyFileW.KERNEL32(?,?,00000000,00000000,00000000), ref: 0030F078
CopyFileW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?), ref: 0030F579

Part of subcall function 002E6270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,004C94D0,003303D0,?), ref: 002E6288
Part of subcall function 002E6270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002E62BA

Strings

instname-target.msi, xrefs: 0030EFED, 0030F4EE
instname-custom.mst, xrefs: 0030F02B, 0030F52C
ProductCode, xrefs: 0030F7B0, 0030F7C2, 0030F7CC
{%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}, xrefs: 0030F3C3
ProductName, xrefs: 0030F147, 0030F159, 0030F163, 0030F6C2, 0030F6D4, 0030F6DE
AI_PRODUCTNAME_ARP, xrefs: 0030F1CF, 0030F1E1, 0030F1EB, 0030F739, 0030F74B, 0030F755
InstanceId, xrefs: 0030F824, 0030F836, 0030F83E
2r=, xrefs: 0030F364
\\?\, xrefs: 0030EF56, 0030F450

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ByteCharCopyFileHeapInit_thread_footerMultiWide$AllocFindProcessResource
String ID: 2r=$AI_PRODUCTNAME_ARP$InstanceId$ProductCode$ProductName$\\?\$instname-custom.mst$instname-target.msi${%0.8X-%0.4X-%0.4X-%0.2X%0.2X-%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X}
API String ID: 1546577494-4003344076
Opcode ID: baf4c19561429f23ff61fa9979a7e2dca1d510edd60fe27c096e7143fa63b7bf
Instruction ID: 6244604e162a9bb4b6fa9afff96bd67c74ea9631e4096ee36575ea2b42783d48
Opcode Fuzzy Hash: baf4c19561429f23ff61fa9979a7e2dca1d510edd60fe27c096e7143fa63b7bf
Instruction Fuzzy Hash: 14D2D230A01649DFDB11DFA9C858BAEBBF4EF45314F148269E405EB292DB74EE04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F4E60 Relevance: 19.9, APIs: 13, Instructions: 416nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(80070216,000000EC), ref: 001F508B
GetWindowLongW.USER32(00000000,000000EC), ref: 001F509B
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 001F50A6
NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,80070216,?,?,80070216), ref: 001F50B4
GetWindowLongW.USER32(00000000,000000EB), ref: 001F50C2
GetWindowTextLengthW.USER32(00000000), ref: 001F50E6
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001F5155
SetWindowTextW.USER32(00000000,0044329C), ref: 001F5161
GlobalAlloc.KERNEL32(00000042,00000000), ref: 001F5196
GlobalLock.KERNEL32 ref: 001F51A4
GlobalUnlock.KERNEL32(?), ref: 001F51F8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001F525D
NtdllDefWindowProc_W.NTDLL(00000000,00000000,F026EBDC,00000000), ref: 001F52AF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Long$GlobalText$NtdllProc_$AllocLengthLockUnlock
String ID:
API String ID: 2673961051-0
Opcode ID: 25dfcec8d8496af8d0e1f7a454eaa1b101f7ed35770dc676b029cd85758d0c2b
Instruction ID: 8a00f4247a00463c2bceb95533948fd2648281fa60e5f1bad24c4243b1615c83
Opcode Fuzzy Hash: 25dfcec8d8496af8d0e1f7a454eaa1b101f7ed35770dc676b029cd85758d0c2b
Instruction Fuzzy Hash: FFE1B071A0460ADBDB14DFA8CC44BAFBBA9EF45314F140229FB15EB291DB34D900CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0030AB40 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 0030AEE2
FindClose.KERNEL32(00000000), ref: 0030AF10
FindClose.KERNEL32(00000000), ref: 0030AF99

Strings

No acceptable version found., xrefs: 0030B4AC
No acceptable version found. It must be downloaded manually from a site., xrefs: 0030B497
An acceptable version was found., xrefs: 0030B482
No acceptable version found. It must be installed from package., xrefs: 0030B489
No acceptable version found. It is already downloaded and it will be installed., xrefs: 0030B4A5
No acceptable version found. It must be downloaded., xrefs: 0030B490
Not selected for install., xrefs: 0030B4B3
No acceptable version found. Operating System not supported., xrefs: 0030B49E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Find$CloseInit_thread_footer$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 544434140-749633484
Opcode ID: 87a612212cc60782c6aa30bab40afb86ec488cda90e7a13d321aad4ebee053ea
Instruction ID: dd02063311b76277e71cbf2b110014ccc0fdfa63acdeb6eb2419b76c4c1e417c
Opcode Fuzzy Hash: 87a612212cc60782c6aa30bab40afb86ec488cda90e7a13d321aad4ebee053ea
Instruction Fuzzy Hash: FCF19E70901B0ACFDB51DF28C9587AEFBF1BF85310F158298D8599B392DB349A44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002DC450 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 367windowtimeCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 002DC6D9
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 002DC6EB
SendMessageW.USER32(?,00000443,00000000), ref: 002DC743
GetDC.USER32(00000000), ref: 002DC767
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002DC772
MulDiv.KERNEL32(?,00000000), ref: 002DC77A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 002DC79F
SetTimer.USER32(?,?,?,00000000), ref: 002DC910

Strings

Segoe UI, xrefs: 002DC751
NumberValidationTipMsg, xrefs: 002DC5B5
NumberValidationTipTitle, xrefs: 002DC4C5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$CapsCreateDeviceFontMessageRedrawSendTimer
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 4027244334-2319862951
Opcode ID: 36a2ca147b679fb440481c7423a8a58c99dd3069836fa1c9e3247d9698724a3e
Instruction ID: fd3a2fdc461b6844e26dea0171174a32316033ee8177d146b28cfa10476dd49b
Opcode Fuzzy Hash: 36a2ca147b679fb440481c7423a8a58c99dd3069836fa1c9e3247d9698724a3e
Instruction Fuzzy Hash: 6CD1DE31A00705AFEB18CF64CC45BEEB7B5EF89300F108699E55AA72D1DB74AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00396840 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 197libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 0039686D
GetProcessAffinityMask.KERNEL32(00000000), ref: 00396874
GetSystemInfo.KERNEL32(?), ref: 003968F5
GetModuleHandleA.KERNEL32 ref: 00396944
GetProcAddress.KERNEL32(00000000), ref: 0039694B
GlobalMemoryStatus.KERNEL32 ref: 0039699B

Strings

Nqt, xrefs: 0039694B
kernel32.dll, xrefs: 00396904
, xrefs: 00396992
@, xrefs: 0039693C
GlobalMemoryStatusEx, xrefs: 003968FF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
String ID: $@$GlobalMemoryStatusEx$kernel32.dll$Nqt
API String ID: 3120231856-3878547479
Opcode ID: afd586a77061a68a832768951164f955e36c526a9203705dcbf48cddad6ea690
Instruction ID: a599a242374aab346fbe929dca112496ce60a55b74b34f58f54a891c679e5d2f
Opcode Fuzzy Hash: afd586a77061a68a832768951164f955e36c526a9203705dcbf48cddad6ea690
Instruction Fuzzy Hash: 7E716AB1A083118FD708CF59D89575ABBE5BB88314F05892DE899C7351D7B4D904CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00219450 Relevance: 18.2, Strings: 14, Instructions: 725COMMON

Download Yara Rule

Strings

ptD, xrefs: 00219770
INSERT INTO `ControlEvent` (`Dialog_`, `Control_`,`Event`,`Argument`, `Condition`, `Ordering`) VALUES (', xrefs: 00219883
Dialog, xrefs: 002194EA, 00219512
EndDialog, xrefs: 00219843
', ', xrefs: 002198D2, 00219952, 002199D8, 00219A61
"', ', xrefs: 00219BAE
') TEMPORARY, xrefs: 00219CE2
= ", xrefs: 00219B56
AND , xrefs: 00219B09
`Dialog_`=', xrefs: 00219668
Control_Default, xrefs: 002194C2
4xD, xrefs: 0021975D, 00219769
' AND `Control_`=', xrefs: 0021969C
ControlEvent, xrefs: 00219732

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: = "$ AND $"', '$' AND `Control_`='$') TEMPORARY$', '$4xD$ControlEvent$Control_Default$Dialog$EndDialog$INSERT INTO `ControlEvent` (`Dialog_`, `Control_`,`Event`,`Argument`, `Condition`, `Ordering`) VALUES ('$`Dialog_`='$ptD
API String ID: 0-207046956
Opcode ID: c5dd6ce13740dd8b894690f9dc40c1d73aed5a5ac19024d92a12e964821f4541
Instruction ID: b6779bce42db6e5dd64ac25d0a0487220e7eb7fc21a8071844b44b05aee422a4
Opcode Fuzzy Hash: c5dd6ce13740dd8b894690f9dc40c1d73aed5a5ac19024d92a12e964821f4541
Instruction Fuzzy Hash: 78628970910258DFDB14DF68CC94BEEBBB5BF65304F248199E009AB291DB74AAC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0020E230 Relevance: 18.1, APIs: 6, Strings: 4, Instructions: 639windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0020E311

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

__Init_thread_footer.LIBCMT ref: 0020E2CE

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

SendMessageW.USER32(?,0000104D,00000000,?), ref: 0020E832
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 0020E8E0
SendMessageW.USER32(?,00001003,00000001,?), ref: 0020E981

Part of subcall function 002F2170: __cftof.LIBCMT ref: 002F21C0

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 0020EB09

Strings

Icon, xrefs: 0020E686
AiFeatIco, xrefs: 0020E5CB
dL, xrefs: 0020E624
dL, xrefs: 0020E732

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend$CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake__cftof
String ID: AiFeatIco$Icon$dL$dL
API String ID: 2303580663-1457112329
Opcode ID: 4a61170f1dbb38c568b6c814705790d31ce8bee95e96b99ca07ae77c607f9421
Instruction ID: 9f1f0ce046ec014d613418737e4769533de41b15671662871714c412f3a8befa
Opcode Fuzzy Hash: 4a61170f1dbb38c568b6c814705790d31ce8bee95e96b99ca07ae77c607f9421
Instruction Fuzzy Hash: 50529971900658DFDB24DF68CC88BEDBBB5BF58304F1445A9E44AAB292DB706E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003029A0 Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 581COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00302B4D
__Init_thread_footer.LIBCMT ref: 00302CEC

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

GetStdHandle.KERNEL32(000000F5,?,F026EBDC,?,?), ref: 00302D74
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00302D7B
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00302D8F
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00302D96
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,Function_00265F2C,00000002,?,?), ref: 00302E25
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00302E2C
IsWindow.USER32(00000000), ref: 003030BC

Strings

Error, xrefs: 00303052

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ConsoleHandle$AttributeCriticalInit_thread_footerSectionText$BufferEnterInfoLeaveScreenWindow
String ID: Error
API String ID: 2811146417-2619118453
Opcode ID: f87a8e202b1ce9878e60496c7a62c6e610e6b88b3b179e351ea814f24d6129bb
Instruction ID: 65674a5449b27e7c4b8c33b8ee4e4036c1959db5264fc9afa6c2c114b316fdb4
Opcode Fuzzy Hash: f87a8e202b1ce9878e60496c7a62c6e610e6b88b3b179e351ea814f24d6129bb
Instruction Fuzzy Hash: 3F429F71D00259CFDB14CFA8CC58B9EBBB0BF55314F248299E419BB291DB745A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 002184B0 Relevance: 16.6, APIs: 1, Strings: 8, Instructions: 843windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002184FC

Strings

AiTabPage, xrefs: 0021872D, 002188F3
SpawnDialog, xrefs: 00218BBD
Title, xrefs: 00218C62
Dialog, xrefs: 00218C8D, 00218CB5, 00218E2C, 00218E49, 00218E71
LtD, xrefs: 00218856
`Dialog_`=', xrefs: 0021867B
' AND `Control_`=', xrefs: 002186BA
ControlEvent, xrefs: 0021880F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$LtD$SpawnDialog$Title$`Dialog_`='
API String ID: 3850602802-1772565510
Opcode ID: 38f8967761e7408b6a05a96e524e4b6ba33464fdcf417cad405b8a8e38b4578a
Instruction ID: 255a17316b7417099c8a14519ba7ff557f741f62729545e9fe4bf4ced8c9a7d7
Opcode Fuzzy Hash: 38f8967761e7408b6a05a96e524e4b6ba33464fdcf417cad405b8a8e38b4578a
Instruction Fuzzy Hash: E272D271D10258DFDB14CFA8C884BEDBBF1FF69304F248259E405AB291DB74AA95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002E4260 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 248fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 002E434F
CloseHandle.KERNEL32(00000000), ref: 002E4377
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 002E43B9
CloseHandle.KERNEL32(?), ref: 002E440E
ShellExecuteExW.SHELL32 ref: 002E44A3

Strings

EXE, xrefs: 002E42B3
open, xrefs: 002E4438
runas, xrefs: 002E448B
.bat, xrefs: 002E42AE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CloseFileHandle$CreateExecuteShellWrite
String ID: .bat$EXE$open$runas
API String ID: 548387358-1492471297
Opcode ID: 6352bbf0458a533a83bc5974fe4f3d36152bf706e1a825dd9b8c768022f2a320
Instruction ID: 168ec20c0f6da4cadb14ec9ac491e0ef64d2e791a359ac7a786a9c6eec74af02
Opcode Fuzzy Hash: 6352bbf0458a533a83bc5974fe4f3d36152bf706e1a825dd9b8c768022f2a320
Instruction Fuzzy Hash: 0AA1AB70901689DFEB10DFA9C848B9DFBB4FF45315F6482A9E805AB291DB749E04CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00209650 Relevance: 13.3, Strings: 10, Instructions: 770COMMON

Download Yara Rule

Strings

AI_MajorUpgrades, xrefs: 00209ABB
OldProductCode, xrefs: 00209952
AI_DynInstances, xrefs: 002099DC
UpgradeCode, xrefs: 0020971E
, xrefs: 00209F05
ProductCode, xrefs: 0020969C
InstanceId, xrefs: 002098C5
Manufacturer, xrefs: 002097AB
AI_GenNewCompGuids, xrefs: 00209B9B
ProductVersion, xrefs: 00209838

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: $AI_DynInstances$AI_GenNewCompGuids$AI_MajorUpgrades$InstanceId$Manufacturer$OldProductCode$ProductCode$ProductVersion$UpgradeCode
API String ID: 0-614494711
Opcode ID: 57773020ac1308d6f99e64fad8506fde2f081370024933a6941c0fd0ec27fe71
Instruction ID: 1a8f0a907160ec3f9b7e34135f76726608c353aedd8b85e68522302a26bdb0b9
Opcode Fuzzy Hash: 57773020ac1308d6f99e64fad8506fde2f081370024933a6941c0fd0ec27fe71
Instruction Fuzzy Hash: 61620031D10299CFDF04CB68CC54BEEBBB5AF55304F248299E406B7292DB746E94CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D328A Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003D346E

Strings

1#QNAN, xrefs: 003D339D
1#IND, xrefs: 003D338F
1#INF, xrefs: 003D33C0
1#SNAN, xrefs: 003D3396

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e97994675b8ecd8b976ce908acfce1223c05276ff8dd14f903579fe79e7a0893
Instruction ID: 561cbc527afa85648c4c049b373a31b0f6d0e18f898ca77dc03d67ee1ca65013
Opcode Fuzzy Hash: e97994675b8ecd8b976ce908acfce1223c05276ff8dd14f903579fe79e7a0893
Instruction Fuzzy Hash: 31D23972E082288FDB66CE28ED407EAB7B9EB45304F1545EBD44DE7240D778AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 003408C0 Relevance: 9.2, APIs: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,F026EBDC,?,00000000,00000000), ref: 00340991
FindNextFileW.KERNEL32(?,00000000), ref: 003409AC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 48fc26dc362fb361356e2d7864596481f654583e8e3f9b6621784036006c5ed4
Instruction ID: 8b53f892a1a9fde9e9da599486c66a5cea5359b9fb3213d5825451f9833b6d92
Opcode Fuzzy Hash: 48fc26dc362fb361356e2d7864596481f654583e8e3f9b6621784036006c5ed4
Instruction Fuzzy Hash: 09718C71A01689DFDB15DFA8CD48ADEBBF4FF05310F148169E914AB292DB34AE08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002FC040 Relevance: 7.7, APIs: 5, Instructions: 240fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 002FC098

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

FindFirstFileW.KERNEL32(?,00000000,?,?,00000011), ref: 002FC198
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000,?,?,00000011), ref: 002FC235
FindClose.KERNEL32(00000000,?,00000000,?,?,00000011), ref: 002FC25B
FindClose.KERNEL32(00000000,?,00000000,?,?,00000011), ref: 002FC2A5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess_wcsrchr
String ID:
API String ID: 352340201-0
Opcode ID: e33763726c0bdf44f81b157130298905f6a2eca76753421a5e5a4e988de973d4
Instruction ID: 75c6e73ac1b05c9be5da75de0765c4cd26fbb37502219c43054c34d57925b8a4
Opcode Fuzzy Hash: e33763726c0bdf44f81b157130298905f6a2eca76753421a5e5a4e988de973d4
Instruction Fuzzy Hash: 5071D23191020E9BDB14DFA8CE44BBEF7B4FF55364F20822EEA1597281EB759914CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00208E20 Relevance: 6.8, Strings: 5, Instructions: 567COMMON

Download Yara Rule

Strings

MultipleInstances, xrefs: 00208E7D
PropertyValue, xrefs: 00209498
MultipleInstancesProps, xrefs: 00208F3C, 0020938E
AI_EXIST_INSTANCES, xrefs: 00209075
AI_EXIST_NEW_INSTANCES, xrefs: 002091D3

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
API String ID: 1385522511-2308371840
Opcode ID: 40ac26690726602781082e24b83b5b6528b76501c1b99293bea46859d7fe47fe
Instruction ID: f0802bccab5ed246a037644320679c18033b33b10864be877b9d7296e8acdfe2
Opcode Fuzzy Hash: 40ac26690726602781082e24b83b5b6528b76501c1b99293bea46859d7fe47fe
Instruction Fuzzy Hash: 5E22E170E103499FDF04DFA4CC99BEEBBB1AF55314F248249E105AB2D2DB746A84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C839A Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003C8427

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cf26b04feba36ec538749ee1d57a00ae9e5f61497e5783d4f8033c0758c89abe
Instruction ID: 6767c8ac6b1093958bf7c31fbbbb43ad52309f9aafe3a787fa6f73e7cceb904b
Opcode Fuzzy Hash: cf26b04feba36ec538749ee1d57a00ae9e5f61497e5783d4f8033c0758c89abe
Instruction Fuzzy Hash: 3AB146329042569FDB178F28C881FFEBBA5EF59300F15816EE904EB341DA749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0032CDD0 Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603f7f1a6257108972ce2f9f0646a05a80f2e0a6d6f894071760662e48d35652
Instruction ID: ec3a71bc87ddb579b121b2ffa51e5b4dfdab1a9d924a0e25c1f37f1d1acb266b
Opcode Fuzzy Hash: 603f7f1a6257108972ce2f9f0646a05a80f2e0a6d6f894071760662e48d35652
Instruction Fuzzy Hash: ED817B71901258DFDB60DF28CD89B99F7B4EF45314F2482D9E818AB292DB70AE44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00202C90 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000003,00000001,F026EBDC,?,?,?,?,003DD5E4,000000FF), ref: 00202CD1
GetWindowLongW.USER32(00000003,000000FC), ref: 00202CE6
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00202CF8
DeleteCriticalSection.KERNEL32(?,F026EBDC,?,?,?,?,003DD5E4,000000FF), ref: 00202D23

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LongWindow$CriticalDeleteKillSectionTimer
String ID:
API String ID: 1032004442-0
Opcode ID: ddd7fe2bf455108fe32716594ad420185efef9f21223f74c9f7948db92f6b32c
Instruction ID: 9a57fb339cc7629e5f479aa56a0daea2d9bccddf767f2cf321565fca158225ac
Opcode Fuzzy Hash: ddd7fe2bf455108fe32716594ad420185efef9f21223f74c9f7948db92f6b32c
Instruction Fuzzy Hash: AD318F71504746EFCB11DF68DC08B99BBA8FB06320F24426AE814D76D2D771EA24CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00204B30 Relevance: 5.7, Strings: 4, Instructions: 694COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE, xrefs: 00204B8A
AI_NO_BORDER_HOVER, xrefs: 00204CCA
AI_NO_BORDER_NORMAL, xrefs: 00204C1D
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00204FD5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 63c5cbc2a1f010197f0de8edbee492e5d9ac9a2a2aa362fff81dc4336937f3ef
Instruction ID: 7eeee3c4cc95d4c51aaefd1f7ac309fd4c6b9307b65a683fa7f7148f8ba230f0
Opcode Fuzzy Hash: 63c5cbc2a1f010197f0de8edbee492e5d9ac9a2a2aa362fff81dc4336937f3ef
Instruction Fuzzy Hash: 7C422371D106288FDB18DF68CC94BAEB7B1FF85300F108259E455AB3D2CB74AA55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0032D1D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 0032D28C
FindClose.KERNEL32(00000000), ref: 0032D3D7

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Strings

%d.%d.%d.%d, xrefs: 0032D369

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Find$AllocCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 2507753907-3491811756
Opcode ID: dc62ae27e110c4f4932446acbdfd71154d77c3308af66eec3dcba7195ef47e08
Instruction ID: a255ae1f5b6dc6c8388f6a3c94ffb9c11e4c45c0801114517e0faf68cd9aaf7d
Opcode Fuzzy Hash: dc62ae27e110c4f4932446acbdfd71154d77c3308af66eec3dcba7195ef47e08
Instruction Fuzzy Hash: 7E617E70905259DFDF61DF28CC49B9DBBB4EF44314F108299E919AB291DB35AE84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 002173A0 Relevance: 5.4, Strings: 4, Instructions: 364COMMON

Download Yara Rule

Strings

= ", xrefs: 002176C2
<> ", xrefs: 002174BB
Hide, xrefs: 00217466, 00217487
Show, xrefs: 00217698

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: 5acde0081185688c6c85507e55d003f5e373d5c75a379ea6cf286108ed54beaa
Instruction ID: 064abbcaf8f74df47be42963024f60e4fc2f334b6573d59a57c133b992eafb71
Opcode Fuzzy Hash: 5acde0081185688c6c85507e55d003f5e373d5c75a379ea6cf286108ed54beaa
Instruction Fuzzy Hash: 58F18C70D14298DFDB14DF64C854BEDB7B0BFA5304F2086D9E4096B292DB71AAC4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E7480 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 003A99C8
GetVersionExW.KERNEL32(?), ref: 003A9A13
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 003A9A27

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: 4d89e8af924a2a0ff071476ec47b79bc25955bfb15ac1cd3f4dd07a3829e9d2d
Instruction ID: 39b0e0968a736820b15e3b3818c5a8ec6599b36935a8ceee07596520919c7aac
Opcode Fuzzy Hash: 4d89e8af924a2a0ff071476ec47b79bc25955bfb15ac1cd3f4dd07a3829e9d2d
Instruction Fuzzy Hash: 29614A72B102244BE749CF2DCCC56AABBD5EBCA341F05863FE496D7291DA78C505CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002E1410 Relevance: 4.7, APIs: 3, Instructions: 190fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,F026EBDC,?), ref: 002E14DC
FindNextFileW.KERNEL32(000000FF,00000010,?,F026EBDC,?), ref: 002E1633
FindClose.KERNEL32(000000FF,?,?,F026EBDC,?), ref: 002E1692

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d1d3615069b88301a21a3d041b26c151aae6499031b0eebefa34ee63d4934495
Instruction ID: 5aa1d9b9a17ca2165d36560db24339f8082b46c44ee2165cf594750fe1283513
Opcode Fuzzy Hash: d1d3615069b88301a21a3d041b26c151aae6499031b0eebefa34ee63d4934495
Instruction Fuzzy Hash: 1D81AC70D10289DFDB24DF69C959BEDB7B8FF04300F6482A9E81967291DB706A94CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001FEFE0 Relevance: 4.6, APIs: 3, Instructions: 93COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 001FF02E
GetWindowLongW.USER32(00000004,000000FC), ref: 001FF047
SetWindowLongW.USER32(00000004,000000FC,?), ref: 001FF059

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e71adca1fe08fc9cf26e09500d992bd09820fe6da340c100a90972e59ebb020f
Instruction ID: 98b879d833505de55cfb5dca44f0f1d84fd4203fe15aaebffa24c5d29adeaa1e
Opcode Fuzzy Hash: e71adca1fe08fc9cf26e09500d992bd09820fe6da340c100a90972e59ebb020f
Instruction Fuzzy Hash: 0D418CB1A04606EFDB10DF65C908B6ABBB4FF05324F10426DE524DBA91DBB6E914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B50F3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 003B51EB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003B51F5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 003B5202

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6b09d6dd1f4b239c266bb2578fff38fe725922563670c47bdb3c2177ee6597a6
Instruction ID: 247e3cfea1da8629ee38a2cf506c6f74351ac76d533c7ce90c8be85b87cd0df2
Opcode Fuzzy Hash: 6b09d6dd1f4b239c266bb2578fff38fe725922563670c47bdb3c2177ee6597a6
Instruction Fuzzy Hash: F23105709412189BCB21DF28D8897CDBBB8BF08310F1041EAE51CAB251EB709F818F54

Uniqueness

Uniqueness Score: -1.00%

Function 001EA000 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,F026EBDC,00000001,00000000,?,00000000,003D7D20,000000FF,?,001E9FAC,F026EBDC,?,?,000000A0,?), ref: 001EA02B
LockResource.KERNEL32(00000000,?,001E9FAC,F026EBDC,?,?,000000A0,?,A0CE001E,003D83F0,000000FF,?,001EA150,?,?,000000A0), ref: 001EA036
SizeofResource.KERNEL32(00000000,00000000,?,001E9FAC,F026EBDC,?,?,000000A0,?,A0CE001E,003D83F0,000000FF,?,001EA150,?,?), ref: 001EA044

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 39db9a8d295dbc5a9af9b438cd7ab1fa0bde57f4b2b9d28d1efee8505e264aeb
Instruction ID: ca37139e06acee8af31736b70a46cac2295e1adc3f6d43bf655785b03de90acd
Opcode Fuzzy Hash: 39db9a8d295dbc5a9af9b438cd7ab1fa0bde57f4b2b9d28d1efee8505e264aeb
Instruction Fuzzy Hash: 3811C832A04A549BC7358F19DC45B7AF7F8EB88711F41463EFC56D3640EB35AC008694

Uniqueness

Uniqueness Score: -1.00%

Function 002540A0 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 0025410F
SetWindowLongW.USER32(00000000,000000FC,?), ref: 0025411D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fd44c54bb91136d01ecffa80c2e54aa9307ce0e01d6a456a5dfbfd5fdcf3063c
Instruction ID: 7074e8cb78bdd01dbfbbc6597c8548a3ab075b16b7b8fc384efbc76950580475
Opcode Fuzzy Hash: fd44c54bb91136d01ecffa80c2e54aa9307ce0e01d6a456a5dfbfd5fdcf3063c
Instruction Fuzzy Hash: 6B31CE31904606EFCB10EF69C944B9AFBB4FF05324F248369E824A76D0C731AD64CB94

Uniqueness

Uniqueness Score: -1.00%

Function 002FE270 Relevance: 3.1, APIs: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,F026EBDC,?,00000000,00000000,00000000,004182FD,000000FF), ref: 002FE2D8
FindClose.KERNEL32(00000000,?,F026EBDC,?,00000000,00000000,00000000,004182FD,000000FF), ref: 002FE322

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8f75ea16e6c9fca4de77af93ca243ac8b35f60fde96e70f271b722b12e11da20
Instruction ID: a9adce95c0620b815a41fd205a1d9d1a3ed5a6f786483397c166e966b91cde01
Opcode Fuzzy Hash: 8f75ea16e6c9fca4de77af93ca243ac8b35f60fde96e70f271b722b12e11da20
Instruction Fuzzy Hash: BD21C4719006499FDB20DF68CD49BEEF7B8FF84724F104269E925A72D1DB345A08CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043E014 Relevance: 2.1, Strings: 1, Instructions: 823COMMON

Download Yara Rule

Strings

E, xrefs: 0043E404

Memory Dump Source

Source File: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-4072790445
Opcode ID: 5bfe94cc2067a58f3ca728d08dd19735584310172ace90819a77f8cebb18a605
Instruction ID: 66855009ebfc20e8c7f77f2075787c415bec2f58e06a78fd3b817a3c3ae0c4be
Opcode Fuzzy Hash: 5bfe94cc2067a58f3ca728d08dd19735584310172ace90819a77f8cebb18a605
Instruction Fuzzy Hash: 0062D0A941E3C55FD7538B704CB95907FB0AE1320971E85DBC8D58F4A3E118AA0EE72B

Uniqueness

Uniqueness Score: -1.00%

Function 00257500 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 002576E5, 002578D2

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: 8f0768f32e2a034f3afc7f4c0ab8ba298933838db11ede81ade34a081a89f847
Instruction ID: 79b96f35bb5cf49267519c11271bfbebb129086675a68d234bd26b7edfd51ce9
Opcode Fuzzy Hash: 8f0768f32e2a034f3afc7f4c0ab8ba298933838db11ede81ade34a081a89f847
Instruction Fuzzy Hash: A1121471A142099FCB09DF68D881AADFBF9FF48310F14826AE815EB391D730E915CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00208270 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,002069C7,?,?,?,?,?,?,?,?,00206838,?,?), ref: 002082C0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 1d32d5a98b2edf08210d0204d93334cd100fa16fa3391e048f18239f6927cc4f
Instruction ID: 55f5f3b0473742cfedb13e0cd64a079a5c3be6f79ab904ec418258b7c3380814
Opcode Fuzzy Hash: 1d32d5a98b2edf08210d0204d93334cd100fa16fa3391e048f18239f6927cc4f
Instruction Fuzzy Hash: C3F0EC30018782CEE3058F64D848A6BBBB6FB44302F4845F6E8C8C50A2DB358E60CF04

Uniqueness

Uniqueness Score: -1.00%

Function 003CCE19 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6984b06ee9e2e6e8fe44aaa20e20e406cc3cf3b881328459bdcc7c8a302d01f9
Instruction ID: fc1c8421d98dad989d8e1350606e4b43b4e2e77c3bc98f1b1baeba6377961434
Opcode Fuzzy Hash: 6984b06ee9e2e6e8fe44aaa20e20e406cc3cf3b881328459bdcc7c8a302d01f9
Instruction Fuzzy Hash: 6C322621D29F014ED7279634D922335A259AFB73C8F15D73BF81AF5DA9EB28C8834204

Uniqueness

Uniqueness Score: -1.00%

Function 003B8A2C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d837e9492d8c0c798754f942ae9700890cf50d069a2ced10705a4c0882ff41
Instruction ID: b0c6cfc447d7c2745bde8c5e0f02f5fb4b486b7ff301e61ff05d221d47c2203e
Opcode Fuzzy Hash: f0d837e9492d8c0c798754f942ae9700890cf50d069a2ced10705a4c0882ff41
Instruction Fuzzy Hash: 73E1DF706006058FCB26CF68C480AEEB7F9FF45318B254A5ED6569BB91DB30ED42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0034EDA0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1a40e06b6079c3801e9336b1a9ffb11d3f21173d3c0bc9a502e50674424d6a
Instruction ID: 5f53628e9a2dcce14c5d91dca3ba456dc2ada9ede5c339a3c82e89681fb8b707
Opcode Fuzzy Hash: 4f1a40e06b6079c3801e9336b1a9ffb11d3f21173d3c0bc9a502e50674424d6a
Instruction Fuzzy Hash: F8D18E71D00249CFDB05CFA8C948BEEBBF5FF49304F258229E415AB291D775AA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B869E Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a1094bd0e6555eaf1f25ac7d67a09f41cece25ea82de6ab8f105309deb7c85
Instruction ID: 9cef26fae0042d6444d463eaa5f2cbdcac4831cc6152defa7c61c292913e7a54
Opcode Fuzzy Hash: 05a1094bd0e6555eaf1f25ac7d67a09f41cece25ea82de6ab8f105309deb7c85
Instruction Fuzzy Hash: 76C1F030A006468FCB2ACF28C4916FAB7B9AF0531CF25461AD7969BE91CF31ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029EF50 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a86ba8cdc796b81664c7d113af351e20b8950c6d074220d2c80bbc49af6bb8e
Instruction ID: 25d89f77228dbe2cbf37463ab582d9e06783d8aa50471d9b244af009f86cd29e
Opcode Fuzzy Hash: 8a86ba8cdc796b81664c7d113af351e20b8950c6d074220d2c80bbc49af6bb8e
Instruction Fuzzy Hash: E94102B0905A85EED704CF69C10878AFBF0BF09318F20825ED4589B781D3BAA618CF95

Uniqueness

Uniqueness Score: -1.00%

Function 001FEE70 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fdd93a39baa236ca9d40fb79824465ca69b828e3bb4272c6f851e38ab1d7b1
Instruction ID: 6e175daccb587ae6a20dede87a181df497cb13cd67382f262c66bd795ef6d47e
Opcode Fuzzy Hash: 84fdd93a39baa236ca9d40fb79824465ca69b828e3bb4272c6f851e38ab1d7b1
Instruction Fuzzy Hash: 4331CDB0405B84CFE721CF29C658787BFF4BB05718F108A5DD4A64BB91C3BAA608CB95

Uniqueness

Uniqueness Score: -1.00%

Function 001F8280 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf51b35569e9ff2086ad5f25453fc87b3044994f86fb4d93a8306f9324b775b
Instruction ID: 08ec01fde8cf0b12e0d0fa6ca354df64e56d304b179ee03ecad85b1f58a534ff
Opcode Fuzzy Hash: 4cf51b35569e9ff2086ad5f25453fc87b3044994f86fb4d93a8306f9324b775b
Instruction Fuzzy Hash: 2F215BB1804788DFD710CF68C904B8ABBF4FB09314F1186AED4559B791D3B9AA44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001F8840 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fb7648338b9cbcf71883c46d01cf64296029ef3783291172641cb554a80b2d
Instruction ID: 608c6adbe98f916a2bc63c60714e1e7303fde1bfcd46be06b499e744b2a8c86d
Opcode Fuzzy Hash: 75fb7648338b9cbcf71883c46d01cf64296029ef3783291172641cb554a80b2d
Instruction Fuzzy Hash: 3A215BB1804788DFD710CF68C904B8ABBF4FB09314F1186AED4559B791D3B9AA04CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003CA0DB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3451cbf4a5f4a20c6ff63322a7706ab375775fa12a8bcbf4266e610671382732
Instruction ID: b06bd1cab983786789cf704f6b7a2bd2c2e43d5cf162e33956c5136aadf40d7a
Opcode Fuzzy Hash: 3451cbf4a5f4a20c6ff63322a7706ab375775fa12a8bcbf4266e610671382732
Instruction Fuzzy Hash: C0F03032611628EBCB16DB48DC06F59B3A8EB85B65F16405EE501DB251C670DD00C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 003CA11F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction ID: 976f7c841821d50debaa01a220a2f7738f29eded73400b78eaa0ac61d11142e8
Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
Instruction Fuzzy Hash: 1BE08C32911628EBCB16DB9CC908E8AF3ECEB49B04F16049AF501D3200C270DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 003BB5D7 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a962eb7063aa5dac9a286c1eb4be0eb6ad47394398426903ba7e2235a18e8e
Instruction ID: f0018e3f0eca49fcae3081afb63791daa896a4b24ca24ed241781f2929e86f02
Opcode Fuzzy Hash: 16a962eb7063aa5dac9a286c1eb4be0eb6ad47394398426903ba7e2235a18e8e
Instruction Fuzzy Hash: 5BC08C340009804BCE3B8918C3B27E6B354B39278AF84048ECB024BA43EE5EDC82D712

Uniqueness

Uniqueness Score: -1.00%

Function 00336AA0 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 335COMMON

Download Yara Rule

Strings

powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00336BFF
txt, xrefs: 00336B73
Unable to retrieve PowerShell output from file: , xrefs: 00336DFE
Unable to find file , xrefs: 00336AD3
ps1, xrefs: 00336B46, 00336B58, 00336B62
Unable to retrieve exit code from process., xrefs: 00336E21
Unable to create process: , xrefs: 00336CA4
Unable to get a temp file for script output, temp path: , xrefs: 00336BAF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: f1a12311bb65a399a9771ab62868939d191d319529e26a8b9943e7213afa47bd
Instruction ID: c2266d8f18d79f549d62510ae49d2b7e53ddefff15d22b1eb486490ffb319b4d
Opcode Fuzzy Hash: f1a12311bb65a399a9771ab62868939d191d319529e26a8b9943e7213afa47bd
Instruction Fuzzy Hash: 78C1CE70D00649AFDB11DFA8CD46BAEFBB4FF19310F248259F510AB291DB74AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003061C0 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 414libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004CC5D0,F026EBDC,00000000), ref: 00306363
EnterCriticalSection.KERNEL32(004CC5D0,F026EBDC), ref: 00306378
GetCurrentProcess.KERNEL32 ref: 00306385
GetCurrentThread.KERNEL32 ref: 00306393
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0030642D
GetProcAddress.KERNEL32(00000000), ref: 00306434
__Init_thread_footer.LIBCMT ref: 00306448
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 0030667E
LeaveCriticalSection.KERNEL32(004CC5D0,?,00000000), ref: 003067BC

Strings

*** Stack Trace (x86) ***, xrefs: 00306554
Dbghelp.dll, xrefs: 00306428
Nqt, xrefs: 00306434
MODULE_BASE_ADDRESS, xrefs: 003066CB
[0x%.8Ix] , xrefs: 00305F77, 00306685
<--------------------MORE--FRAMES-------------------->, xrefs: 0030661B
SymFromAddr, xrefs: 00306423

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix] $Nqt
API String ID: 1326996155-2623581119
Opcode ID: cb647eec50e726367873d09b84db68d22b97197c73915e563f3558e5551ace55
Instruction ID: 6c7b436b1e379438d42cc2e402599adbd444a390dfb8e9814399240d49b96891
Opcode Fuzzy Hash: cb647eec50e726367873d09b84db68d22b97197c73915e563f3558e5551ace55
Instruction Fuzzy Hash: 35F120719006589FDB25DF24CC99BAEBBB4EF45304F2002EAE409AB2D2DB745B84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003062F0 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 296libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004CC5D0,F026EBDC,00000000), ref: 00306363
EnterCriticalSection.KERNEL32(004CC5D0,F026EBDC), ref: 00306378
GetCurrentProcess.KERNEL32 ref: 00306385
GetCurrentThread.KERNEL32 ref: 00306393
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0030642D
GetProcAddress.KERNEL32(00000000), ref: 00306434
__Init_thread_footer.LIBCMT ref: 00306448
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 0030667E
LeaveCriticalSection.KERNEL32(004CC5D0,?,00000000), ref: 003067BC

Strings

*** Stack Trace (x86) ***, xrefs: 00306554
Dbghelp.dll, xrefs: 00306428
Nqt, xrefs: 00306434
MODULE_BASE_ADDRESS, xrefs: 003066CB
[0x%.8Ix] , xrefs: 00306685
<--------------------MORE--FRAMES-------------------->, xrefs: 0030661B
SymFromAddr, xrefs: 00306423

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$Current$AddressEnterHandleInit_thread_footerInitializeLeaveLibraryLoadModuleProcProcessThread
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix] $Nqt
API String ID: 1326996155-2623581119
Opcode ID: 44f4b273569a66fe096b9161a15aca866ad1c662d89de1939a54d278116926bb
Instruction ID: f1e5d6f76ecc804dadbc9b50a022ca06e26c6f3d3b0541a8bd3c7f43a2babb46
Opcode Fuzzy Hash: 44f4b273569a66fe096b9161a15aca866ad1c662d89de1939a54d278116926bb
Instruction Fuzzy Hash: 21D1FF709006A8DFDB25CF24CC99BEEBBB4AF14705F1041EAE409A7292DB756B84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00308910 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000001F6), ref: 0030895E
GetDlgItem.USER32(?,000001F8), ref: 0030896B
GetDlgItem.USER32(?,000001F7), ref: 003089AD
SetWindowTextW.USER32(00000000,?), ref: 003089BC
ShowWindow.USER32(?,00000005), ref: 00308A22
GetDlgItem.USER32(?,000001F7), ref: 00308A44
SetWindowTextW.USER32(00000000,?), ref: 00308A53
ShowWindow.USER32(?,00000000), ref: 00308AB8
ShowWindow.USER32(?,00000000), ref: 00308ABF
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00308B08
GetDlgItem.USER32(?,00000000), ref: 00308B3A
IsWindow.USER32(00000000), ref: 00308B44
IsRectEmpty.USER32(?), ref: 00308B61
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,00000000,?,?,00000616), ref: 00308B91

Strings

Details >>, xrefs: 00308A2B
Details <<, xrefs: 00308994

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: bf3eae8bc2645033e4c5f7624ce4b9ab3ce85ba2e98acb12840de0a12306b26b
Instruction ID: 38f544bff2b3ecfaeaec5434a3f007c8d25bd228cc4ea5d81e5545ae8084725d
Opcode Fuzzy Hash: bf3eae8bc2645033e4c5f7624ce4b9ab3ce85ba2e98acb12840de0a12306b26b
Instruction Fuzzy Hash: 3D91B071D01609AFDF05DF68DC95BAEBBB4EF08310F104229F541AB691DB34A991CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00330A30 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00343820: LoadLibraryW.KERNEL32(Advapi32.dll,F026EBDC), ref: 003438B1
Part of subcall function 00343820: GetLastError.KERNEL32 ref: 003438DF

LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,F026EBDC), ref: 00330AE2
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,F026EBDC), ref: 00330AF3
LocalAlloc.KERNEL32(00000040,00000014), ref: 00330B68
GetLastError.KERNEL32 ref: 00330B86
LocalFree.KERNEL32(00000000), ref: 00330B97
GetLastError.KERNEL32 ref: 00330BB6
LocalFree.KERNEL32(00000000), ref: 00330BC7
CreateDirectoryW.KERNEL32(?,?), ref: 00330BF0
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,F026EBDC), ref: 00330C44
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,F026EBDC), ref: 00330CA7
LocalFree.KERNEL32(00000000,Everyone,10000000,00000000,F026EBDC), ref: 00330CB1

Strings

q=, xrefs: 00330B7C
q=, xrefs: 00330BAC
Everyone, xrefs: 00330ACA

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocCreateDirectoryLibraryLoad
String ID: Everyone$q=$q=
API String ID: 1481213927-389876732
Opcode ID: 9f3c91ffb88af95a561394c0714025a1c0f1f0e0c7c91230330ccf10bef2473a
Instruction ID: d6fe20385fd34775935f391b658a7a25f15c2b66a6cfde943bc0aebc7b67a2e0
Opcode Fuzzy Hash: 9f3c91ffb88af95a561394c0714025a1c0f1f0e0c7c91230330ccf10bef2473a
Instruction Fuzzy Hash: AF91F9B0E00249ABEF19DFE5D998B9EFBB8AF04704F254129E501AB290DB79D904CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00215200 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 229windowtimeCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,F026EBDC), ref: 00215288

Part of subcall function 001F72B0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 001F72E6

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0021538B
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 0021539F
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 002153B4
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 002153C9
GetWindowTextLengthW.USER32(?), ref: 002153D0
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 002153E0
ClientToScreen.USER32(?,?), ref: 00215400
GetWindowRect.USER32(?,?), ref: 00215412
PtInRect.USER32(?,?,?), ref: 00215422
SendMessageW.USER32(00000000,00000412,00000000), ref: 00215474
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00215484
SetTimer.USER32(?,?,00001388,00000000), ref: 0021549B

Strings

tooltips_class32, xrefs: 00215282
,, xrefs: 0021533A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend$Window$Rect$ClientCreateLengthLongScreenTextTimer
String ID: ,$tooltips_class32
API String ID: 3976673834-3856767331
Opcode ID: 05e748740322a463b48ae7811baacc57d94f3f475ce76b2bd5a8e2ac90da1ea1
Instruction ID: cdd124a8d01623f92bd46b00d77a4e4b55bdb06f5ca726f3a4d55678dfd1a2d8
Opcode Fuzzy Hash: 05e748740322a463b48ae7811baacc57d94f3f475ce76b2bd5a8e2ac90da1ea1
Instruction Fuzzy Hash: B0912A71A00218AFEB14CFA5CC95FAEBBF9FB48700F10852AF516EA690D774A914CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00343820 Relevance: 24.9, APIs: 11, Strings: 3, Instructions: 390libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,F026EBDC), ref: 003438B1
GetLastError.KERNEL32 ref: 003438DF

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 003438F5
FreeLibrary.KERNEL32(00000000), ref: 0034390E
GetLastError.KERNEL32 ref: 0034391B
GetLastError.KERNEL32 ref: 00343B09
GetLastError.KERNEL32 ref: 00343B6E

Strings

Nqt, xrefs: 003438F5
Advapi32.dll, xrefs: 003438AC
ConvertStringSidToSidW, xrefs: 003438EF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW$Nqt
API String ID: 1560807876-1715149547
Opcode ID: aac25d495f7497302f88385ab696fb065b90582b27d493281a2554ec1a53f6a5
Instruction ID: 52b036f0961f6d00875a2c3e2f60b892d325dfc36012eb103fcff06a5bf406f3
Opcode Fuzzy Hash: aac25d495f7497302f88385ab696fb065b90582b27d493281a2554ec1a53f6a5
Instruction Fuzzy Hash: 8AF178B1C01209ABDF11DF94C985BEEBBB4FF09314F204129E914BB290D774AA49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00308600 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002FFF30: LoadLibraryW.KERNEL32(ComCtl32.dll,F026EBDC,?,?,00000000), ref: 002FFF6E
Part of subcall function 002FFF30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 002FFF91
Part of subcall function 002FFF30: FreeLibrary.KERNEL32(00000000), ref: 0030000F

GetDlgItem.USER32(?,000001F4), ref: 00308641
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00308652
GetDC.USER32(00000000), ref: 0030865A
GetDeviceCaps.GDI32(00000000), ref: 00308661
MulDiv.KERNEL32(00000009,00000000), ref: 0030866A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 00308693
GetDlgItem.USER32(?,000001F6), ref: 003086A4
IsWindow.USER32(00000000), ref: 003086AD
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 003086C4
GetDlgItem.USER32(?,000001F8), ref: 003086CE
GetWindowRect.USER32(?,?), ref: 003086DF
GetWindowRect.USER32(?,?), ref: 003086F2
GetWindowRect.USER32(00000000,?), ref: 00308702

Strings

Courier New, xrefs: 00308670

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: 6dcdbd70eaac8a35b7bce1eecbf36a62ab3bd374fe802832fe019df79845b112
Instruction ID: d41f14e2cf36cdc438794c3e8d6dec971c558fc98fe14bd733ab820c909c59ec
Opcode Fuzzy Hash: 6dcdbd70eaac8a35b7bce1eecbf36a62ab3bd374fe802832fe019df79845b112
Instruction Fuzzy Hash: 1841C771B843087BEB55AF25CC56FAE77A9EF48B04F01052DFB057A1D1DAB4A8408B58

Uniqueness

Uniqueness Score: -1.00%

Function 00216970 Relevance: 22.7, APIs: 15, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 002169D7
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 002169E5
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 002169FF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00216A17
SendMessageW.USER32(?,0000130A,00000000,?), ref: 00216A48
CreateRectRgn.GDI32(?,?,?,?), ref: 00216A82
DeleteObject.GDI32(00000000), ref: 00216A99
GetClientRect.USER32(?,?), ref: 00216AB5
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00216AE0
CreateRectRgn.GDI32(?,?,?,?), ref: 00216AFD
SelectClipRgn.GDI32(00000000,00000000), ref: 00216B14
GetParent.USER32(?), ref: 00216B24
SendMessageW.USER32(00000000,00000136,?,?), ref: 00216B35
DeleteObject.GDI32(00000000), ref: 00216B4B
DeleteObject.GDI32(?), ref: 00216B50

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageRectSend$Create$DeleteObject$ClientClipParentSelect
String ID:
API String ID: 1236051970-0
Opcode ID: b3f4191d6e2a56dd5e57af310d455fa1c615b6386a04ae412a1ebeebddbc729e
Instruction ID: 41fa33e53c706ac83b87df30514d03663ec5460beb07aa7b5780bb527c7cadcb
Opcode Fuzzy Hash: b3f4191d6e2a56dd5e57af310d455fa1c615b6386a04ae412a1ebeebddbc729e
Instruction Fuzzy Hash: 13612572904218AFDB219FE4CC49FAEBBB9FF48711F100169F615AB2A0C7716A51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0031A490 Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 455COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,F026EBDC), ref: 0031A4F9
IsWow64Process.KERNEL32(00000000), ref: 0031A500

Part of subcall function 002FC2F0: _wcsrchr.LIBVCRUNTIME ref: 002FC329

_wcsrchr.LIBVCRUNTIME ref: 0031A581
_wcsrchr.LIBVCRUNTIME ref: 0031A617

Strings

.x64, xrefs: 0031A562
TRANSFORMS=":%d", xrefs: 0031A670
"%s" , xrefs: 0031A7BD
/fvomus //, xrefs: 0031A6CA, 0031A71F, 0031A720
EXE_CMD_LINE="%s ", xrefs: 0031A8A2
%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s", xrefs: 0031A84F
/p //, xrefs: 0031A6C1
/i //, xrefs: 0031A6CF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: _wcsrchr$Process$CurrentWow64
String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
API String ID: 657290924-2074823060
Opcode ID: c871f27a3b8de0a285d4902b29a4f1761a8bcb6e39a464a976d56db0498b1e4e
Instruction ID: 918065ac1b5a7f3ff41c64cc9b377d07ea561e768d5a483ef922f9e37a7dbaab
Opcode Fuzzy Hash: c871f27a3b8de0a285d4902b29a4f1761a8bcb6e39a464a976d56db0498b1e4e
Instruction Fuzzy Hash: 00F11530A01A498FDB15DFA8C844BAEB7B5FF09311F15826CE815AB2D2DB74ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0030B080 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 410libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003265B0: GetSystemDefaultLangID.KERNEL32(F026EBDC,0000004C,?,00000048,?), ref: 003265E6

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 0030B1E3
GetProcAddress.KERNEL32(00000000), ref: 0030B1EA
__Init_thread_footer.LIBCMT ref: 0030B201
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 0030B220

Strings

IsWow64Process2, xrefs: 0030B1D9
Nqt, xrefs: 0030B1EA
kernel32, xrefs: 0030B1DE
Search result:, xrefs: 0030B459
Undefined, xrefs: 0030B4BA
No acceptable version found. It must be installed from package., xrefs: 0030B4D3, 0030B4D4
Wrong OS or Os language for:, xrefs: 0030B54B
Searching for:, xrefs: 0030B2D9

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressCurrentDefaultHandleInit_thread_footerLangModuleProcProcessSystem
String ID: IsWow64Process2$No acceptable version found. It must be installed from package.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32$Nqt
API String ID: 52476621-932281551
Opcode ID: 68dd44e13cc985ddb21c83d8c773389daa2d8a9f0d77032f2fe6563aeac8f296
Instruction ID: 93a176bde4a0f87d16e6ea0d6b918a7f590f3efa4d70d09d2f2f9527144ceba5
Opcode Fuzzy Hash: 68dd44e13cc985ddb21c83d8c773389daa2d8a9f0d77032f2fe6563aeac8f296
Instruction Fuzzy Hash: 72F1BC70901604DFCB15DFA9C8A4BAEF7B5FF45310F2582ADE416AB2D2DB31A946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0021B200 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 358libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 0021B328
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 0021B341
GetProcAddress.KERNEL32(00000043,ShutdownEmbeddedUI), ref: 0021B34D
GetProcAddress.KERNEL32(00000043,EmbeddedUIHandler), ref: 0021B35A

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Strings

INAN, xrefs: 0021B235
EmbeddedUIHandler, xrefs: 0021B34F
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 0021B289
20.2, xrefs: 0021B43A
build , xrefs: 0021B44F
ShutdownEmbeddedUI, xrefs: 0021B343
2c3f1cf9, xrefs: 0021B45E
InitializeEmbeddedUI, xrefs: 0021B33B

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressProc$HeapInit_thread_footer$AllocLibraryLoadProcess
String ID: build $20.2$2c3f1cf9$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
API String ID: 1086585969-3504904618
Opcode ID: 7b490bb59ac21223800623b766cb4ed47a33a0014694fdd3fe9a1312cec967e9
Instruction ID: 15945aa8342b0e86104d4fdc784ca6e4319e85dcf1334bc5f233fc0b58a9a41a
Opcode Fuzzy Hash: 7b490bb59ac21223800623b766cb4ed47a33a0014694fdd3fe9a1312cec967e9
Instruction Fuzzy Hash: B9D1DE70D1060A9FDB05DFA8CC55BEEBBB4FF18310F148629E915A72C1EB74AA54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001EEE80 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 267libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,F026EBDC,0045ADDC,?,?,?,?,?,?,?,?,?,?,?,F026EBDC), ref: 001EEEFB
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001EEF01
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,0044329C,00000000,00000000,00000000), ref: 001EF08B

Strings

RoGetActivationFactory, xrefs: 001EEEF1
CoIncrementMTAUsage, xrefs: 001EEF8C
DllGetActivationFactory, xrefs: 001EF0CE
.dll, xrefs: 001EF072
combase.dll, xrefs: 001EEEF6, 001EEF91

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1469910268-2454113998
Opcode ID: 0c73976b3376587c2ed374e52770a50d9a397f5ec412b5ab9d5c87f019539fea
Instruction ID: f5f95db1f9ffb0810d25aa89a8ef7b733b2e3cac1840fc6a139e508ba3383147
Opcode Fuzzy Hash: 0c73976b3376587c2ed374e52770a50d9a397f5ec412b5ab9d5c87f019539fea
Instruction Fuzzy Hash: 7BB19B71D00689EFDF15DFAAD845BAEBBF1EF58300F24412DE811AB291DB70AA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001EE620 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 233libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory), ref: 001EE62E
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001EE634
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?), ref: 001EE667
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001EE66D
LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,Function_0026329C,00000000,00000000,00000000), ref: 001EE78D
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 001EE7D6

Strings

RoGetActivationFactory, xrefs: 001EE624
CoIncrementMTAUsage, xrefs: 001EE65D
DllGetActivationFactory, xrefs: 001EE7D0
.dll, xrefs: 001EE774
combase.dll, xrefs: 001EE629, 001EE662

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: dea6218fdb5fe595c52ba02e540f0f9fbae0745d780300d86431a98e533024d7
Instruction ID: a7853452ccc4c3fffd106b8158b2a39a4e69f4425714a33ec609f4065cf5332b
Opcode Fuzzy Hash: dea6218fdb5fe595c52ba02e540f0f9fbae0745d780300d86431a98e533024d7
Instruction Fuzzy Hash: 2F918031D10689DFEF15DFAAD895BAEBBF1FF58300F244129E411A7290EB749A44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00331450 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 319synchronizationfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 0033175A

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

ResetEvent.KERNEL32(00000000,F026EBDC,?,?,00000000,004222FD,000000FF,?,80004005), ref: 003317EF
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,004222FD,000000FF,?,80004005), ref: 0033180F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,004222FD,000000FF,?,80004005), ref: 0033181A

Strings

[m=, xrefs: 003317FD, 00331835
http://www.google.com, xrefs: 003315AE
http://www.example.com, xrefs: 003315BF
tin9999.tmp, xrefs: 003315A9
h3, xrefs: 00331827
TEST, xrefs: 003315A2
http://www.yahoo.com, xrefs: 003315B8

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: HeapInit_thread_footerObjectSingleWait$AllocDeleteEventFileFindProcessResetResource
String ID: h3$TEST$[m=$http://www.example.com$http://www.google.com$http://www.yahoo.com$tin9999.tmp
API String ID: 639690705-3557471699
Opcode ID: 29b70d74859b335e7279eb3cea4635d09543a4cde265fd58affaecae2e5cce9f
Instruction ID: f4ec00baf17269206bad91b8ccc56c3c537932dc8a163b82a89298eb1af7abbc
Opcode Fuzzy Hash: 29b70d74859b335e7279eb3cea4635d09543a4cde265fd58affaecae2e5cce9f
Instruction Fuzzy Hash: 0FC11531900649DFDB11DFA9CC45BAEB7B8FF05310F1582ADE816AB291DB74AE04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002001F0 Relevance: 18.3, APIs: 12, Instructions: 337windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00200244
GetWindowRect.USER32(?,?), ref: 00200323
GetClientRect.USER32(?,?), ref: 00200335
GetWindowDC.USER32(?), ref: 00200347
CreateCompatibleDC.GDI32(00000000), ref: 00200374
CreateCompatibleBitmap.GDI32(00000000), ref: 002003B6
SelectObject.GDI32(00000000,00000000), ref: 002003C5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: RectWindow$CompatibleCreate$BitmapClientObjectSelect
String ID:
API String ID: 2032541772-0
Opcode ID: 07f7686a338314a71f07e8d68188bc0efd05dbcd1a215593874c39ebdead92d1
Instruction ID: c02c9910ee30b8312dcfc729915f87278e05c576f437cba6783c790302b1095a
Opcode Fuzzy Hash: 07f7686a338314a71f07e8d68188bc0efd05dbcd1a215593874c39ebdead92d1
Instruction Fuzzy Hash: 05E13771D047199FEB60CFA8C944B9EBBF8EF09710F1042A9E809A7292D7706A50CF54

Uniqueness

Uniqueness Score: -1.00%

Function 003310D0 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 302libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002BA630: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002BA671

GetLastError.KERNEL32(F026EBDC,?,?,?,004221DD,000000FF,?,00314362,?), ref: 0033113D
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 003312CD
GetProcAddress.KERNEL32(00000000,GetPackagePath), ref: 00331326
FreeLibrary.KERNEL32(00000000,?,?,?,?,004221DD,000000FF,?,00314362,?), ref: 00331414

Strings

Kernel32.dll, xrefs: 00331111
x86, xrefs: 00331185
GetPackagePath, xrefs: 003312C7, 00331320
Nqt, xrefs: 003312CD, 00331326
x64, xrefs: 003311B6
neutral, xrefs: 003311D2

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressProc$DirectoryErrorFreeLastLibrarySystem
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86$Nqt
API String ID: 2155880084-986992180
Opcode ID: 89cf965ed8167d2ada6f9e565e98b9b3f00a991a9849367e7e0bcceaab61fa26
Instruction ID: 48de537963787ff127526cee96f7fb085ae7b35f2e20f50b3f7c0b378c8ffdb0
Opcode Fuzzy Hash: 89cf965ed8167d2ada6f9e565e98b9b3f00a991a9849367e7e0bcceaab61fa26
Instruction Fuzzy Hash: 78C17870A00609DFDB05CFA8C984BADFBB4FF09314F158269E805EB291EB75E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00312210 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00306E80: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00312271,?,F026EBDC,?,?), ref: 00306E9B
Part of subcall function 00306E80: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00306EB1
Part of subcall function 00306E80: FreeLibrary.KERNEL32(00000000), ref: 00306EEA

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,F026EBDC,?,?), ref: 00312450

Strings

AI_BOOTSTRAPPERLANGS, xrefs: 00312522, 0031256A
Shell32.dll, xrefs: 00312293
Shlwapi.dll, xrefs: 00312267
AppDataFolder, xrefs: 003123B8, 003123F5
ProgramFiles, xrefs: 00312350, 00312365, 0031236D
APPDATA, xrefs: 00312447, 0031244F
PROGRAMFILES, xrefs: 0031242D
ProgramFilesFolder, xrefs: 003122D7

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Library$AddressEnvironmentFreeLoadProcVariable
String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
API String ID: 788177547-1020860216
Opcode ID: b266a2bc034809419262f5d22d391587f82979fffe2580fc68675ac75d8ff392
Instruction ID: 6c9fdf2a5d26c274d5b95ffe0409e24e903195fe96a2f65ff7aeba282637359e
Opcode Fuzzy Hash: b266a2bc034809419262f5d22d391587f82979fffe2580fc68675ac75d8ff392
Instruction Fuzzy Hash: C99126756002059FDB29EF24C845BFBB3A5FF28314F114969E80687391EB35DE95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00308440 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00308451
DeleteObject.GDI32(?), ref: 003084A9
EndDialog.USER32(?,00000000), ref: 00308529

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DeleteDialogLongObjectWindow
String ID:
API String ID: 1328495006-0
Opcode ID: e5fec08681110b188c7b3cb3a3f0276eaae2fca9959553f021108812d53e2c6a
Instruction ID: 6e42c82e0a5d051aa08f6542616f4d885820a374eddb09ed9b894dee6a5a2195
Opcode Fuzzy Hash: e5fec08681110b188c7b3cb3a3f0276eaae2fca9959553f021108812d53e2c6a
Instruction Fuzzy Hash: FF41F3326152145BC6399F3DAC19B7B3B9CDB86731F00072AFD91C66D0CA61DC11CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 001F9710 Relevance: 15.1, APIs: 10, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 001F9751
GetClientRect.USER32(?,?), ref: 001F9778
CreateCompatibleDC.GDI32(?), ref: 001F9788
CreateCompatibleBitmap.GDI32(?,?,?), ref: 001F97A9
DeleteDC.GDI32(00000000), ref: 001F97B6
FillRect.USER32(?,?,00000006), ref: 001F97FA

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CompatibleCreateRect$BitmapClientDeleteFill
String ID:
API String ID: 1262984673-0
Opcode ID: bb1610ca373155747df44583dd27174fccac6df8a9c304029dff31a10618fe9f
Instruction ID: e2818ff40c98d400c8e9bc6f1882c0e4f44e5f3f13242f23fb37e4134bb96789
Opcode Fuzzy Hash: bb1610ca373155747df44583dd27174fccac6df8a9c304029dff31a10618fe9f
Instruction Fuzzy Hash: AB31CE721083099FC755FF28D888F2ABBE8BF88314F04096DF98686262DB31D840CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001F0EC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 221libraryloaderCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001F0F61

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 001F0FAA
GetProcAddress.KERNEL32(00000000), ref: 001F0FB1
__Init_thread_footer.LIBCMT ref: 001F0FC5

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

GetTempPathW.KERNEL32(00000104,?,F026EBDC,?), ref: 001F0FF2

Strings

Kernel32.dll, xrefs: 001F0FA5
Nqt, xrefs: 001F0FB1
GetTempPath2W, xrefs: 001F0FA0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionHandleModulePathProcTempVariableWake
String ID: GetTempPath2W$Kernel32.dll$Nqt
API String ID: 3676318360-4066745456
Opcode ID: 240a22ab7998a80642c0f5bef4a2e744f86ede51bd6aa88cc3132f1cbcc6c990
Instruction ID: eb8d87342448c2ef48e1d720421efb9cae588ead0915a300bb8db5504b6d6e12
Opcode Fuzzy Hash: 240a22ab7998a80642c0f5bef4a2e744f86ede51bd6aa88cc3132f1cbcc6c990
Instruction Fuzzy Hash: 5781E3B1D00248EFDB24DF98DC89BEEB7B4EB18710F10426DE509A7281DB786E44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00334960 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

[m=, xrefs: 00334CAB, 00334CDA, 00334CFF, 00334E78
em=, xrefs: 00334CF8, 0033585F
h3, xrefs: 00334C3B, 00334CCE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID: h3$[m=$em=
API String ID: 275895251-1624596387
Opcode ID: d0fb94b1fad6b6485f7887d6dc12b5406eb6c4d465a15aa49ef4200c4585058b
Instruction ID: 12aea1110ae3dc1761ea4dbdc708442411d15d945aeac39bc3f1322521174bce
Opcode Fuzzy Hash: d0fb94b1fad6b6485f7887d6dc12b5406eb6c4d465a15aa49ef4200c4585058b
Instruction Fuzzy Hash: EE818C70A01249DFDF11CFA8C984B9EBBB5FF49320F158269E914AB392C774A944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00336890 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 178fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1,00000003,?,00314B98), ref: 00336983
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 003369C7
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 003369E4
CloseHandle.KERNEL32(00000000), ref: 003369FE
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00336A3D

Strings

ps1, xrefs: 003368F9, 0033690B, 00336915, 00336926
Unable to get temp file , xrefs: 00336964
Unable to save script file , xrefs: 00336A0D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$CloseHandleInit_thread_footerWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 2821137686-4253966538
Opcode ID: 4110fac82cd1272786e92d43a61dcac639ca665564158dc1c96bc9286bc3d302
Instruction ID: 556e775b8f66d94e8d25fe07cf3858cbefcc2db73b4b1a2668dbcd13a9c22509
Opcode Fuzzy Hash: 4110fac82cd1272786e92d43a61dcac639ca665564158dc1c96bc9286bc3d302
Instruction Fuzzy Hash: 5051F970900649AFDB11DF68CD46B9EBBB8AF05714F14C159F900BB2D2D7749E08CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 001FD0A0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FD18F

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,F026EBDE), ref: 001FD1E3
CloseHandle.KERNEL32(00000000), ref: 001FD240

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 001FD2A7
CloseHandle.KERNEL32(00000000,777DCF00), ref: 001FD2CD

Strings

aix, xrefs: 001FD1A1
L, xrefs: 001FD27B
html, xrefs: 001FD19C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html$L
API String ID: 2030708724-4274302322
Opcode ID: 571c4b29cffffd77040aae8b45b20f45fe169cdd33954fb053b27811f0e13dd5
Instruction ID: 5137e862bd22f3345d0e9e1a5fbae44e95acd238969bc0de116b041d165bbc02
Opcode Fuzzy Hash: 571c4b29cffffd77040aae8b45b20f45fe169cdd33954fb053b27811f0e13dd5
Instruction Fuzzy Hash: 65619DB0901388DFEB14CF95DC59BAEBBF4FB04708F10412DE5016B291DBB96A08CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00325700 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 148libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 0032573C
GetUserDefaultLangID.KERNEL32 ref: 00325749
LoadLibraryW.KERNEL32(kernel32.dll), ref: 0032575B
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 0032576F
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00325784

Strings

GetUserDefaultUILanguage, xrefs: 0032577E
GetSystemDefaultUILanguage, xrefs: 00325769
kernel32.dll, xrefs: 00325752

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: b7f9e034f0e8d0e52567d9d9d28e016dfab6c1265650119acbd3bd62dde153e8
Instruction ID: ffd9b516a36d975d82cb9fbc82a0e09c9f5a63d0bc757ba869b20b26e293d143
Opcode Fuzzy Hash: b7f9e034f0e8d0e52567d9d9d28e016dfab6c1265650119acbd3bd62dde153e8
Instruction Fuzzy Hash: 3941BD70A04721DFC745EF28E85067AB7E1AFE8311F92192EF886C7240EB34CA45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001E26E0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004C948C,00000000,F026EBDC,00000000,00414033,000000FF,?,F026EBDC), ref: 001E2853
GetLastError.KERNEL32(?,F026EBDC), ref: 001E285D

Strings

VolumeCostRequired, xrefs: 001E2729
VolumeCostDifference, xrefs: 001E2733
Pr., xrefs: 001E289E
VolumeCostVolume, xrefs: 001E270D, 001E27C5
VolumeCostSize, xrefs: 001E2717
VolumeCostAvailable, xrefs: 001E2720

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: Pr.$VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-3319657408
Opcode ID: fb3847c191f3e51d5dbda59cf03abc00ab25f6c2e86cb66d143871da63c38f83
Instruction ID: 9ad02bdfe6278577be00486bd8ad6c3ced76c4bb6b27885e7332c7acba1159cf
Opcode Fuzzy Hash: fb3847c191f3e51d5dbda59cf03abc00ab25f6c2e86cb66d143871da63c38f83
Instruction Fuzzy Hash: 325104B1D04A48EBDB04CFA5DC19BAEBBF8FB08715F10422AE81597391E7795908CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 003435B0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 003435C0
LoadLibraryW.KERNEL32(Shell32.dll), ref: 003435D3
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 003435E3
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0034366C
SHGetMalloc.SHELL32(?), ref: 003436AE

Strings

Shell32.dll, xrefs: 003435CE
Nqt, xrefs: 003435E3
SHGetSpecialFolderPathW, xrefs: 003435DD

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll$Nqt
API String ID: 2352187698-1595809170
Opcode ID: 80f31f709ec4c710ecebc375a94a46a33a2bd0be55f25a3108bd626c853f0150
Instruction ID: f11352f76f98a8a4ca902cbd190d15bf8daee393553bcbad13ca3dd1c17c1288
Opcode Fuzzy Hash: 80f31f709ec4c710ecebc375a94a46a33a2bd0be55f25a3108bd626c853f0150
Instruction Fuzzy Hash: 90310771600302ABDB269F24DC85B67B7F5EFC4701F57C42CE8858B2D0EB79A9458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00334010 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00334071

Strings

Local Network Server, xrefs: 003347F8, 0033480A, 00334814
FTP Server, xrefs: 00334A58, 00334A6A, 00334A74
[m=, xrefs: 00334CFF, 00334E78
em=, xrefs: 00334CF8, 0033585F
HTTP/1.0, xrefs: 00334E68
qp=, xrefs: 00334778
*/*, xrefs: 00334DF0
GET, xrefs: 003341F9

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ErrorLast
String ID: */*$FTP Server$GET$HTTP/1.0$Local Network Server$[m=$em=$qp=
API String ID: 1452528299-3896471185
Opcode ID: 6ed3fc7c0d1f4b550da69866c102a540dda9813b078365aa1fdc75538829ef29
Instruction ID: 7f860402c9bd53ed6662c5c62d4d2129b62f73a1aa138486859af62860d8eb88
Opcode Fuzzy Hash: 6ed3fc7c0d1f4b550da69866c102a540dda9813b078365aa1fdc75538829ef29
Instruction Fuzzy Hash: F941D8B1E006059BDB11DFA5CC85FAFB7F8EF15310F114529E911EB2D1DB74A9008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002AE520 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 342COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002AE7C5
SystemParametersInfoW.USER32(00000030,00000000,004CE9A4,00000000), ref: 002AE7FC
__Init_thread_footer.LIBCMT ref: 002AE891

Strings

PuD, xrefs: 002AE66B
`Dialog` = ', xrefs: 002AE5F1
Dialog, xrefs: 002AE63C
AI_FRAME_NO_CAPTION_, xrefs: 002AE575

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$InfoParametersSystem
String ID: AI_FRAME_NO_CAPTION_$Dialog$PuD$`Dialog` = '
API String ID: 3910108132-1954572031
Opcode ID: 5ba0fdcbe89f968c2a457a527aa315e8f97734f314f32178261da9b56ccf9d91
Instruction ID: fecb220322623bd115d6b059a79739421a5a15abbee2668fabca1499198d18f4
Opcode Fuzzy Hash: 5ba0fdcbe89f968c2a457a527aa315e8f97734f314f32178261da9b56ccf9d91
Instruction Fuzzy Hash: 99D100B1E10244CFCB54CF78CD85B9EB7B4EF59300F24822EE915AB2A1DB74A905CB95

Uniqueness

Uniqueness Score: -1.00%

Function 001E96A0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 230COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001E9785
__Init_thread_footer.LIBCMT ref: 001E97D0

Strings

hL, xrefs: 001E97DF
<a href=", xrefs: 001E9745
hL, xrefs: 001E974A
<a>, xrefs: 001E9978
</a>, xrefs: 001E98D6

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>$hL$hL
API String ID: 1385522511-4177630360
Opcode ID: 443f1f935375c257beb90491947fabb68bebd41182317cbd8046f62205535e38
Instruction ID: 73ae145d96605e9b87cd84a411fd96a3fb94b5df0655f6356d65b10ba8042f3a
Opcode Fuzzy Hash: 443f1f935375c257beb90491947fabb68bebd41182317cbd8046f62205535e38
Instruction Fuzzy Hash: CE91DB70A00B44EFDB04DFA9D855FADB7B1FF58318F204229E015AB2D1EB34AA44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001F9050 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,F026EBDC,?,?,00000000,?), ref: 001F908E
GetCurrentThreadId.KERNEL32 ref: 001F90CF
EnterCriticalSection.KERNEL32(004CE7BC), ref: 001F90EF
LeaveCriticalSection.KERNEL32(004CE7BC), ref: 001F9113
CreateWindowExW.USER32(00000000,00000000,00000000,004CE7BC,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 001F916E

Part of subcall function 003AFA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00325F3E,?,?,?,?,?,?), ref: 003AFA18
Part of subcall function 003AFA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 003AFA1F

Strings

AXWIN UI Window, xrefs: 001F91E5
KL, xrefs: 001F9134

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window$KL
API String ID: 213679520-2179203408
Opcode ID: 0429a713bacb892ad57986a2b96f45964e42c352316315b40a3b4311325701c0
Instruction ID: 51c7e63a097dd855122ceb83132c5a98c898f86bdba8ebc4d2540a18fb7aed80
Opcode Fuzzy Hash: 0429a713bacb892ad57986a2b96f45964e42c352316315b40a3b4311325701c0
Instruction Fuzzy Hash: 8651C235604309AFDB10DF59DD04FAABBB8FB98714F10812EFE14AB280D775A914CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00306E80 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,00312271,?,F026EBDC,?,?), ref: 00306E9B
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00306EB1
FreeLibrary.KERNEL32(00000000), ref: 00306EEA
FreeLibrary.KERNEL32(00000000,?,?,?,?,00312271,?,F026EBDC,?,?), ref: 00306F06

Strings

Shlwapi.dll, xrefs: 00306E9A
Nqt, xrefs: 00306EB1
DllGetVersion, xrefs: 00306EAB

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll$Nqt
API String ID: 1386263645-3712805009
Opcode ID: 607c9dc7a773623e5697582aae7a880a7d82075a75ae95f4e9e5978ba48c6218
Instruction ID: 918acdf314014e0a74c64a3b84a2d2c73c9dd784e5881a685fbf9bd40652e0e6
Opcode Fuzzy Hash: 607c9dc7a773623e5697582aae7a880a7d82075a75ae95f4e9e5978ba48c6218
Instruction Fuzzy Hash: E821A4726043068BC305AF29E851A6BF7E4FFDD711B81092DF449C7252EB35D80987A2

Uniqueness

Uniqueness Score: -1.00%

Function 003AD1CE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,003AD249,003AD1AC,003AD44D), ref: 003AD1E5
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 003AD1FB
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 003AD210

Strings

ReleaseSRWLockExclusive, xrefs: 003AD205
Nqt, xrefs: 003AD1FB, 003AD210
KERNEL32.DLL, xrefs: 003AD1E0
AcquireSRWLockExclusive, xrefs: 003AD1F5

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$Nqt
API String ID: 667068680-2151535928
Opcode ID: 6e819463211363cae383d4b74aec1452365b90f5db4c28b30b13e21f59d52641
Instruction ID: 47f696f0f013a7b92a9886fa8503bab1c204601bb28404870d6135cda228a662
Opcode Fuzzy Hash: 6e819463211363cae383d4b74aec1452365b90f5db4c28b30b13e21f59d52641
Instruction Fuzzy Hash: 28F0C2313853129B4BA36F645C98B6667D8EA1B350326083EF943D7E41EE24CC48DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 002DD0B0 Relevance: 12.2, APIs: 8, Instructions: 189windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 002DD136
SelectObject.GDI32(00000000,?), ref: 002DD1B4
SetBkMode.GDI32(00000000,00000001), ref: 002DD1C2
SetTextColor.GDI32(00000000), ref: 002DD207
GetWindowLongW.USER32(00000000), ref: 002DD21B
SendMessageW.USER32(00000000), ref: 002DD239
DrawTextW.USER32(00000000,00000010,?,?,00000010), ref: 002DD288
SelectObject.GDI32(00000000,?), ref: 002DD294

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ObjectSelectTextWindow$CallColorDrawLongMessageModeProcSend
String ID:
API String ID: 3580941354-0
Opcode ID: e493a6cd268e36fad23224cd6cac0f1e032db13218d716847ab88de705ff4b6b
Instruction ID: ce8c9de1f898c24159ce45da718fc012c44d83fc9a7b6b0da63c3f27ad50727e
Opcode Fuzzy Hash: e493a6cd268e36fad23224cd6cac0f1e032db13218d716847ab88de705ff4b6b
Instruction Fuzzy Hash: 5F715871A00649AFDB14CFA8CC48FADBBB5FF48310F108269F915AB2A5C770A851CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00200050 Relevance: 12.1, APIs: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0020007A
GetWindow.USER32(?,00000005), ref: 00200087
GetWindow.USER32(00000000,00000002), ref: 002001C2

Part of subcall function 001FFED0: GetWindowRect.USER32(?,?), ref: 001FFEFC
Part of subcall function 001FFED0: GetWindowRect.USER32(?,?), ref: 001FFF0C

GetWindowRect.USER32(?,?), ref: 0020011B
GetWindowRect.USER32(00000000,?), ref: 0020012B
GetWindowRect.USER32(00000000,?), ref: 00200145

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: 2e9ab65c23b833f54600235607f27612666fa2d6b2b06e5aab7a4c6241e19c14
Instruction ID: ec8cc7cca16e4379c91c8e87fc64848b0dc280a7c42efa73b79b63eb28315263
Opcode Fuzzy Hash: 2e9ab65c23b833f54600235607f27612666fa2d6b2b06e5aab7a4c6241e19c14
Instruction Fuzzy Hash: BA417D315147019BD321DF29C9C0A6BF7FABF96704F504A2DF089925A2EB30E995CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00208100 Relevance: 12.1, APIs: 8, Instructions: 125COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,F026EBDC,?,00000000,?,?,?,?,?,00000000,003DE445,000000FF,?,00207EC2,?,?), ref: 00208142
GetWindowRect.USER32(?,?), ref: 00208161
IsWindowEnabled.USER32(?), ref: 00208170
SelectObject.GDI32(00000000,00000000), ref: 002081CE
ExcludeClipRect.GDI32(?,?,?,?,00000000), ref: 002081F8
SelectObject.GDI32(?,?), ref: 00208212
DeleteObject.GDI32(00000000), ref: 00208221
DeleteDC.GDI32(?), ref: 00208244

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ObjectWindow$DeleteRectSelect$ClipEnabledExclude
String ID:
API String ID: 3871716574-0
Opcode ID: 279fb300b403547b9aac53801db6857c70a0fb1a764a445c4de7b0ee740e96a7
Instruction ID: 3da1c025efbdc14878dca345629323dc139bcc6c4b5e39007e56964a30d9f95c
Opcode Fuzzy Hash: 279fb300b403547b9aac53801db6857c70a0fb1a764a445c4de7b0ee740e96a7
Instruction Fuzzy Hash: C1415E71A04219AFDB14CFA9DD48BAEFBB9FF88710F104269F905A7291CB745901CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00300330 Relevance: 10.8, APIs: 7, Instructions: 346fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,F026EBDC), ref: 003003B9
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 0030042B
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 003006CC
CloseHandle.KERNEL32(?), ref: 0030072A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$Read$CloseCreateHandle
String ID:
API String ID: 1724936099-0
Opcode ID: 71940e5ba84eb2e9531d77bb2b9fd8698d41472f296ad025db3981a462c062a3
Instruction ID: eb9bd7216ff7a59bd60e9c1ffd22a9c3321224fe04ae2a1451a4f148aaf1da09
Opcode Fuzzy Hash: 71940e5ba84eb2e9531d77bb2b9fd8698d41472f296ad025db3981a462c062a3
Instruction Fuzzy Hash: DCD18D71D013489BDB29CFA8CD59BAEBBB5AF45704F20821DE415AB2C1D774AA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001FD310 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 285registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,F026EBDC), ref: 001FD3B1
GetLastError.KERNEL32 ref: 001FD3DA
RegCloseKey.ADVAPI32(?,Function_0026329C,00000000,Function_0026329C,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 001FD64E
CloseHandle.KERNEL32(?,F026EBDC,?,?,00000000,003DC7CD,000000FF,?,Function_0026329C,00000000,Function_0026329C,00000000,?,80000001,00000001,00000000), ref: 001FD6DE

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 001FD3A6
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 001FD412

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: f2072fddf959af5a0b495f2bb89aa62c9e0d493ce67ec3c9e412e4b1e8624d6d
Instruction ID: 8a36ea9ac61f5ab40e5488ed51b5dc31294b1fbfeda7978d915fdd7d388eaa3b
Opcode Fuzzy Hash: f2072fddf959af5a0b495f2bb89aa62c9e0d493ce67ec3c9e412e4b1e8624d6d
Instruction Fuzzy Hash: 98C1ED70D00348DFDB14CF68D858BAEBBB1FF55304F24829DE559A7281DB74AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F0720 Relevance: 10.7, APIs: 7, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 001F0814
SysFreeString.OLEAUT32(00000000), ref: 001F0889
GetProcessHeap.KERNEL32(?,?), ref: 001F08F9
HeapFree.KERNEL32(00000000,?,?), ref: 001F08FF
GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000,00000000,F026EBDC,0045ADDC,00000000), ref: 001F092C
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,F026EBDC,0045ADDC,00000000), ref: 001F0932
SysFreeString.OLEAUT32(00000000), ref: 001F094A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: 6e3a3453e9651ec14d4972ad888fade9ed9b80593eb647e080cae03b31caac8e
Instruction ID: 67638025e8a4652a6749893817fc319bba4f9454cc8610269e2658993575990c
Opcode Fuzzy Hash: 6e3a3453e9651ec14d4972ad888fade9ed9b80593eb647e080cae03b31caac8e
Instruction Fuzzy Hash: 3B816B70D0025DDBEF16DFA8C844BBEBBB4BF09314F144559E515AB2C2D7B8AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002FC5D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,004148ED,000000FF,?,002FC8E6,?), ref: 002FC673

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

RemoveDirectoryW.KERNEL32(?,F026EBDC,?,?,?,?,004148ED,000000FF,?,002FC8E6,?,00000000), ref: 002FC6A2
GetLastError.KERNEL32(?,F026EBDC,?,?,?,?,004148ED,000000FF,?,002FC8E6,?,00000000), ref: 002FC6B2
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,004148ED,000000FF,?,80004005,F026EBDC,?), ref: 002FC783
GetLastError.KERNEL32(?,?,?,00000000,004148ED,000000FF,?,80004005,F026EBDC,?,?,?,?,004148ED,000000FF), ref: 002FC7C2

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Strings

\\?\, xrefs: 002FC634, 002FC646, 002FC650, 002FC744, 002FC756, 002FC760

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DirectoryErrorInit_thread_footerLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 34920479-4282027825
Opcode ID: 12a3fcc4fd864d1dfe1c800f0c77638c2ac8880e3aaadadee6e2f2cf7e4b7ccd
Instruction ID: 0ecf7439c5dd4e864ed766e0b1c90c72e239dcd23d027c674fe40c79acd3ca91
Opcode Fuzzy Hash: 12a3fcc4fd864d1dfe1c800f0c77638c2ac8880e3aaadadee6e2f2cf7e4b7ccd
Instruction Fuzzy Hash: 2C51DD719006099FDB10EF68C948BAAF3F8EF04361F21462AFA61D7290CB75AD148F94

Uniqueness

Uniqueness Score: -1.00%

Function 002FE070 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 002FE1E6
GetLastError.KERNEL32 ref: 002FE1F7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 002FE213
GetExitCodeProcess.KERNEL32 ref: 002FE224
CloseHandle.KERNEL32(00000000), ref: 002FE232

Strings

open, xrefs: 002FE107

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: open
API String ID: 1481985272-2758837156
Opcode ID: a5f88aadaf353e371ca63ded411ea78c1b07210077082e60aac4ce69b3587759
Instruction ID: 4eef7f095ee7c27c95254c94ee5309bb0b3278c297976b85ade668d7bedfe193
Opcode Fuzzy Hash: a5f88aadaf353e371ca63ded411ea78c1b07210077082e60aac4ce69b3587759
Instruction Fuzzy Hash: 75617A71A0064A9BDB10CFA9C8447AEFBB4FF49364F194269E924AB3A1D7749D00CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002F6B50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002F6B84
std::_Lockit::_Lockit.LIBCPMT ref: 002F6BA6
std::_Lockit::~_Lockit.LIBCPMT ref: 002F6BCE
std::_Facet_Register.LIBCPMT ref: 002F6CB7
std::_Lockit::~_Lockit.LIBCPMT ref: 002F6CE1

Strings

PR", xrefs: 002F6C78

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: PR"
API String ID: 459529453-3457190288
Opcode ID: ff1ed76dadd55ae2657be028ce5c8e99fc2838b290cf90e9f90546bbde0d60ff
Instruction ID: 112d83a6564f5af087ec9a1d7acec03cc036117cbac0db2c771f5884e02b449f
Opcode Fuzzy Hash: ff1ed76dadd55ae2657be028ce5c8e99fc2838b290cf90e9f90546bbde0d60ff
Instruction Fuzzy Hash: B451D2B0910219DFDB11CF58D888BAEBBB0EF01354F24816EE496AF391D775AE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003BB5F9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F026EBDC,?,?,00000000,00435D89,000000FF,?,003BB589,?,?,003BB55D,?), ref: 003BB62E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003BB640
FreeLibrary.KERNEL32(00000000,?,00000000,00435D89,000000FF,?,003BB589,?,?,003BB55D,?), ref: 003BB662

Strings

CorExitProcess, xrefs: 003BB638
Nqt, xrefs: 003BB640
mscoree.dll, xrefs: 003BB627

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$Nqt
API String ID: 4061214504-548968907
Opcode ID: c98c1a22bb39334b7cbd23870269509382bfb4ba151095748f964ff3a7040951
Instruction ID: 42afadd2361205ee03e10a4bf217b0605a3970e09c4f10ea3ccfe7d5dc078842
Opcode Fuzzy Hash: c98c1a22bb39334b7cbd23870269509382bfb4ba151095748f964ff3a7040951
Instruction Fuzzy Hash: 4C01A731940719EFDB118B51DC05FAEF7B8FB08715F01062AF911A26E0DF749800CA98

Uniqueness

Uniqueness Score: -1.00%

Function 00305640 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC,?,?), ref: 003B03BA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0030569E
GetProcAddress.KERNEL32(00000000), ref: 003056A5
__Init_thread_footer.LIBCMT ref: 003056BC

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

Strings

Dbghelp.dll, xrefs: 00305699
Nqt, xrefs: 003056A5
SymFromAddr, xrefs: 00305694

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionInit_thread_footerLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr$Nqt
API String ID: 3268644551-3399073288
Opcode ID: b1c99cde2cba6df971472e76979a808c7de6fb7b6277cd8c00299e6914c092e1
Instruction ID: 1eb5655082d2c395054ba3efc6d471e8df3d79c62fbc0af5b7618f21fbd4d0a0
Opcode Fuzzy Hash: b1c99cde2cba6df971472e76979a808c7de6fb7b6277cd8c00299e6914c092e1
Instruction Fuzzy Hash: 4C019AB5940748EFCB50CF59EC45F55BBA4F708B21F20423AE925877D0DB79A8008B18

Uniqueness

Uniqueness Score: -1.00%

Function 00341120 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 244fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00341154

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

DeleteFileW.KERNEL32(?), ref: 003411FA
_wcsrchr.LIBVCRUNTIME ref: 00341269
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0034132F

Part of subcall function 00300270: LoadStringW.USER32(000000A1,?,00000514,F026EBDC), ref: 003001D6

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 003411AE

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DeleteFileInit_thread_footer_wcsrchr$HeapLoadProcessString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 2702461799-3685554107
Opcode ID: 8077df71aa5d4e0fdf9efcec6bfab7847f27e3c10ef7cff10f6a093070f63d01
Instruction ID: 3a338ba472efb475b6c33a2b12dbcd73c4ed3edc51b0e4f3ebdf6a97cc838d4e
Opcode Fuzzy Hash: 8077df71aa5d4e0fdf9efcec6bfab7847f27e3c10ef7cff10f6a093070f63d01
Instruction Fuzzy Hash: 2991C231A006099FDB01DF68C844B9EFBF5FF55314F1482A9E515DB2A2EB35E904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00216760 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 0021685D
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00216872
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0021687A

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Part of subcall function 002184B0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002184FC

Strings

SysTabControl32, xrefs: 00216855
TabHost, xrefs: 002167E9, 002167FB, 00216805

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend$AllocCreateHeapWindow
String ID: SysTabControl32$TabHost
API String ID: 4294867080-2872506973
Opcode ID: 5d0789d457f16b3854328f1c7740ad2c25b5745965b4ce86b0f0f466713128d2
Instruction ID: b7abf1d510a04580d1956f0c7f7f5c73ecd865b227250e9c155e94652482b0da
Opcode Fuzzy Hash: 5d0789d457f16b3854328f1c7740ad2c25b5745965b4ce86b0f0f466713128d2
Instruction Fuzzy Hash: 6B51BC35A00605AFDB10DF69C844FAEBBF4FF89310F144669E905AB3A0DB34AD04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001F8AF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004CE7BC,F026EBDC,00000000,004CE7D8), ref: 001F8B63
LeaveCriticalSection.KERNEL32(004CE7BC), ref: 001F8BC8
LoadCursorW.USER32(001E0000,?), ref: 001F8C24
LeaveCriticalSection.KERNEL32(004CE7BC), ref: 001F8CBB

Strings

ATL:%p, xrefs: 001F8C44

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$Leave$CursorEnterLoad
String ID: ATL:%p
API String ID: 2080323225-4171052921
Opcode ID: 7a6f08f641b760074e059ef08a0562344cabd8d473848c5e8bd673f50a1406c7
Instruction ID: 49b85b91924954471cedb3219b8f212003edde68a03fd81399f29af3f81a98ac
Opcode Fuzzy Hash: 7a6f08f641b760074e059ef08a0562344cabd8d473848c5e8bd673f50a1406c7
Instruction Fuzzy Hash: 20519B71905B489BDB20CF69C945BAAF7F4FF18314F00461EE996A7690EB70B980CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001FB490 Relevance: 7.8, APIs: 5, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C946C,F026EBDC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5), ref: 001FB4FA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5), ref: 001FB57A
EnterCriticalSection.KERNEL32(004C9488,?,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5,000000FF), ref: 001FB733
LeaveCriticalSection.KERNEL32(004C9488,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5,000000FF), ref: 001FB754

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID:
API String ID: 1807155316-0
Opcode ID: d94b63bc3dd9c392e0de9f46695bdb945a23b73f6cfa78616bec1733010987f6
Instruction ID: 6be56bcb50d6b98fe6a8bc626b8882d3cfb3001ab80885ebccc8d1786ac434c3
Opcode Fuzzy Hash: d94b63bc3dd9c392e0de9f46695bdb945a23b73f6cfa78616bec1733010987f6
Instruction Fuzzy Hash: 23B18E70A04249DFDB10DFA4C898BBEBBB4FF48314F258169E905EB291CB75AD44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00202F70 Relevance: 7.7, APIs: 5, Instructions: 237windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00202FE2
GetParent.USER32(00000001), ref: 0020300D
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 0020301D
FillRect.USER32(?,?,00000000), ref: 0020302B
ReleaseDC.USER32(00000001,00000000), ref: 00203201

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FillMessageParentRectReleaseSend
String ID:
API String ID: 2215362955-0
Opcode ID: 15ee9cdc29fdb9e1368724a6396434d863da03a6b1762de8fc8148c077549ea2
Instruction ID: 3488c2d84935b7a04e8fe86af9dd8ce8b97bd3ea311e515325b4a796ade20aec
Opcode Fuzzy Hash: 15ee9cdc29fdb9e1368724a6396434d863da03a6b1762de8fc8148c077549ea2
Instruction Fuzzy Hash: 5E913971A1060AEFDB15CFA9CD04BAEBBB9FF08300F144129E905E7691DB31A925CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002FC3D0 Relevance: 7.7, APIs: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?), ref: 002FC4F4
SetFileAttributesW.KERNEL32(?,00000000), ref: 002FC501
GetFileAttributesW.KERNEL32(?,?,?,00458798,00000001,F026EBDC,?,0000000A,00000000,00000000,00417E15,000000FF), ref: 002FC510
SetFileAttributesW.KERNEL32(?,00000000), ref: 002FC51D
FindNextFileW.KERNEL32(?,?), ref: 002FC55B

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: 1703088c41248e1293de876d0db57a45ce90831875e757083f744359db1f9d4f
Instruction ID: af90fa546217a46daa94ac2cc84fcec37bc6f6907a0b2deac2273bf11a808597
Opcode Fuzzy Hash: 1703088c41248e1293de876d0db57a45ce90831875e757083f744359db1f9d4f
Instruction Fuzzy Hash: EA51AE3051064E9BDB24DF68CE55BBDB3B4EF00360F644228E915AB2E1DB70AE14CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002DCD60 Relevance: 7.7, APIs: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,F026EBDC,?,?,00000000,?,?,?,?,?,?,?,?,00000000,00412B2D,000000FF), ref: 002DCD90
GetWindowRect.USER32(?,?), ref: 002DCDB0
IsWindowEnabled.USER32(?), ref: 002DCDE1
GetFocus.USER32 ref: 002DCDEF
DeleteDC.GDI32(?), ref: 002DCF05

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$DeleteEnabledFocusRect
String ID:
API String ID: 733580484-0
Opcode ID: e6cde8f1076a888399323dd1f2b76f341fa7d3ebe12f65ff323b400918a6173c
Instruction ID: f1c0fb33a25a0f7c7425a2381cc66626dcf9c781ac28d2eeae5bb16933c775da
Opcode Fuzzy Hash: e6cde8f1076a888399323dd1f2b76f341fa7d3ebe12f65ff323b400918a6173c
Instruction Fuzzy Hash: FA5109B1A04609EFDB24DFA4DD48BEDBBF8EF09310F24415AE455A7290D7716944CF24

Uniqueness

Uniqueness Score: -1.00%

Function 001F6140 Relevance: 7.6, APIs: 5, Instructions: 125windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001F619E
GetDlgItem.USER32(?,?), ref: 001F61C3
SendMessageW.USER32(?,?,?,?), ref: 001F628D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: 4149a9934ba1c6f6ded4d6e36da3f8b32058f769094b6ee4133ee1da9c4d96f1
Instruction ID: 67d28490d862fbb7648b7c52a7d51bc9fe47ac78d2c3b05cbbf3520fbfd86b8c
Opcode Fuzzy Hash: 4149a9934ba1c6f6ded4d6e36da3f8b32058f769094b6ee4133ee1da9c4d96f1
Instruction Fuzzy Hash: 0441D432305209DFD718CF55D898E76B7B9FB88351F04886AE646C7561C732E851EB60

Uniqueness

Uniqueness Score: -1.00%

Function 002DCF30 Relevance: 7.6, APIs: 5, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002DCF8E

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Part of subcall function 00200EF0: GetWindowTextLengthW.USER32(?), ref: 00200EF7
Part of subcall function 00200EF0: GetWindowTextW.USER32(?,?,00000001), ref: 00200F28

IsWindowEnabled.USER32(?), ref: 002DCFC4
GetFocus.USER32 ref: 002DCFD4
GetDC.USER32(?), ref: 002DD004

Part of subcall function 00302500: SelectObject.GDI32(?,?), ref: 00302563
Part of subcall function 00302500: SetTextColor.GDI32(?,?), ref: 003025AF
Part of subcall function 00302500: DrawTextW.USER32(?,?,?,?,00000024), ref: 003025CD
Part of subcall function 00302500: SelectObject.GDI32(?,?), ref: 003025D9

CallWindowProcW.USER32(?,?,?,?,?), ref: 002DD033

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: TextWindow$Init_thread_footerObjectSelect$CallClientColorDrawEnabledFocusHeapLengthProcProcessRect
String ID:
API String ID: 1398943273-0
Opcode ID: a2f0817675aafb2ec2da72629fc0b0ba01e9d9ee78dd37ed555c730928fa333b
Instruction ID: 3407e892c41f5fa2749f714f2c2b674fe8c9eb5938e4381e40289206e8524fcc
Opcode Fuzzy Hash: a2f0817675aafb2ec2da72629fc0b0ba01e9d9ee78dd37ed555c730928fa333b
Instruction Fuzzy Hash: 1E415B71910509DFCB00DFA4C984BEEBBB4FF48311F14816AE815AB2A2DB31AD14CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002034C0 Relevance: 7.6, APIs: 5, Instructions: 113timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(F026EBDC,F026EBDC,?), ref: 002034FF
EnterCriticalSection.KERNEL32(?,F026EBDC,?), ref: 0020350C
KillTimer.USER32(?,00000001), ref: 00203554
SetTimer.USER32(?,00000001,?,00000000), ref: 002035CC
LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 002035E3

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$Timer$EnterInitializeKillLeave
String ID:
API String ID: 160562401-0
Opcode ID: 26a9c2347a93b32c1f6b1b4039e660270412bd7a2d9d29744d5e58acd05873c9
Instruction ID: f45fdab7981a143a346fc6fc34d59e86520bff9ca7c30234dee5b1d434e241ce
Opcode Fuzzy Hash: 26a9c2347a93b32c1f6b1b4039e660270412bd7a2d9d29744d5e58acd05873c9
Instruction Fuzzy Hash: F441C3342147428FDB21CF28CC44BAABFB5EF49314F504529E996D77E2CB31AA25CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0020F1C0 Relevance: 7.6, APIs: 5, Instructions: 109windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,?,?), ref: 0020F238
SendMessageW.USER32(?,00001012,00000000,?), ref: 0020F280
SendMessageW.USER32(?,0000102C,000000FF,0000F000), ref: 0020F29C
SendMessageW.USER32(?,0000102B,000000FF,?), ref: 0020F2CE
SetFocus.USER32(00000000,?,?), ref: 0020F2E1

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: 87c2c397e61855a11fd76c6748a0219db15b3a6121fd70808ea8cbf066ba0df9
Instruction ID: eb591e55257bd6a09db504a64f9893caf860d2104c54cc4783e34dec5ef8dfec
Opcode Fuzzy Hash: 87c2c397e61855a11fd76c6748a0219db15b3a6121fd70808ea8cbf066ba0df9
Instruction Fuzzy Hash: 5A416D75910709EFDB60CF68CD85AA9BBF4FF48714F20462AE86597BA1DB70A910CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001FF120 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 001FF169
GetClientRect.USER32(?,?), ref: 001FF18F
GetParent.USER32(?), ref: 001FF19D

Part of subcall function 003AFA13: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00325F3E,?,?,?,?,?,?), ref: 003AFA18
Part of subcall function 003AFA13: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 003AFA1F

SetWindowLongW.USER32(?,000000EB), ref: 001FF1D0
ShowWindow.USER32(?,00000000), ref: 001FF1E6

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$HeapLong$AllocClientParentProcessRectShow
String ID:
API String ID: 3563161840-0
Opcode ID: 1834c827f4702be799d67a9580db0d5975b721571b7ade1fd7d43150522d7ae7
Instruction ID: e0d920eee21b12f4e84ee5803762081e3c8fc65927aee7a22ba19d32bb5434e8
Opcode Fuzzy Hash: 1834c827f4702be799d67a9580db0d5975b721571b7ade1fd7d43150522d7ae7
Instruction Fuzzy Hash: E0217C346087019FC725EF29D808E2BBBE8EF49715B004A3DF496C6661DB70E804CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001F0240 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F028A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001F0290
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 001F02B3
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,003D9B16,000000FF), ref: 001F02DB
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,003D9B16,000000FF), ref: 001F02E1

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: f2c52f13981f2a747fbbf2a208d604b1a9d64d6d0ae01dcf733e4ba386a05835
Instruction ID: 1cf5a25a05cd5dbf3295267776c7ebced4dcd9fee3a2c895cad8fef673e1cfd0
Opcode Fuzzy Hash: f2c52f13981f2a747fbbf2a208d604b1a9d64d6d0ae01dcf733e4ba386a05835
Instruction Fuzzy Hash: 081130B1A44219ABEB11DF94DC06FAFBBBCEB04B54F100519F510AB2C1D7B5AA0487A5

Uniqueness

Uniqueness Score: -1.00%

Function 00330D30 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,F026EBDC,74715870,00000000), ref: 00330D82
CloseHandle.KERNEL32(?,F026EBDC,00000000,?,00000000,00422143,000000FF,?), ref: 00330F00
CloseHandle.KERNEL32(00000000,F026EBDC,00000000,?,00000000,00422143,000000FF,?), ref: 00330F2F

Strings

LOG, xrefs: 00330DEA

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: 3ee374e85386603859ee934c4c879f76ff97bd0d8366d560a08dd6daf6c91c4f
Instruction ID: 8a15ee94e5cebe216d5c1588c88351b1df5bde33d6903e026971587462488207
Opcode Fuzzy Hash: 3ee374e85386603859ee934c4c879f76ff97bd0d8366d560a08dd6daf6c91c4f
Instruction Fuzzy Hash: BD51DF71A00744DFDB29CF68C854BAAB7F4EF44710F158A2AE816DB680E7B4AA04C784

Uniqueness

Uniqueness Score: -1.00%

Function 003406E0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,F026EBDC), ref: 00340714

Part of subcall function 002E6270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,?,?,004C94D0,003303D0,?), ref: 002E6288
Part of subcall function 002E6270: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002E62BA

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Strings

.pack, xrefs: 00340A51
.jar, xrefs: 00340B9C
*.*, xrefs: 0034078A, 0034079C, 003407A4

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapObjectSingleWait
String ID: *.*$.jar$.pack
API String ID: 760676496-3892993289
Opcode ID: e95f5c8cf1924b98a1b68ca4197d017ef936d353a14c043a04db5653a0daefd4
Instruction ID: 39223f145590aff642538933065a451aa85b77171a318acc78ae999c82a36529
Opcode Fuzzy Hash: e95f5c8cf1924b98a1b68ca4197d017ef936d353a14c043a04db5653a0daefd4
Instruction Fuzzy Hash: 5551BF70A0061A9FDB15DFA9C948BAEFBF4FF04310F118269E520AB291DB34E904CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002F49B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 002F69A0: std::locale::_Init.LIBCPMT ref: 002F6A2E

std::locale::_Init.LIBCPMT ref: 002F4A8D

Part of subcall function 003ADC64: __EH_prolog3.LIBCMT ref: 003ADC6B
Part of subcall function 003ADC64: std::_Lockit::_Lockit.LIBCPMT ref: 003ADC76
Part of subcall function 003ADC64: std::locale::_Setgloballocale.LIBCPMT ref: 003ADC91
Part of subcall function 003ADC64: std::_Lockit::~_Lockit.LIBCPMT ref: 003ADCE7

Strings

`M/, xrefs: 002F4A19
PL/, xrefs: 002F4A7B
p|/, xrefs: 002F49F0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: std::locale::_$InitLockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocale
String ID: PL/$`M/$p|/
API String ID: 1011079220-2681216032
Opcode ID: d22e5f453d1533c186a1ecff12a7e66e21524961c753cbbf556d2e8ebfa08aed
Instruction ID: a80f5d2b2e18ba8cfbb7106cf14db965638f0a4f280586393d92efdccf9b35ed
Opcode Fuzzy Hash: d22e5f453d1533c186a1ecff12a7e66e21524961c753cbbf556d2e8ebfa08aed
Instruction Fuzzy Hash: 9641F4F4900205DFD701CF44C984B9ABBF4FF49314F11829AD9149B3A2E3BAAA18CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002FC6E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,004148ED,000000FF,?,80004005,F026EBDC,?), ref: 002FC783

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A0,80070057,8007000E,80004005,00201A24,00000000,?,?,?,*.*), ref: 001EA163

DeleteFileW.KERNEL32(?,F026EBDC,?,7476F9C0,?,00000000,004148ED,000000FF,?,002FC527), ref: 002FC7B2
GetLastError.KERNEL32(?,?,?,00000000,004148ED,000000FF,?,80004005,F026EBDC,?,?,?,?,004148ED,000000FF), ref: 002FC7C2

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Strings

\\?\, xrefs: 002FC634, 002FC646, 002FC650, 002FC744, 002FC756, 002FC760

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DeleteFileInit_thread_footer$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 1908169709-4282027825
Opcode ID: b6dda004d176cab68edef0fd546b34167b5256ed1af55596e4bd6202c9c998a8
Instruction ID: 21e526ebbe441498221e677b64b1f28e65840a4e3d3b7506f9661a42d506411f
Opcode Fuzzy Hash: b6dda004d176cab68edef0fd546b34167b5256ed1af55596e4bd6202c9c998a8
Instruction Fuzzy Hash: 4021BC759006099FDB10EF68C948BAAF7F8EF04361F20462AE961D7290CB35AD148F54

Uniqueness

Uniqueness Score: -1.00%

Function 001F0610 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 001F0652
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001F0658

Strings

RoOriginateLanguageException, xrefs: 001F0648
combase.dll, xrefs: 001F064D

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 30fdb971b12fcd93be8411ef6ba26371d371441e82238e1af3d26104f5ffc34c
Instruction ID: f3fc6cf49ca84e43711135bc2c1d2659b59fd13282cfe7e985549b0e7dd75c04
Opcode Fuzzy Hash: 30fdb971b12fcd93be8411ef6ba26371d371441e82238e1af3d26104f5ffc34c
Instruction Fuzzy Hash: 4531AE7190060DAFDB15DFA8DC05BFEB7B4FB08324F10862AE925A72D1EB745A04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002F2440 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 002F2515

Strings

`M/, xrefs: 002F2501
PL/, xrefs: 002F24AA
p|/, xrefs: 002F250F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: PL/$`M/$p|/
API String ID: 323602529-2681216032
Opcode ID: 1cdf597edaabe5244758c5886a525a8d274ae85a05f771b3abfd1865f06963bf
Instruction ID: 5f929fe99bd2a157ecbda7eed692ea563d4b4723bce8cf832d726385b405722f
Opcode Fuzzy Hash: 1cdf597edaabe5244758c5886a525a8d274ae85a05f771b3abfd1865f06963bf
Instruction Fuzzy Hash: 2C317870A0024ADFC710CF18C544A9DFBF4FF46718F2086AED805AB391D7B5AA09CB80

Uniqueness

Uniqueness Score: -1.00%

Function 003B4C0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,003B4BBD,?,?,00000000,?,?,?,003B4CE7,00000002,FlsGetValue,00439F08,FlsGetValue), ref: 003B4C19
GetLastError.KERNEL32(?,003B4BBD,?,?,00000000,?,?,?,003B4CE7,00000002,FlsGetValue,00439F08,FlsGetValue,?,?,003B1B04), ref: 003B4C23
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 003B4C4B

Strings

api-ms-, xrefs: 003B4C30

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 54be49f74e7926fc81793ddb366af66190f6feb9a3fb02a9c8f594fe4aa2d564
Instruction ID: 8fcd83104e48ec594a06fd712f4257d369b39c1e12955d2dd9b23ef8ed04b549
Opcode Fuzzy Hash: 54be49f74e7926fc81793ddb366af66190f6feb9a3fb02a9c8f594fe4aa2d564
Instruction Fuzzy Hash: 6CE01230240304BAEB121B50EC47B9D7F659B00B99F154034FB0CA84F5EBA1D9549649

Uniqueness

Uniqueness Score: -1.00%

Function 00206E30 Relevance: 6.3, APIs: 4, Instructions: 321windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00206F78
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00206F8D

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,F026EBDC,00000000,003D7F70,000000FF,?,?,004BEFDC,?,0033C2E8,80004005,F026EBDC,?,?), ref: 001EA89A

Part of subcall function 002DBAD0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00206FC8,00000000,80004005), ref: 002DBB38
Part of subcall function 002DBAD0: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,000000EF,?,00206FC8,00000000,80004005), ref: 002DBB49
Part of subcall function 002DBAD0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002DBB68

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 002070C3
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 002071BF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend$Window$AllocHeapRedraw
String ID:
API String ID: 1554694749-0
Opcode ID: 7a3e97a694b3b2051df229fef143470a1a57846e5df3e5234a95e862cd979cb2
Instruction ID: 054ff5c4930c4e8049c2e8d3fdc4d4cf4705ba2dc99f3a8b4210b92517e8a4a9
Opcode Fuzzy Hash: 7a3e97a694b3b2051df229fef143470a1a57846e5df3e5234a95e862cd979cb2
Instruction Fuzzy Hash: 87C19E71A10209AFDB14CFA8CC99BEEFBB5FF48314F104219E415AB2D1DB75A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F5390 Relevance: 6.3, APIs: 4, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 001F545A
SysFreeString.OLEAUT32(00000000), ref: 001F54A6
SysFreeString.OLEAUT32(00000000), ref: 001F54C8
SysFreeString.OLEAUT32(00000000), ref: 001F5623

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: ec4570ead81a77312041fa52f22ceb98e7ee33926c0866667ab1200bf9ebc6d4
Instruction ID: ede8d2c475ba95738a121a1e2be6a17504003723ec967521353dc04852e5577d
Opcode Fuzzy Hash: ec4570ead81a77312041fa52f22ceb98e7ee33926c0866667ab1200bf9ebc6d4
Instruction Fuzzy Hash: 69A19E71A00649EFDB15CFA8C844FBEBBB9EF44714F104219EA15EB290E774AA01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00210570 Relevance: 6.2, APIs: 4, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00210645
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00210677
SendMessageW.USER32(?,0000110A,00000004,?), ref: 002107EE
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00210816

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0d74e9d8d6a4c00f985551b4aec65aa9c8cc33e398b6a488c32305dace01fbf4
Instruction ID: f926a729db13ac427fc807e04e15626ccffbd384f7cd199d0ef30a11ac5f52b5
Opcode Fuzzy Hash: 0d74e9d8d6a4c00f985551b4aec65aa9c8cc33e398b6a488c32305dace01fbf4
Instruction Fuzzy Hash: 5C917C71A10209AFCB25DF64D8C4EEEB7F9BF68310F044569E501A7291D7B0A8A5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0030C5F0 Relevance: 6.2, APIs: 4, Instructions: 199COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0030C741
GetForegroundWindow.USER32(?,00314BA9), ref: 0030C751
SetForegroundWindow.USER32(00000000), ref: 0030C78B

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

OutputDebugStringW.KERNEL32(?,F026EBDC,?,?,?,000000FF,?,00314BA9,?), ref: 0030C7DF

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Window$ForegroundInit_thread_footer$ActiveDebugHeapOutputProcessString
String ID:
API String ID: 1401059542-0
Opcode ID: 6a0006f187f18af18fa188a4b7783f534e3cf643a967d34f54a8a935b4ec9f7b
Instruction ID: 7b10df1d92e64d8f5b7b46e77168db321089d631f1d59f6b37eab287c978273b
Opcode Fuzzy Hash: 6a0006f187f18af18fa188a4b7783f534e3cf643a967d34f54a8a935b4ec9f7b
Instruction Fuzzy Hash: AA612035A016459FDB15DB6CC818BAEBBB4EF85310F1982ADE816973D1EB309D01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0032D610 Relevance: 6.2, APIs: 4, Instructions: 157registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,F026EBDC), ref: 0032D686
_wcsrchr.LIBVCRUNTIME ref: 0032D6B0
RegQueryValueExW.ADVAPI32(00000000,F026EBDC,00000000,00000000,00000000,00000000,F026EBDC,00000001,?,00000000,00000000), ref: 0032D733
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0032D77F

Part of subcall function 0032D530: RegOpenKeyExW.ADVAPI32(00000000,F026EBDC,00000000,00020019,00000002,F026EBDC,00000001,00000010,00000002,0032C85C,F026EBDC,00000000,00000000), ref: 0032D5CC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Close$OpenQueryValue_wcsrchr
String ID:
API String ID: 213811329-0
Opcode ID: ecec7235fd0a771b3ab3abf89b45a9316f33c24c31a358af5a7fcf735e171db0
Instruction ID: 6d756783af62fc624b366547c2461ff4753e4a6463cc9bae1617d3e1a834f11d
Opcode Fuzzy Hash: ecec7235fd0a771b3ab3abf89b45a9316f33c24c31a358af5a7fcf735e171db0
Instruction Fuzzy Hash: 18510471905359AFDB11CF68D944BAEFBB5EF41320F24826AEC24973C1D7799A04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00302500 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00200D60: CreateCompatibleDC.GDI32(?), ref: 00200DBB
Part of subcall function 00200D60: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00200DD4
Part of subcall function 00200D60: SelectObject.GDI32(?,00000000), ref: 00200DE0
Part of subcall function 00200D60: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00200DF9

SelectObject.GDI32(?,?), ref: 00302563
SetTextColor.GDI32(?,?), ref: 003025AF
DrawTextW.USER32(?,?,?,?,00000024), ref: 003025CD
SelectObject.GDI32(?,?), ref: 003025D9

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateText$BitmapColorDrawViewport
String ID:
API String ID: 1496946490-0
Opcode ID: 7df934fd8701057ab7b24968a512003bb11a26e856f88bee4d9cd9eb192327d8
Instruction ID: 86e4483622e9d13e5300bff3778ebd5930c66a9c7ede42fad80220e596387268
Opcode Fuzzy Hash: 7df934fd8701057ab7b24968a512003bb11a26e856f88bee4d9cd9eb192327d8
Instruction Fuzzy Hash: 94314531801208AFDB11DFA4DD46F9EBB76FF08720F204225F915A62A1EB316A20DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00290280 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000017,F026EBDC,?,004C9310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,004C9310), ref: 002902C9
LoadResource.KERNEL32(00000000,00000000,?,004C9310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,004C9310,?), ref: 002902D8
LockResource.KERNEL32(00000000,?,004C9310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,004C9310,?), ref: 002902E3
SizeofResource.KERNEL32(00000000,?,?,004C9310,?,?,?,?,00000000,Function_00223FBD,000000FF,?,?,004C9310,?), ref: 002902F4

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 3978e3af466eeb4859229d0d60fbfcc54e6dbdae60d892edbc15453c0b91619f
Instruction ID: dc5f589a9a40e3f08f3c0efc77e9527ccc8d1fb4af949e68350b44c9c6a087f4
Opcode Fuzzy Hash: 3978e3af466eeb4859229d0d60fbfcc54e6dbdae60d892edbc15453c0b91619f
Instruction Fuzzy Hash: 8431C071D1570AAFDB209F74DD45BAEB7B8EB44710F104239EC15A7680EF309A1487A5

Uniqueness

Uniqueness Score: -1.00%

Function 001F6020 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 001F60D4
IsChild.USER32(?,00000000), ref: 001F60DE
GetWindow.USER32(?,00000005), ref: 001F60ED
SetFocus.USER32(00000000), ref: 001F60F4

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: 097004bf253e70999e3738b8c493b485842abdf18e03d8be79fcb1ce1b4fcef7
Instruction ID: 53a9af391502c52f6812e2f70553a6e44f4ccb0dd24281f36144bc10f7a2c55e
Opcode Fuzzy Hash: 097004bf253e70999e3738b8c493b485842abdf18e03d8be79fcb1ce1b4fcef7
Instruction Fuzzy Hash: 94318C70600A0AEFDB15CF64CD49F6ABBB8FF48714F204629F625D72A0DB75A810CB94

Uniqueness

Uniqueness Score: -1.00%

Function 002032F0 Relevance: 6.1, APIs: 4, Instructions: 74timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,F026EBDC), ref: 0020335A
EnterCriticalSection.KERNEL32(?,F026EBDC), ref: 00203367
SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 0020339D
LeaveCriticalSection.KERNEL32(?), ref: 002033B8

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveTimer
String ID:
API String ID: 3379552715-0
Opcode ID: bc18abfc70fed199d21e4742d38b158552f5212f6087ec1bba4536b9dc97a3ba
Instruction ID: 469da83064fd99cd1ba650425bf330e634e2bb0cd29b9d10b34cd1815478addd
Opcode Fuzzy Hash: bc18abfc70fed199d21e4742d38b158552f5212f6087ec1bba4536b9dc97a3ba
Instruction Fuzzy Hash: 6E21A3369003459FDF11CF64D880BE9BBB8FB56324F5141A9EC55AB382CB325A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002033E0 Relevance: 6.1, APIs: 4, Instructions: 71timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,F026EBDC), ref: 0020344A
EnterCriticalSection.KERNEL32(?,F026EBDC), ref: 00203457
SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 00203487
LeaveCriticalSection.KERNEL32(?), ref: 0020349E

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveTimer
String ID:
API String ID: 3379552715-0
Opcode ID: 96c7d766a718bd6df969ae965569b40e5e3e148865018176e50bf12d40b9c693
Instruction ID: 87f103315f9344234d127517e77403b25de2acd9fe1ec353fe043edfddb7e784
Opcode Fuzzy Hash: 96c7d766a718bd6df969ae965569b40e5e3e148865018176e50bf12d40b9c693
Instruction Fuzzy Hash: 2821B0329003459FDF12CF24DC40BA9BBB8FF15324F1105A9ED55AB382D7319A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00200CB0 Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00200D01
SelectObject.GDI32(?,?), ref: 00200D0C
DeleteObject.GDI32(?), ref: 00200D1E
DeleteDC.GDI32(?), ref: 00200D43

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DeleteObject$Select
String ID:
API String ID: 207189511-0
Opcode ID: 3db1fdfa24780d713ecd813dd698405dcc4a54b6fed9afa2ccd794d1c0f65f79
Instruction ID: fe937ea9d14d86b1e3e41b5939369da36935f31e885bf00c39293dbd4109619b
Opcode Fuzzy Hash: 3db1fdfa24780d713ecd813dd698405dcc4a54b6fed9afa2ccd794d1c0f65f79
Instruction Fuzzy Hash: 0F110771604606BFE7108F99DD48F6AFBBCFB48720F104269F814D3690D771A860CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00200D60 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00200DBB
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00200DD4
SelectObject.GDI32(?,00000000), ref: 00200DE0
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00200DF9

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CompatibleCreate$BitmapObjectSelectViewport
String ID:
API String ID: 1881423421-0
Opcode ID: f06b41a1b8463b86459e0a9816e099ed4df0363fba599be4116fd9c2324377dd
Instruction ID: f5c42086ce4ac98af3e6134975cbb185ed519066eec5d7a8832f63a7e350a94b
Opcode Fuzzy Hash: f06b41a1b8463b86459e0a9816e099ed4df0363fba599be4116fd9c2324377dd
Instruction Fuzzy Hash: 75211875504B05EFD720CF58D944B6ABBF8FB08710F108A5EF8A687AA0D771A944CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001F9830 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001F985B
BitBlt.GDI32(00000000,?,?,?,00000000,?,00000000,00000000,00CC0020), ref: 001F9886
DeleteDC.GDI32(?), ref: 001F988D
ReleaseDC.USER32(?,?), ref: 001F989A

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID:
API String ID: 2015589292-0
Opcode ID: 083dbcab403c4a4d8096c71165a156e34839ba454291df38a87532e0c297de9b
Instruction ID: 3dff83858d723dafc3d6848e76a8158ca4f69386235e90d755570f48998de008
Opcode Fuzzy Hash: 083dbcab403c4a4d8096c71165a156e34839ba454291df38a87532e0c297de9b
Instruction Fuzzy Hash: 3B011372208205AFD344DF69DC89F2BBBA9FB8C710F444A28F54582661C770E8148BA5

Uniqueness

Uniqueness Score: -1.00%

Function 003B03FA Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,003B0397,00000064), ref: 003B041D
LeaveCriticalSection.KERNEL32(004C7DCC,?,?,003B0397,00000064,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC), ref: 003B0427
WaitForSingleObjectEx.KERNEL32(?,00000000,?,003B0397,00000064,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC), ref: 003B0438
EnterCriticalSection.KERNEL32(004C7DCC,?,003B0397,00000064,?,001EAC36,004C89FC,F026EBDC,?,?,003D84ED,000000FF,?,0033C28C,F026EBDC), ref: 003B043F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: d2979f627a68a2cd6dd7bee2ab1229097cb4578ebb16994d83f2884f92c71e47
Instruction ID: e5ef55b8c89098afeca465b6d78d9c111c21e4c835fc6f143193c5bd117dad42
Opcode Fuzzy Hash: d2979f627a68a2cd6dd7bee2ab1229097cb4578ebb16994d83f2884f92c71e47
Instruction Fuzzy Hash: 52E09235644624ABCA422F81EC08FEE7F28DF04711F010079FA0E62170CF6119408FDD

Uniqueness

Uniqueness Score: -1.00%

Function 0032F520 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

CloseHandle.KERNEL32(?,F026EBDC,000000C9,00000000), ref: 0032F6A3
DeleteCriticalSection.KERNEL32(?,F026EBDC,000000C9,00000000), ref: 0032F731

Strings

<< Advanced Installer (x86) Log >>, xrefs: 0032F60F

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 3699736680-396061572
Opcode ID: d2891749225def63ffa3080f86df33c9fb18c93008368bc459329896bfaccd1f
Instruction ID: 36cf3a4a3583fc8716c86992b0f2417a34e52dc6e69e65de1c6c182a65c83b3f
Opcode Fuzzy Hash: d2891749225def63ffa3080f86df33c9fb18c93008368bc459329896bfaccd1f
Instruction Fuzzy Hash: BD61DA30A04686EFDB01CF68D948B4EBBF0EF45314F1482ADE4009B391DB78AE05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 002EEAB0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,F026EBDC), ref: 002EEB51

Strings

\\?\UNC\, xrefs: 002EEB78, 002EEBD9
\\?\, xrefs: 002EEC4E, 002EEC79

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: db6bbb3efa84472ad4e6ff48fc59dc58e2efd1a2e11b99916ec1fdb8b03fa849
Instruction ID: d888b538a0e09b0de90ca460dcbacdda95201e32443aabb771c6f51ef7c7d44a
Opcode Fuzzy Hash: db6bbb3efa84472ad4e6ff48fc59dc58e2efd1a2e11b99916ec1fdb8b03fa849
Instruction Fuzzy Hash: F95125B0D106449BDF14CF69C885BAEF7B4FF94308F60821ED81267281E7B46954CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 003525A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,F026EBDC,_pbl_evt,00000008,?,?,0045B480,00000001,F026EBDC,00000000), ref: 0035264E
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 0035266B

Strings

_pbl_evt, xrefs: 00352622

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: b4a609d992d56c7846d01ec060fa5b25393b00ee4af67c8cd878f2a6ce10d26f
Instruction ID: 5d3cd47293f1f9b00a0092415570d9894d63ca2521183998790da90b64578cd2
Opcode Fuzzy Hash: b4a609d992d56c7846d01ec060fa5b25393b00ee4af67c8cd878f2a6ce10d26f
Instruction Fuzzy Hash: 7051A071D10648EFDB10DFA8CC45FEEB7B4FB15710F208229E915A7690DB746A08CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00330870 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,F026EBDC,?,?,004C94D0), ref: 003308AF
CreateDirectoryW.KERNEL32(?,00000000,?,004C94D0), ref: 00330910

Strings

ADVINST_LOGS, xrefs: 003308E8

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 3299120161d7ae87511345ca1b85d9f98fd9acdbd9125070c4a48a5adc08ec5f
Instruction ID: 59ae5918c8d2a2bc660b7a5db812d06c517b34dfc4c19d24b82645168ea2b866
Opcode Fuzzy Hash: 3299120161d7ae87511345ca1b85d9f98fd9acdbd9125070c4a48a5adc08ec5f
Instruction Fuzzy Hash: 1451F575900219CBDB359F28C894BBAB3F4FF14714F1546AEE849972A1EB345DC1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00221280 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0022141B

Strings

0[", xrefs: 002212D6
`7", xrefs: 002212FC

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: 0["$`7"
API String ID: 118556049-3400002789
Opcode ID: 54eb06ef69877eef1202e63735410059ae01cd23d17eb8e611d36fa83c5a8a62
Instruction ID: 1709bfdb9294f583092b6a81cc25f730235e5c95a2c08444827f48bcc88d1804
Opcode Fuzzy Hash: 54eb06ef69877eef1202e63735410059ae01cd23d17eb8e611d36fa83c5a8a62
Instruction Fuzzy Hash: 805177B0900614DFCB20CF95D584B9ABBF4FF08314F2086AEE85A9B791D735E915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003D167C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003C820D: RtlFreeHeap.NTDLL(00000000,00000000,?,003D1120,?,00000000,?,?,003D13C1,?,00000007,?,?,003D1813,?,?), ref: 003C8223
Part of subcall function 003C820D: GetLastError.KERNEL32(?,?,003D1120,?,00000000,?,?,003D13C1,?,00000007,?,?,003D1813,?,?), ref: 003C822E

___free_lconv_mon.LIBCMT ref: 003D16C0

Strings

p@L, xrefs: 003D1692
XBL, xrefs: 003D1768

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: XBL$p@L
API String ID: 4068849827-2792846342
Opcode ID: c6d946168b9387958593af3f9a78ebc0008c2e355271b52684a5f669a177009a
Instruction ID: 18d74880abf64ab06747f7b6504fbd1f9bb30b0b49c2b4d755859c14861c2efc
Opcode Fuzzy Hash: c6d946168b9387958593af3f9a78ebc0008c2e355271b52684a5f669a177009a
Instruction Fuzzy Hash: 4B314F32600700AFEB22AB78E849F5677E9AF00311F25492EF469DB261DF71ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00305040 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,F026EBDC,0045A7FC), ref: 003050AC
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 003051A3

Part of subcall function 002F49B0: std::locale::_Init.LIBCPMT ref: 002F4A8D

Part of subcall function 002F2440: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 002F2515

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 003050CA

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: 372b109b912e2c8beca0873007615bff047d5b30930e4e6477edc4b129bd9fbe
Instruction ID: 81a5a1a2f4918f6f3eaaa18f0104570dc03701e51ec5b3b4f87f5a71065986ce
Opcode Fuzzy Hash: 372b109b912e2c8beca0873007615bff047d5b30930e4e6477edc4b129bd9fbe
Instruction Fuzzy Hash: 0A41D670A017089BDB10DF58CD05BAFBBF8EF44314F204169E505AB2D1DBB49A48CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0022E590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

InterlockedPushEntrySList.KERNEL32(004C8A70,004C8B18,Windows.UI.Xaml.Controls.TextBlock,00000022,F026EBDC,004C9310,000000C4,?,004C8B14,Function_001F8977,000000FF), ref: 0022E668

Strings

Windows.UI.Xaml.Controls.TextBlock, xrefs: 0022E5BA
P", xrefs: 0022E670, 0022E678

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: EntryInterlockedListPush
String ID: P"$Windows.UI.Xaml.Controls.TextBlock
API String ID: 4129690577-3428865363
Opcode ID: 656a76eaf5063820d4e7197fedd8f47f6ba7343e8188cebb4ef83286c9fad548
Instruction ID: 6fb5f3a6fb6c8ec75cc4a26629a882551c35c85ec8ca3b02f0a91c427a787176
Opcode Fuzzy Hash: 656a76eaf5063820d4e7197fedd8f47f6ba7343e8188cebb4ef83286c9fad548
Instruction Fuzzy Hash: D1316DB5D1021AABDB00DF94DC45BAEBBB8FB54714F10412EE8116B290EBB56A04CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00225730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0022575B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002257BE

Strings

bad locale name, xrefs: 002257E1

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 585fe07af4e1df43bfc56dd0172b6254fadc6722730715792a12f8383fa832f0
Instruction ID: 28a8fe5de26b070a7c63441e269b36236eb9716567a523ce20bdee696543f4b3
Opcode Fuzzy Hash: 585fe07af4e1df43bfc56dd0172b6254fadc6722730715792a12f8383fa832f0
Instruction Fuzzy Hash: 7421E070905B84EFD721CF68C904B5ABBE4AF15700F14869DE4558BB81D3B5AA04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 003B4B6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,003B4CE7,00000002,FlsGetValue,00439F08,FlsGetValue,?,?,003B1B04,?,003B1ADA), ref: 003B4BEF
GetProcAddress.KERNEL32(00000000,?), ref: 003B4BF9

Strings

Nqt, xrefs: 003B4BF9

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: Nqt
API String ID: 3013587201-806837294
Opcode ID: 8d344aea75664b04228db93bf9318388fa32a84826bc8031495db7592d4c26c3
Instruction ID: 207d3be1a1aa12bbdbe52a019ba42a51f0307c73814c16ca7848d120058d2fc4
Opcode Fuzzy Hash: 8d344aea75664b04228db93bf9318388fa32a84826bc8031495db7592d4c26c3
Instruction Fuzzy Hash: 691193366042159F8F17CF94DC80EDA73B8FB463587260569EB45D7A52EB30DD01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 003AD283 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,003AD1C8,0000001C,003AD3BD,00000000,?,?,?,?,?,?,?,003AD1C8,00000004,004C78D4,003AD44D), ref: 003AD294
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,003AD1C8,00000004,004C78D4,003AD44D), ref: 003AD2AF

Strings

D, xrefs: 003AD2A3

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 0cb501f8c80ba5e065dc842b6b38559eeff7859e6698f5a7aec2e4513a162e52
Instruction ID: 56bb365f6c959db679da3ba0a2e6fac84b84a292ee1c03e555a69370186fe1ca
Opcode Fuzzy Hash: 0cb501f8c80ba5e065dc842b6b38559eeff7859e6698f5a7aec2e4513a162e52
Instruction Fuzzy Hash: 0301DB72A002096BDF14DE69DC05BDD7BAAEFC9364F0DC124ED5AD7154DA34D902C684

Uniqueness

Uniqueness Score: -1.00%

Function 001F324B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001F3277

Strings

4VL, xrefs: 001F328D
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001F3252

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ActiveWindow
String ID: 4VL$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
API String ID: 2558294473-2194915417
Opcode ID: 2608ce93ca15ca8c29e705b5fb3603fecf03f4653a68ce6619aecb8b9ddd278f
Instruction ID: 9c14bd2b448bafcc8acd46b64103e9384a45823c123cf6e3e4ba67ca3655bb72
Opcode Fuzzy Hash: 2608ce93ca15ca8c29e705b5fb3603fecf03f4653a68ce6619aecb8b9ddd278f
Instruction Fuzzy Hash: 51118E70D15298DFCF04DBE4C954BADBBB1BF55304F508098D506AB285DBB46B08CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001F35B9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001F35E8

Strings

4VL, xrefs: 001F35FE
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001F35C3

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ActiveWindow
String ID: 4VL$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
API String ID: 2558294473-2194915417
Opcode ID: 5cb999c315b1b5602dde260919b1412d894b010b6db742bfcd3d07f2abf5bc8c
Instruction ID: da1883c470eeb7806baa6fafcd25fa58a69abbd4c575867231e9a086ae7cf1fb
Opcode Fuzzy Hash: 5cb999c315b1b5602dde260919b1412d894b010b6db742bfcd3d07f2abf5bc8c
Instruction Fuzzy Hash: 68118B74D15298EFCF04EBE4C954BADFBB0BF55304F6080A8D505AB286DBB86B08CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001F32DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001F3307

Strings

4VL, xrefs: 001F331D
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001F32E0

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ActiveWindow
String ID: 4VL$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
API String ID: 2558294473-2194915417
Opcode ID: 0112d69631a8a8421f84868586eda8b15afbce86045f67f20952bfef7ea3e500
Instruction ID: 2b9bf5db14dedabd68bbb948665aa014c689297ddefa1cbf5e494262af7c09d5
Opcode Fuzzy Hash: 0112d69631a8a8421f84868586eda8b15afbce86045f67f20952bfef7ea3e500
Instruction Fuzzy Hash: EA116D30D05288DFCF04DBE4C954BADBBB1BF55304F608099D105AB286DBB59B09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001F364F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001F367B

Strings

C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001F3654
4VL, xrefs: 001F3691

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ActiveWindow
String ID: 4VL$C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp
API String ID: 2558294473-2194915417
Opcode ID: c315cebb5aacca149e6efdb9e2f5d38f59aa25cfd047365416426eb757bfa225
Instruction ID: 52c165e59f562f7f2017c5f15efbccc64e00dbcb44e771581a42ff3035a8345f
Opcode Fuzzy Hash: c315cebb5aacca149e6efdb9e2f5d38f59aa25cfd047365416426eb757bfa225
Instruction Fuzzy Hash: 01116134D05288EFCF04DBE4C954BADBBB0AF55344F6080A9D105AB286DBB55B09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0020806F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 002080A2

Strings

C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00208087
Unknown exception, xrefs: 00208077

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: c184792eb57f9dfa3eadefe9f139ebfcc613e6ca42de89b5fd9c98637201bc4b
Instruction ID: 14db4500a9e23f699d221258180198f5a62c8726558cb27284a59f43f222abaf
Opcode Fuzzy Hash: c184792eb57f9dfa3eadefe9f139ebfcc613e6ca42de89b5fd9c98637201bc4b
Instruction Fuzzy Hash: 5D018030D05288EFDF04EBE4C915BDDBFB0AF15304F148499E4016B286DBB99E08DB92

Uniqueness

Uniqueness Score: -1.00%

Function 001F36E2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001F3712

Strings

Unknown exception, xrefs: 001F36EA
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001F36FD

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 6f8a76e5755a07bacceda4e6eab99f70a7df19379b484280959bfa2ee4571eee
Instruction ID: a3805034139128a8aaa721e6c01066e755918af9826f48229da1bf8d003ec89a
Opcode Fuzzy Hash: 6f8a76e5755a07bacceda4e6eab99f70a7df19379b484280959bfa2ee4571eee
Instruction Fuzzy Hash: E7019E30D05288EFDF05EBE8C915BDDBBB0BF59304F608498D041AB286DBB45B08DB92

Uniqueness

Uniqueness Score: -1.00%

Function 001F336E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001F339B

Strings

Unknown exception, xrefs: 001F3376
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001F3386

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 02a87e039f757efc1bab0a40e94e5b2746910be40d19aee579edea5c544e9d0e
Instruction ID: cfab0bc9772ebd6a84abfc5c8b1e6373649b3390f8b56e1bcd1631529a11f2d3
Opcode Fuzzy Hash: 02a87e039f757efc1bab0a40e94e5b2746910be40d19aee579edea5c544e9d0e
Instruction Fuzzy Hash: 57019E70D05288EFDF05DBE4C914BDDBFB0AF19304F508498D4426B282DBB45B08DB92

Uniqueness

Uniqueness Score: -1.00%

Function 003AF694 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001F9C30: InitializeCriticalSectionAndSpinCount.KERNEL32(004C7D50,00000000,F026EBDC,001E0000,Function_001F7F70,000000FF,?,003AF6C3,?,?,?,001E7586), ref: 001F9C55
Part of subcall function 001F9C30: GetLastError.KERNEL32(?,003AF6C3,?,?,?,001E7586), ref: 001F9C5F

IsDebuggerPresent.KERNEL32(?,?,?,001E7586), ref: 003AF6C7
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001E7586), ref: 003AF6D6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003AF6D1

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: beca8f7f96d9762694307a6b6f10d043c97486a2c85e4a6c3b759f648ed40cb0
Instruction ID: 5fe3d1264602e7ac2024b7937686796e1f1ebc0805580418461ff919493cbfdd
Opcode Fuzzy Hash: beca8f7f96d9762694307a6b6f10d043c97486a2c85e4a6c3b759f648ed40cb0
Instruction Fuzzy Hash: 0BE022702007408FC331AF64E804706BBE0EF08348F00883EE482C2620DBF5E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D6D79 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003D6D52

Part of subcall function 003AD43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003AD448
Part of subcall function 003AD43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003AD4B0
Part of subcall function 003AD43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AD4C1

Strings

ym=, xrefs: 003D6D79
@m=, xrefs: 003D6D4C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @m=$ym=
API String ID: 697777088-3371694329
Opcode ID: 61e58e268899e0696e2fed341b210352f10932e12dcbfe3e9f3ded4229d8c65f
Instruction ID: 161382507d0e114bee67cfdcc11d3d91dc646076262febd9542399d2fbd9ae68
Opcode Fuzzy Hash: 61e58e268899e0696e2fed341b210352f10932e12dcbfe3e9f3ded4229d8c65f
Instruction Fuzzy Hash: 9CB0128A35D5016E314A931EBC03E36014CC0C4F20370C16FB015C8A40DD546C450439

Uniqueness

Uniqueness Score: -1.00%

Function 003D6D65 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003D6D52

Part of subcall function 003AD43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003AD448
Part of subcall function 003AD43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003AD4B0
Part of subcall function 003AD43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AD4C1

Strings

em=, xrefs: 003D6D65
@m=, xrefs: 003D6D4C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @m=$em=
API String ID: 697777088-3721110253
Opcode ID: 97f49b5d6965b9eb4cc67daa3a44f8ac051b118ec5c158038851a53b3165fd6b
Instruction ID: 770ece1bde631a1b9df2aff47f5ce03c7103a942184adf8d24732365accf4fa3
Opcode Fuzzy Hash: 97f49b5d6965b9eb4cc67daa3a44f8ac051b118ec5c158038851a53b3165fd6b
Instruction Fuzzy Hash: C4B0128E35C4006F3149571D7C07E36014CC0C4F20370C86FB015C8980DD546C051435

Uniqueness

Uniqueness Score: -1.00%

Function 003D6D5B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003D6D52

Part of subcall function 003AD43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003AD448
Part of subcall function 003AD43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003AD4B0
Part of subcall function 003AD43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AD4C1

Strings

[m=, xrefs: 003D6D5B
@m=, xrefs: 003D6D4C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @m=$[m=
API String ID: 697777088-4080953975
Opcode ID: 47c1d456390214d4f1a59b3d3fff30552fa96fb699a6b665836b8454725a52e6
Instruction ID: acf116a36da8336b5ae065382eb878ca92da92454e6a54cec8b33359b0c91dd7
Opcode Fuzzy Hash: 47c1d456390214d4f1a59b3d3fff30552fa96fb699a6b665836b8454725a52e6
Instruction Fuzzy Hash: C0B0128A35D5016E3189531E7C03E36018CC0C4F20370C16FB015C8A40DD546C450435

Uniqueness

Uniqueness Score: -1.00%

Function 003D6DBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003D6D52

Part of subcall function 003AD43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003AD448
Part of subcall function 003AD43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003AD4B0
Part of subcall function 003AD43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AD4C1

Strings

uL, xrefs: 003D6DBF
@m=, xrefs: 003D6D4C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @m=$uL
API String ID: 697777088-701350648
Opcode ID: 34fac8fc1e567affc5b020e2d8ba6068632e1f898a1766b6b3ae1b5aace2eccb
Instruction ID: 08885fd31bc7150720477596eb3af2f4e5f5ede63110e7f9440235b49ab1b106
Opcode Fuzzy Hash: 34fac8fc1e567affc5b020e2d8ba6068632e1f898a1766b6b3ae1b5aace2eccb
Instruction Fuzzy Hash: F8B0128A35C0007E3149531D7C03E36014CC0C5F103B0C06FB415C8D40DD58AC050835

Uniqueness

Uniqueness Score: -1.00%

Function 003D6DE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003D6D52

Part of subcall function 003AD43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003AD448
Part of subcall function 003AD43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003AD4B0
Part of subcall function 003AD43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AD4C1

Strings

@m=, xrefs: 003D6D4C
m=, xrefs: 003D6DE7

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: @m=$m=
API String ID: 697777088-2362710795
Opcode ID: 839bf8205dc0d898ba9fe106b8bf9d65666c3a42ce44d5890677746b57f089df
Instruction ID: 6f11c4930063689b19679bbf2757082fb8ecbaac501fb30add7720bab39edc19
Opcode Fuzzy Hash: 839bf8205dc0d898ba9fe106b8bf9d65666c3a42ce44d5890677746b57f089df
Instruction Fuzzy Hash: FEB0128E35D5016F3149531E7C07E76014CC0C4F30370C56FB015C8A40DD546C450475

Uniqueness

Uniqueness Score: -1.00%

Function 003D6DC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003D6D52

Part of subcall function 003AD43D: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003AD448
Part of subcall function 003AD43D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003AD4B0
Part of subcall function 003AD43D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AD4C1

Strings

vL, xrefs: 003D6DC9
@m=, xrefs: 003D6D4C

Memory Dump Source

Source File: 00000000.00000002.368278832.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.368271791.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369373878.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369384792.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369406395.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.369429440.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: vL$@m=
API String ID: 697777088-3310899492
Opcode ID: 297cca242dd43510cd168461ac13d2865adb570d3817e253e8fc31d0c4030c56
Instruction ID: 46f64a6dd0a4b90f58577e3814804d9e8d37732ce8bbbdf5ba06abb497b3b8a8
Opcode Fuzzy Hash: 297cca242dd43510cd168461ac13d2865adb570d3817e253e8fc31d0c4030c56
Instruction Fuzzy Hash: 25B0128B35C4006E3189531D7C03E36018CC0C4F20370C06FB015C8940DD546C050435

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: radarinstaller.exePID: 4704, Parent PID: 3576COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	399
Total number of Limit Nodes:	21

Executed Functions

Function 002BA630 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002BA671

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,001E124B,http://,?,80004005,4D857E4F,?,003DA6EF,000000FF), ref: 001EA163

LoadLibraryExW.KERNEL32(?,00000000,00000000,0040CDED,000000FF), ref: 002BA744

Strings

UxTheme.dll, xrefs: 002BA64C, 002BA71F, 002BA720, 002BA7B4

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID: UxTheme.dll
API String ID: 2586271605-352951104
Opcode ID: 479b876915a60985f5cb7c18ecdde0f9146133e90bc85c30f2fa00128ee810b9
Instruction ID: 73ef58a32ad4b45c2aad61b98eb7b5be1d9b0a5102afc0ecd9bdb2017643014f
Opcode Fuzzy Hash: 479b876915a60985f5cb7c18ecdde0f9146133e90bc85c30f2fa00128ee810b9
Instruction Fuzzy Hash: E8A18BB0500745EFE714CF68C858B9ABBF4FF04318F24865DE8199B681D7BAA618CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00301E40 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 224
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00301EAE
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00301EF5
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00301F14
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00301F43
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00301FB8
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00302032
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00302084
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00302118
GetProcAddress.KERNEL32(00000000), ref: 0030211F
__Init_thread_footer.LIBCMT ref: 00302133
GetCurrentProcess.KERNEL32(?), ref: 00302156
IsWow64Process.KERNEL32(00000000), ref: 0030215D
RegCloseKey.ADVAPI32(00000000), ref: 00302197

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00301EA4
CurrentBuildNumber, xrefs: 00301FAD
PWqt, xrefs: 00302125, 0030213B
(L, xrefs: 00302091
CurrentMinorVersionNumber, xrefs: 00301F09
CSDVersion, xrefs: 00302079
IsWow64Process, xrefs: 0030210E
, xrefs: 00301F25
CurrentVersion, xrefs: 00301F38
kernel32, xrefs: 00302113
CurrentMajorVersionNumber, xrefs: 00301EEA
ReleaseId, xrefs: 00302027

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: $(L$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$PWqt$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 1906320730-1814513313
Opcode ID: 207c3ae845992862d9e5abcc91cc1ec5236074ac4aa089628f32e7f3f3083515
Instruction ID: 6a9ad8c9a8568340618b4b13e483a9378cb0fe628dce55d143fde74c4c9b1dca
Opcode Fuzzy Hash: 207c3ae845992862d9e5abcc91cc1ec5236074ac4aa089628f32e7f3f3083515
Instruction Fuzzy Hash: C691B0B19017289FDB61CF10CC45FAAB7B5FB44711F1002AAE809A72D0EB75AE94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 003021D0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00302240
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 0030227B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 003022F6
RegCloseKey.KERNEL32(00000000), ref: 003024CE

Strings

Small Business, xrefs: 00302330
ProductSuite, xrefs: 003022EB
Enterprise, xrefs: 00302349
ServerNT, xrefs: 003022A4
Small Business(Restricted), xrefs: 003023AD
Blade, xrefs: 00302410
EmbeddedNT, xrefs: 003023C6
Terminal Server, xrefs: 00302394
Embedded(Restricted), xrefs: 00302427
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00302236
ProductType, xrefs: 00302270
DataCenter, xrefs: 003023DF
Personal, xrefs: 003023F9
CommunicationServer, xrefs: 0030237B
Compute Server, xrefs: 0030246C
BackOffice, xrefs: 00302362
WinNT, xrefs: 00302281
Storage Server, xrefs: 00302455
Security Appliance, xrefs: 0030243E

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 9ab326e868e990c44ed9f5a3cdcf82fb44188235e2c24494d5b8fb8c3fc9c963
Instruction ID: 2db0103df3951c9ad10f8bf07d4a4113e70fc0c7247811965c2da7ebe80ca94e
Opcode Fuzzy Hash: 9ab326e868e990c44ed9f5a3cdcf82fb44188235e2c24494d5b8fb8c3fc9c963
Instruction Fuzzy Hash: 97712D30B013099BDB529B21CC687BF7269EF40744F1144B6ED06ABBC2EB38DD498B95

Uniqueness

Uniqueness Score: -1.00%

Function 002FE790 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 002FE7D8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 002FE7E5
GetLastError.KERNEL32 ref: 002FE7EF
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 002FE819
GetLastError.KERNEL32 ref: 002FE81F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 002FE845
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002FE878
EqualSid.ADVAPI32(00000000,?), ref: 002FE887
FreeSid.ADVAPI32(?), ref: 002FE896
FindCloseChangeNotification.KERNEL32(00000000), ref: 002FE8D0

Strings

<3D, xrefs: 002FE7CF

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID: <3D
API String ID: 2037597787-1474962783
Opcode ID: 68c500cb73ffcce238207a29a5462f14949180a5213f7201aa759d29349dfaaa
Instruction ID: aac75a743806a899a4451281257f504546213ef9944f86e0fcefdbf14fbeef0d
Opcode Fuzzy Hash: 68c500cb73ffcce238207a29a5462f14949180a5213f7201aa759d29349dfaaa
Instruction Fuzzy Hash: D1412971D00209AFDF119FA0CD49BEEBBB8EF08754F154029E511B62A0DB799A14CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0034F2E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 181
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00350324,40000000,00000001,00000000,00000002,00000080,00000000,4D857E4F,?,00000001), ref: 0034F342
WriteFile.KERNEL32(00000000,0000C800,0000C800,0000C800,00000000,?,0000C800), ref: 0034F3D8
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 0034F44C

Strings

<3D, xrefs: 0034F440

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: <3D
API String ID: 1065093856-1474962783
Opcode ID: 12d1cb1d5df6f145f0e5814639690c87394031ac968e70891635ce5affc76560
Instruction ID: 617a24a20b87b20e0188553500178e42386d090eec6eecea94026223dd4b8db3
Opcode Fuzzy Hash: 12d1cb1d5df6f145f0e5814639690c87394031ac968e70891635ce5affc76560
Instruction Fuzzy Hash: AE518E71A10218AFDF05DFA9DD45BDEBBF8FF44310F144229F410AB290DB74A9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 003CA1EC Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 003CA39B

Part of subcall function 003C8247: RtlAllocateHeap.NTDLL(00000000,00000001,00000009,?,003B153C,0000000B,00000009,00000009,?,?,001EFEBC,0000000D,0000000D), ref: 003C8279

__freea.LIBCMT ref: 003CA3B0
__freea.LIBCMT ref: 003CA3C0

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 411ba72a7917482d049d8c80b882d7698d5298936275803158ac3bc81a40298e
Instruction ID: 588323a23cad40db3186a4fa1bb4c5cb3de98705d4f27877dcc95b0f278b8ab7
Opcode Fuzzy Hash: 411ba72a7917482d049d8c80b882d7698d5298936275803158ac3bc81a40298e
Instruction Fuzzy Hash: CB51D07260066EAFEB279EA0DC41FBB3BA9EF44718B16052DFD08DA150EB31CC109761

Uniqueness

Uniqueness Score: -1.00%

Function 002E6270 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,00312377,ProgramFiles), ref: 002E6288
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,?,00312377,ProgramFiles), ref: 002E62BA

Strings

w#1, xrefs: 002E6304, 002E6309, 002E6308

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: w#1
API String ID: 626452242-1099485340
Opcode ID: 21398a45ebdbe7bb92b6838cda9ae7b2eb3635f1f97bf28b3b091dfebe5bf039
Instruction ID: fb3de46b050f0c9a26753da8fe855c948dc2d437e35df65c807b12180a7ad312
Opcode Fuzzy Hash: 21398a45ebdbe7bb92b6838cda9ae7b2eb3635f1f97bf28b3b091dfebe5bf039
Instruction Fuzzy Hash: D711E035300252AFDA109B9ADC99F1EF759EFE4361F60812EF7149B2D0CB31AC118B54

Uniqueness

Uniqueness Score: -1.00%

Function 0021DF35 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Getctype.LIBCPMT ref: 0021DF95
std::_Facet_Register.LIBCPMT ref: 0021DFF7
std::_Lockit::~_Lockit.LIBCPMT ref: 0021E021

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: std::_$Facet_GetctypeLockitLockit::~_Register
String ID:
API String ID: 1274453042-0
Opcode ID: 72c73042130ee4ee9b2b6d9f557802956b8df7251ce4829ea913c8fbe94a1eb1
Instruction ID: 2f0a5b76c58b682edd8266503843f53ecdb52ce649eabb66c29926b37d2ec6c7
Opcode Fuzzy Hash: 72c73042130ee4ee9b2b6d9f557802956b8df7251ce4829ea913c8fbe94a1eb1
Instruction Fuzzy Hash: EF3148B1C04759DBDB11CF68C94179AB7F0FF18304F20829EE4856B691EBB5AA84CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003BB563 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,003BB55D,00000016,003B50F2,?,?,4D857E4F,003B50F2,?), ref: 003BB574
TerminateProcess.KERNEL32(00000000,?,003BB55D,00000016,003B50F2,?,?,4D857E4F,003B50F2,?), ref: 003BB57B
ExitProcess.KERNEL32 ref: 003BB58D

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 36e2d3728ea7b1199ed1dab96a37f68c9dcd474c61f1891e7b3d75d3c3f14c9e
Instruction ID: 3f0d2a940d0645389fc8c920bfaf4d116228442c7694cd44fe2626c514d5c9fa
Opcode Fuzzy Hash: 36e2d3728ea7b1199ed1dab96a37f68c9dcd474c61f1891e7b3d75d3c3f14c9e
Instruction Fuzzy Hash: 28D09E31000608AFCF522F61DC0D89EFF2AEF45355B055165BA0549431CFB1D952DB55

Uniqueness

Uniqueness Score: -1.00%

Function 003CFF9D Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003CFACA: GetOEMCP.KERNEL32(00000000,?,?,00000016,?), ref: 003CFAF5

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,003CFDE1,?,00000000,?,00000016,?), ref: 003CFFFE
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,003CFDE1,?,00000000,?,00000016,?), ref: 003D0040

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 8d80637cf02f5bf5f8555b022c5a45610196fb8f18a794f8c4d1641056f41167
Instruction ID: 65f09f157cf8111ad1c5979b4d933357ead5c3bc21eb83de64ca9ec1dc834982
Opcode Fuzzy Hash: 8d80637cf02f5bf5f8555b022c5a45610196fb8f18a794f8c4d1641056f41167
Instruction Fuzzy Hash: A7513176E00344AEDB2ACF35D880BABBBF5EF81700F19416FD0968B251D7759946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003C9F58 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNEL32(?,003CA2DA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 003C9F8C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,003CA2DA,?,?,00000000,?,00000000), ref: 003C9FAA

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c73419e92c1ec7a2e86a32c9d208075bb25bc0b1b165c5bb107ac41f18ac57d4
Instruction ID: 9dfb1a6f8cad3a6dcf695bf4d2c288c6d66f875ec1ef686e7a73bd8135eb9d77
Opcode Fuzzy Hash: c73419e92c1ec7a2e86a32c9d208075bb25bc0b1b165c5bb107ac41f18ac57d4
Instruction Fuzzy Hash: 64F0683240421ABBCF135F90DC09EDE7F26EB48361B0A4119FE18A5020CB36D871AB98

Uniqueness

Uniqueness Score: -1.00%

Function 003CFB9E Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,003CFDED,003CFDE1,00000000), ref: 003CFBD0

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 85e129ec4714577d15572fa4907ed34630a4ed70f42e4a1f5e7b0ca39e0a62f8
Instruction ID: e87d71c9a2e3b0fce8dd49adfa8b79cdbc1748867b387f440d94722768d9d397
Opcode Fuzzy Hash: 85e129ec4714577d15572fa4907ed34630a4ed70f42e4a1f5e7b0ca39e0a62f8
Instruction Fuzzy Hash: 8F515771A0425C9FDB228A28CD84FE67BBEEB55704F2445FDE49AC7182C335AD46DB20

Uniqueness

Uniqueness Score: -1.00%

Function 002E2170 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177,4D857E4F,?,003DA6EF), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177,4D857E4F,?,003DA6EF), ref: 003B03BA

__Init_thread_footer.LIBCMT ref: 002E21E2

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID:
API String ID: 2296764815-0
Opcode ID: a670e322c0e68b571ae684cdb333a20645a9aedd876400f2153e88d264c6b7d1
Instruction ID: b2679e7e3e34599119a8af76f6294f522520f289528e25f525ade6030e437136
Opcode Fuzzy Hash: a670e322c0e68b571ae684cdb333a20645a9aedd876400f2153e88d264c6b7d1
Instruction Fuzzy Hash: 3E01F7B5944644EBD754DF99EC4AF4973E4E708720F20433EEA1AC77C0DB38AA048B09

Uniqueness

Uniqueness Score: -1.00%

Function 003C97AF Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0000000D,00000001,?,003C8004,00000001,00000364,00000001,00000002,000000FF,?,003B153C,0000000B,00000009,00000009), ref: 003C97F0

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 81bff6b7d2a4d7c52957c314e08c15a0abe53315d5e17ba87f4ba5a6d257cb94
Instruction ID: 32a5d5b4dab9ed3dabde0267e9e6a5a05244d00d4882a55edd8a0c2e15b4f3f3
Opcode Fuzzy Hash: 81bff6b7d2a4d7c52957c314e08c15a0abe53315d5e17ba87f4ba5a6d257cb94
Instruction Fuzzy Hash: 68F054325166256ADB236F229C49F5B7B599B417A0B1B802FAC15EB590CE34DC0047E0

Uniqueness

Uniqueness Score: -1.00%

Function 00301DA0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177,4D857E4F,?,003DA6EF), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177,4D857E4F,?,003DA6EF), ref: 003B03BA

Part of subcall function 00301E40: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00301EAE
Part of subcall function 00301E40: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00301EF5
Part of subcall function 00301E40: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00301F14
Part of subcall function 00301E40: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00301F43
Part of subcall function 00301E40: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00301FB8

__Init_thread_footer.LIBCMT ref: 00301E16

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: fcff6ecec592dec29170ede15e9b66117960fbf560649471087b483fc199b75e
Instruction ID: a3f5e3d04e303c59739732101565279b54044c95aed9dc615089eed2c753a6eb
Opcode Fuzzy Hash: fcff6ecec592dec29170ede15e9b66117960fbf560649471087b483fc199b75e
Instruction Fuzzy Hash: 7501F279B40604EBC751DB58D912F69B3A4F704730F100B3AFA268B7C5E73A7D008A55

Uniqueness

Uniqueness Score: -1.00%

Function 003C8247 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,00000009,?,003B153C,0000000B,00000009,00000009,?,?,001EFEBC,0000000D,0000000D), ref: 003C8279

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5463b14e85444e36cba1a65b176162b4b4356812d9dd89044eea44fe70841480
Instruction ID: 5197d410f77fdcb6f26e31994fe12379bd7a81efb6d96b2ed0a0a27d0500a9f1
Opcode Fuzzy Hash: 5463b14e85444e36cba1a65b176162b4b4356812d9dd89044eea44fe70841480
Instruction Fuzzy Hash: E6E0ED33141A2066DA3327269C0CFAA765D9B823A0F2B492DEC00DA4C0DF20CE0083E0

Uniqueness

Uniqueness Score: -1.00%

Function 003C5F5B Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003C5F62

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: fbfc4ddc62519b5eb276e4d98e9d982e2b46643a0b38d4f95806948616ab1917
Instruction ID: b5a8c9b44ae53ef70a016213a5ff3b27a5c361fd63b509987daf7c28d2a7ddac
Opcode Fuzzy Hash: fbfc4ddc62519b5eb276e4d98e9d982e2b46643a0b38d4f95806948616ab1917
Instruction Fuzzy Hash: DCE09A76C4060E9EDB01DFD4C552BEFB7B8AB08704F508126E215EB141EB7897858BA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001F5580 Relevance: 12.4, APIs: 8, Instructions: 389nativememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F5A10: EnterCriticalSection.KERNEL32(004CE7BC,4D857E4F,00000002,00000000,003DB23D,000000FF,?,001F4987,00000002,00000000,4D857E4F), ref: 001F5A4D
Part of subcall function 001F5A10: LoadCursorW.USER32(00000000,00007F00), ref: 001F5AC8
Part of subcall function 001F5A10: LoadCursorW.USER32(00000000,00007F00), ref: 001F5B6E

SysFreeString.OLEAUT32(00000000), ref: 001F5623
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 001F5754
GlobalAlloc.KERNEL32(00000042,00000000), ref: 001F5836
GlobalLock.KERNEL32 ref: 001F5844
GlobalUnlock.KERNEL32(?), ref: 001F5898
SysFreeString.OLEAUT32(00000000), ref: 001F593C
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 001F5983
SysFreeString.OLEAUT32(00000000), ref: 001F59A2

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FreeGlobalString$CursorLoadNtdllProc_Window$AllocCriticalEnterLockSectionUnlock
String ID:
API String ID: 306625881-0
Opcode ID: 1e3666929daff8919d44e06e7c523a8f230d39551bbbfe57d56fa6845f7f95ce
Instruction ID: 5b109b8eb4d2da46827bd7118b5097ac9bcc5869c86e14da6f0818d74154dac5
Opcode Fuzzy Hash: 1e3666929daff8919d44e06e7c523a8f230d39551bbbfe57d56fa6845f7f95ce
Instruction Fuzzy Hash: DBD1D071900609EFDB11DFA4CC48BBFBBBAAF45324F144168FB11AB291D7749A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C0040 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 449COMMON

Download Yara Rule

Strings

w#1, xrefs: 003C0042
6E=, xrefs: 003C0383, 003C0361
6E=, xrefs: 003C005B, 003C01DE, 003C0407, 003C03A0, 003C022D

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: 6E=$6E=$w#1
API String ID: 0-763883801
Opcode ID: f40ca80c90454d9bb8bd0caa50f101cdb85a86c6e363d9e87564464705d264ef
Instruction ID: fa205a4f4f0c9d4b95c8dcd47321c036c892120e70812487f6d4f575aa926fcd
Opcode Fuzzy Hash: f40ca80c90454d9bb8bd0caa50f101cdb85a86c6e363d9e87564464705d264ef
Instruction Fuzzy Hash: 33F11A75E00259DBDF19CFA9D880BAEB7B1EF88314F15826DE915EB391D730AD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 003C839A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003C8427

Strings

w#1, xrefs: 003C839C

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: _strrchr
String ID: w#1
API String ID: 3213747228-1099485340
Opcode ID: 81f4738b0ccc89e0b9334de42be24ec92ddaeb4e4006c95d88b6c96e87f0cc40
Instruction ID: 6767c8ac6b1093958bf7c31fbbbb43ad52309f9aafe3a787fa6f73e7cceb904b
Opcode Fuzzy Hash: 81f4738b0ccc89e0b9334de42be24ec92ddaeb4e4006c95d88b6c96e87f0cc40
Instruction Fuzzy Hash: 3AB146329042569FDB178F28C881FFEBBA5EF59300F15816EE904EB341DA749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002DC450 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 367COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000), ref: 002DC77A

Strings

Segoe UI, xrefs: 002DC751
NumberValidationTipMsg, xrefs: 002DC5B5
NumberValidationTipTitle, xrefs: 002DC4C5

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID:
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 0-2319862951
Opcode ID: fe3160900da875c14af9a46af723dd1e1d21d2d74a3130fc4124ae4747edcf8f
Instruction ID: fd3a2fdc461b6844e26dea0171174a32316033ee8177d146b28cfa10476dd49b
Opcode Fuzzy Hash: fe3160900da875c14af9a46af723dd1e1d21d2d74a3130fc4124ae4747edcf8f
Instruction Fuzzy Hash: 6CD1DE31A00705AFEB18CF64CC45BEEB7B5EF89300F108699E55AA72D1DB74AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0021B200 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 358libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 0021B328
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 0021B341
GetProcAddress.KERNEL32(00000043,ShutdownEmbeddedUI), ref: 0021B34D
GetProcAddress.KERNEL32(00000043,EmbeddedUIHandler), ref: 0021B35A

Part of subcall function 001EA850: HeapAlloc.KERNEL32(?,00000000,?,4D857E4F,00000000,003D7F70,000000FF,?,?,004BEFDC,?,001E11E6,80004005,4D857E4F,?,003DA6EF), ref: 001EA89A

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Strings

INAN, xrefs: 0021B235
20.2, xrefs: 0021B43A
2c3f1cf9, xrefs: 0021B45E
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 0021B289
build , xrefs: 0021B44F
ShutdownEmbeddedUI, xrefs: 0021B343
EmbeddedUIHandler, xrefs: 0021B34F
InitializeEmbeddedUI, xrefs: 0021B33B

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressProc$HeapInit_thread_footer$AllocLibraryLoadProcess
String ID: build $20.2$2c3f1cf9$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
API String ID: 1086585969-3504904618
Opcode ID: 6b92213ea728bdb33d4f5b98527b8a9d05dd3c8bf1f1eac07a541a2b5af153cf
Instruction ID: 15945aa8342b0e86104d4fdc784ca6e4319e85dcf1334bc5f233fc0b58a9a41a
Opcode Fuzzy Hash: 6b92213ea728bdb33d4f5b98527b8a9d05dd3c8bf1f1eac07a541a2b5af153cf
Instruction Fuzzy Hash: B9D1DE70D1060A9FDB05DFA8CC55BEEBBB4FF18310F148629E915A72C1EB74AA54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001FD0A0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 150fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FD18F

Part of subcall function 003B0328: EnterCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0332
Part of subcall function 003B0328: LeaveCriticalSection.KERNEL32(004C7DCC,?,?,001EACA7,004C89FC,00435FA0), ref: 003B0365
Part of subcall function 003B0328: RtlWakeAllConditionVariable.NTDLL ref: 003B03DC

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,4D857E51), ref: 001FD1E3
CloseHandle.KERNEL32(00000000), ref: 001FD240

Part of subcall function 003B0372: EnterCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177,4D857E4F,?,003DA6EF), ref: 003B037D
Part of subcall function 003B0372: LeaveCriticalSection.KERNEL32(004C7DCC,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177,4D857E4F,?,003DA6EF), ref: 003B03BA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 001FD2A7
CloseHandle.KERNEL32(00000000,003AD0EC), ref: 001FD2CD

Strings

html, xrefs: 001FD19C
<3D, xrefs: 001FD2C1
aix, xrefs: 001FD1A1
L, xrefs: 001FD27B

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: <3D$aix$html$L
API String ID: 2030708724-1320731275
Opcode ID: 84e6f3157a234590a3b75f20bc57b4542cf4958460ba57807dfc9233aef9fd8d
Instruction ID: 5137e862bd22f3345d0e9e1a5fbae44e95acd238969bc0de116b041d165bbc02
Opcode Fuzzy Hash: 84e6f3157a234590a3b75f20bc57b4542cf4958460ba57807dfc9233aef9fd8d
Instruction Fuzzy Hash: 65619DB0901388DFEB14CF95DC59BAEBBF4FB04708F10412DE5016B291DBB96A08CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00300270 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 414fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,4D857E4F,000000D8,?), ref: 003003B9
CloseHandle.KERNEL32(?), ref: 0030072A

Part of subcall function 00300180: LoadStringW.USER32(000000D8,?,00000514,4D857E4F), ref: 003001D6

ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 0030042B
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,00000000), ref: 003006CC

Strings

<3D, xrefs: 0030071B

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: File$Init_thread_footerRead$CloseCreateHandleHeapLoadProcessString
String ID: <3D
API String ID: 1714711150-1474962783
Opcode ID: 4034b8a59184fb4b21a8d514c58aa9bf110779dd4ef40dcf3928e16a3be33827
Instruction ID: c8129314ebc6d80e91c98827ee0da619ff47b46b26c28191a868fd77761de50b
Opcode Fuzzy Hash: 4034b8a59184fb4b21a8d514c58aa9bf110779dd4ef40dcf3928e16a3be33827
Instruction Fuzzy Hash: 52F19E71D01308DBDB25CFA8C959BAEBBB9EF45704F20825DE415AB2C1DB74AA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002FA1C0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 249registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,4D857E4F,4D857E4F,?,?), ref: 002FA404
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 002FA414
RegCloseKey.ADVAPI32(00000000,?,?), ref: 002FA45D

Strings

Advapi32.dll, xrefs: 002FA3FF
<;E, xrefs: 002FA354
RegOpenKeyTransactedW, xrefs: 002FA40E

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: <;E$Advapi32.dll$RegOpenKeyTransactedW
API String ID: 4190037839-1888863923
Opcode ID: 70b6ef5afc3b23ab9a56ff87d3ece1f5ea3f3ca6e17031ec0f605394f4bccf10
Instruction ID: c5cdaeab4264149672f71eace357755301bd5b0b94112a704841ce501a2e994d
Opcode Fuzzy Hash: 70b6ef5afc3b23ab9a56ff87d3ece1f5ea3f3ca6e17031ec0f605394f4bccf10
Instruction Fuzzy Hash: 51A18CB0D10749DFDB14CFA8C848BAEFBF4BF44304F148569E909AB291DB74AA54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002FC5D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 169fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(4D857E4F,00000000,?,\\?\,00000004,?,002FD053,?,4D857E4F), ref: 002FC673

Part of subcall function 001EA140: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,001E124B,http://,?,80004005,4D857E4F,?,003DA6EF,000000FF), ref: 001EA163

RemoveDirectoryW.KERNEL32(?,4D857E4F,?,00000000,?,00000000,004148ED,000000FF,?,002FD053,?,4D857E4F), ref: 002FC6A2
GetLastError.KERNEL32(?,002FD053,?,4D857E4F), ref: 002FC6B2
DeleteFileW.KERNEL32(4D857E4F,00000000,?,\\?\,00000004,?,00000000,004148ED,000000FF,?,80004005,4D857E4F,?,00000000,?,00000000), ref: 002FC783
GetLastError.KERNEL32(?,00000000,004148ED,000000FF,?,80004005,4D857E4F,?,00000000,?,00000000,004148ED,000000FF,?,002FD053), ref: 002FC7C2

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

Strings

hHA, xrefs: 002FC6E5
\\?\, xrefs: 002FC634, 002FC646, 002FC650, 002FC744, 002FC756, 002FC760

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: DirectoryErrorInit_thread_footerLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\$hHA
API String ID: 34920479-2369205873
Opcode ID: 316e2a63d807da853570dada6d55b601a1693a98417c8748227af2ed0a95fbbd
Instruction ID: 0ecf7439c5dd4e864ed766e0b1c90c72e239dcd23d027c674fe40c79acd3ca91
Opcode Fuzzy Hash: 316e2a63d807da853570dada6d55b601a1693a98417c8748227af2ed0a95fbbd
Instruction Fuzzy Hash: 2C51DD719006099FDB10EF68C948BAAF3F8EF04361F21462AFA61D7290CB75AD148F94

Uniqueness

Uniqueness Score: -1.00%

Function 003435B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 003435C0
LoadLibraryW.KERNEL32(Shell32.dll), ref: 003435D3
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 003435E3
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0034366C
SHGetMalloc.SHELL32(?), ref: 003436AE

Strings

Shell32.dll, xrefs: 003435CE
SHGetSpecialFolderPathW, xrefs: 003435DD

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 4e5b278665386615f26569247585076a37c92240fe9bc52db35f11badfa8f690
Instruction ID: f11352f76f98a8a4ca902cbd190d15bf8daee393553bcbad13ca3dd1c17c1288
Opcode Fuzzy Hash: 4e5b278665386615f26569247585076a37c92240fe9bc52db35f11badfa8f690
Instruction Fuzzy Hash: 90310771600302ABDB269F24DC85B67B7F5EFC4701F57C42CE8858B2D0EB79A9458B91

Uniqueness

Uniqueness Score: -1.00%

Function 002AE520 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 342COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002AE7C5
__Init_thread_footer.LIBCMT ref: 002AE891

Strings

`Dialog` = ', xrefs: 002AE5F1
Dialog, xrefs: 002AE63C
PuD, xrefs: 002AE66B
AI_FRAME_NO_CAPTION_, xrefs: 002AE575

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer
String ID: AI_FRAME_NO_CAPTION_$Dialog$PuD$`Dialog` = '
API String ID: 1385522511-1954572031
Opcode ID: e7888ae4389ed8e871d10b783b93c6a75dfd0071565457ee844b835aaabfc9c8
Instruction ID: fecb220322623bd115d6b059a79739421a5a15abbee2668fabca1499198d18f4
Opcode Fuzzy Hash: e7888ae4389ed8e871d10b783b93c6a75dfd0071565457ee844b835aaabfc9c8
Instruction Fuzzy Hash: 99D100B1E10244CFCB54CF78CD85B9EB7B4EF59300F24822EE915AB2A1DB74A905CB95

Uniqueness

Uniqueness Score: -1.00%

Function 001FD310 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 285registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,4D857E4F), ref: 001FD3B1
GetLastError.KERNEL32 ref: 001FD3DA
RegCloseKey.ADVAPI32(?,0044329C,00000000,0044329C,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 001FD64E
CloseHandle.KERNEL32(?,4D857E4F,?,?,00000000,003DC7CD,000000FF,?,0044329C,00000000,0044329C,00000000,?,80000001,00000001,00000000), ref: 001FD6DE

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 001FD412
Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 001FD3A6

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: fc47c99e0319396d6097e5c70bc3820c8c05e24640451af58e4970a7676ca6f0
Instruction ID: 8a36ea9ac61f5ab40e5488ed51b5dc31294b1fbfeda7978d915fdd7d388eaa3b
Opcode Fuzzy Hash: fc47c99e0319396d6097e5c70bc3820c8c05e24640451af58e4970a7676ca6f0
Instruction Fuzzy Hash: 98C1ED70D00348DFDB14CF68D858BAEBBB1FF55304F24829DE559A7281DB74AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F9050 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,4D857E4F,?,?,00000000,?), ref: 001F908E
GetCurrentThreadId.KERNEL32 ref: 001F90CF
EnterCriticalSection.KERNEL32(004CE7BC), ref: 001F90EF
LeaveCriticalSection.KERNEL32(004CE7BC), ref: 001F9113

Part of subcall function 003AFA13: GetProcessHeap.KERNEL32(00000008,00000008,?,001F72C7,?,?,001F7074,?), ref: 003AFA18
Part of subcall function 003AFA13: HeapAlloc.KERNEL32(00000000,?,?,001F7074,?), ref: 003AFA1F

Strings

KL, xrefs: 001F9134
AXWIN UI Window, xrefs: 001F91E5

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalHeapSection$AllocCurrentEnterErrorLastLeaveProcessThread
String ID: AXWIN UI Window$KL
API String ID: 2176831970-2179203408
Opcode ID: 956b9a6be71dcdd9bcf3204f91c0d25d357a50a7e1fbde16346ab2e9e4b37aae
Instruction ID: 51c7e63a097dd855122ceb83132c5a98c898f86bdba8ebc4d2540a18fb7aed80
Opcode Fuzzy Hash: 956b9a6be71dcdd9bcf3204f91c0d25d357a50a7e1fbde16346ab2e9e4b37aae
Instruction Fuzzy Hash: 8651C235604309AFDB10DF59DD04FAABBB8FB98714F10812EFE14AB280D775A914CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0021D180 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0021D1C7
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0021D1D4
GetLastError.KERNEL32 ref: 0021D212
CloseHandle.KERNEL32(00000000), ref: 0021D249

Strings

<3D, xrefs: 0021D1BE
SeShutdownPrivilege, xrefs: 0021D1E2

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: <3D$SeShutdownPrivilege
API String ID: 2767541406-3745702647
Opcode ID: 955225c833dae999d1109e39f7d3276432e7c4aa0a34ff5ff3e325317292ab15
Instruction ID: 4bc38b562a1be39e1e261e0b160343e288c63d4549c0ee19ec5a2d3b8ff81e29
Opcode Fuzzy Hash: 955225c833dae999d1109e39f7d3276432e7c4aa0a34ff5ff3e325317292ab15
Instruction Fuzzy Hash: 76213D70A44209EFEB10DFA0CD49BEEBBF8EB18714F504169E911B62D1DB759904CB28

Uniqueness

Uniqueness Score: -1.00%

Function 001EF046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,.dll,?,00000000), ref: 001EF08B
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 001EF0D4
FreeLibrary.KERNEL32(00000000,00000000,DllGetActivationFactory,00000002,00000000,?,?,?,?,?,.dll,?,00000000), ref: 001EF122

Strings

DllGetActivationFactory, xrefs: 001EF0CE
.dll, xrefs: 001EF072

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: .dll$DllGetActivationFactory
API String ID: 145871493-1250754257
Opcode ID: 40cb2f72f3730a87d29e168b320e1e2804d032d4078def04aa05a0cdb23f7218
Instruction ID: 2a4b97cc25836bf28b6ebd3c6b479a8e77c6b1f112d6b4c03e81cc2eface638b
Opcode Fuzzy Hash: 40cb2f72f3730a87d29e168b320e1e2804d032d4078def04aa05a0cdb23f7218
Instruction Fuzzy Hash: F4517731D00689DEDF15DFA9C895BEEFBB1EF58300F24812DE811A7291DB746A4ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E8330 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,4D857E4F,4D857E4F,?,?,?,?,003D83F0,000000FF), ref: 002E8373
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 002E839C
RegCloseKey.ADVAPI32(00000000,?,?,?,?,003D83F0,000000FF), ref: 002E83FC

Strings

Advapi32.dll, xrefs: 002E836E
RegCreateKeyTransactedW, xrefs: 002E8396

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 4190037839-2994018265
Opcode ID: cbc1111b73ee14f9a30ec15ba0c8cc942e30b93d1967a1e5926cc24bfaee7959
Instruction ID: cffd09f78e52f7674920cf204039f34ff0e6d3444990492f0d106afa9ec3e233
Opcode Fuzzy Hash: cbc1111b73ee14f9a30ec15ba0c8cc942e30b93d1967a1e5926cc24bfaee7959
Instruction Fuzzy Hash: 6531B43265424AEFDB248F45DC45FABB7A8FB48B50F10416AF919D72C0EB71A810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003BB5F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4D857E4F,00000001,?,00000000,00435D89,000000FF,?,003BB589,?,?,003BB55D,00000016), ref: 003BB62E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003BB640
FreeLibrary.KERNEL32(00000000,?,00000000,00435D89,000000FF,?,003BB589,?,?,003BB55D,00000016), ref: 003BB662

Strings

CorExitProcess, xrefs: 003BB638
mscoree.dll, xrefs: 003BB627

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c98c1a22bb39334b7cbd23870269509382bfb4ba151095748f964ff3a7040951
Instruction ID: 42afadd2361205ee03e10a4bf217b0605a3970e09c4f10ea3ccfe7d5dc078842
Opcode Fuzzy Hash: c98c1a22bb39334b7cbd23870269509382bfb4ba151095748f964ff3a7040951
Instruction Fuzzy Hash: 4C01A731940719EFDB118B51DC05FAEF7B8FB08715F01062AF911A26E0DF749800CA98

Uniqueness

Uniqueness Score: -1.00%

Function 001FB490 Relevance: 7.8, APIs: 5, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C946C,4D857E4F,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5), ref: 001FB4FA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5), ref: 001FB57A
EnterCriticalSection.KERNEL32(004C9488,?,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5,000000FF), ref: 001FB733
LeaveCriticalSection.KERNEL32(004C9488,?,?,?,?,?,?,?,?,?,?,00000000,003DC0C5,000000FF), ref: 001FB754

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID:
API String ID: 1807155316-0
Opcode ID: 36f34e48697d066cadb8b037b1a4eba69f42b00001dcf5871038f805acb5806e
Instruction ID: 6be56bcb50d6b98fe6a8bc626b8882d3cfb3001ab80885ebccc8d1786ac434c3
Opcode Fuzzy Hash: 36f34e48697d066cadb8b037b1a4eba69f42b00001dcf5871038f805acb5806e
Instruction Fuzzy Hash: 23B18E70A04249DFDB10DFA4C898BBEBBB4FF48314F258169E905EB291CB75AD44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001F0240 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F028A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001F0290
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 001F02B3
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,003D9B16,000000FF), ref: 001F02DB
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,003D9B16,000000FF), ref: 001F02E1

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: be6346a950a04e99a78f5382e56f40328c82a5ca5e8c238bf26759c40a6f05f6
Instruction ID: 1cf5a25a05cd5dbf3295267776c7ebced4dcd9fee3a2c895cad8fef673e1cfd0
Opcode Fuzzy Hash: be6346a950a04e99a78f5382e56f40328c82a5ca5e8c238bf26759c40a6f05f6
Instruction Fuzzy Hash: 081130B1A44219ABEB11DF94DC06FAFBBBCEB04B54F100519F510AB2C1D7B5AA0487A5

Uniqueness

Uniqueness Score: -1.00%

Function 0032F520 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 001EAB90: GetProcessHeap.KERNEL32 ref: 001EABE5
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EAC17
Part of subcall function 001EAB90: __Init_thread_footer.LIBCMT ref: 001EACA2

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041B9DF,000000FF), ref: 0032F6A3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041B9DF,000000FF), ref: 0032F731

Strings

<3D, xrefs: 0032F694
<< Advanced Installer (x86) Log >>, xrefs: 0032F60F

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>$<3D
API String ID: 3699736680-2439039107
Opcode ID: d5ab4e1820c52b3ac4e852a1ebb12344326d23549a03a528de912e3f7a7f2d3c
Instruction ID: 36cf3a4a3583fc8716c86992b0f2417a34e52dc6e69e65de1c6c182a65c83b3f
Opcode Fuzzy Hash: d5ab4e1820c52b3ac4e852a1ebb12344326d23549a03a528de912e3f7a7f2d3c
Instruction Fuzzy Hash: BD61DA30A04686EFDB01CF68D948B4EBBF0EF45314F1482ADE4009B391DB78AE05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 001F5390 Relevance: 6.3, APIs: 4, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 001F545A
SysFreeString.OLEAUT32(00000000), ref: 001F54A6
SysFreeString.OLEAUT32(00000000), ref: 001F54C8
SysFreeString.OLEAUT32(00000000), ref: 001F5623

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 266048149d1b61ca4316e829def80c87ddd579ad158eff22ef854d78e2fcf574
Instruction ID: ede8d2c475ba95738a121a1e2be6a17504003723ec967521353dc04852e5577d
Opcode Fuzzy Hash: 266048149d1b61ca4316e829def80c87ddd579ad158eff22ef854d78e2fcf574
Instruction Fuzzy Hash: 69A19E71A00649EFDB15CFA8C844FBEBBB9EF44714F104219EA15EB290E774AA01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 003B03FA Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,003B0397,00000064), ref: 003B041D
LeaveCriticalSection.KERNEL32(004C7DCC,?,?,003B0397,00000064,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF), ref: 003B0427
WaitForSingleObjectEx.KERNEL32(?,00000000,?,003B0397,00000064,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF), ref: 003B0438
EnterCriticalSection.KERNEL32(004C7DCC,?,003B0397,00000064,?,?,?,001EAC36,004C89FC,4D857E4F,?,?,003D84ED,000000FF,?,001E1177), ref: 003B043F

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: d2979f627a68a2cd6dd7bee2ab1229097cb4578ebb16994d83f2884f92c71e47
Instruction ID: e5ef55b8c89098afeca465b6d78d9c111c21e4c835fc6f143193c5bd117dad42
Opcode Fuzzy Hash: d2979f627a68a2cd6dd7bee2ab1229097cb4578ebb16994d83f2884f92c71e47
Instruction Fuzzy Hash: 52E09235644624ABCA422F81EC08FEE7F28DF04711F010079FA0E62170CF6119408FDD

Uniqueness

Uniqueness Score: -1.00%

Function 003525A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,4D857E4F,_pbl_evt,00000008,?,?,0045B480,00000001,4D857E4F,00000000), ref: 0035264E
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 0035266B

Strings

_pbl_evt, xrefs: 00352622

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: bbd6908c9167111ba6a96850c6fecc5c5ac07f3cff064ac55ec9687ba2302595
Instruction ID: 5d3cd47293f1f9b00a0092415570d9894d63ca2521183998790da90b64578cd2
Opcode Fuzzy Hash: bbd6908c9167111ba6a96850c6fecc5c5ac07f3cff064ac55ec9687ba2302595
Instruction Fuzzy Hash: 7051A071D10648EFDB10DFA8CC45FEEB7B4FB15710F208229E915A7690DB746A08CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00305040 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,4D857E4F,0045A7FC), ref: 003050AC
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 003051A3

Part of subcall function 002F49B0: std::locale::_Init.LIBCPMT ref: 002F4A8D

Part of subcall function 002F2440: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 002F2515

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 003050CA

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: 372b109b912e2c8beca0873007615bff047d5b30930e4e6477edc4b129bd9fbe
Instruction ID: 81a5a1a2f4918f6f3eaaa18f0104570dc03701e51ec5b3b4f87f5a71065986ce
Opcode Fuzzy Hash: 372b109b912e2c8beca0873007615bff047d5b30930e4e6477edc4b129bd9fbe
Instruction Fuzzy Hash: 0A41D670A017089BDB10DF58CD05BAFBBF8EF44314F204169E505AB2D1DBB49A48CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0022E590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

InterlockedPushEntrySList.KERNEL32(004C8A70,004C8B18,Windows.UI.Xaml.Controls.TextBlock,00000022,4D857E4F,004C9310,000000C4,?,004C8B14,003D8977,000000FF), ref: 0022E668

Strings

Windows.UI.Xaml.Controls.TextBlock, xrefs: 0022E5BA
P", xrefs: 0022E670, 0022E678

Memory Dump Source

Source File: 00000003.00000002.357570819.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.357564563.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358232298.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358324553.00000000004C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358331754.00000000004C6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358337495.00000000004C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.358347139.00000000004D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_radarinstaller.jbxd

Similarity

API ID: EntryInterlockedListPush
String ID: P"$Windows.UI.Xaml.Controls.TextBlock
API String ID: 4129690577-3428865363
Opcode ID: 99b841d883bf709bcf8d65432739948bc58969aeac47de5969ad118453fc8b4d
Instruction ID: 6fb5f3a6fb6c8ec75cc4a26629a882551c35c85ec8ca3b02f0a91c427a787176
Opcode Fuzzy Hash: 99b841d883bf709bcf8d65432739948bc58969aeac47de5969ad118453fc8b4d
Instruction Fuzzy Hash: D1316DB5D1021AABDB00DF94DC45BAEBBB8FB54714F10412EE8116B290EBB56A04CBE1

Uniqueness

Uniqueness Score: -1.00%

Source: radarinstaller.exe, 00000000.00000000.304121126.0000000000438000.00000002.00000001.01000000.00000003.sdmp, radarinstaller.exe, 00000000.00000002.368718623.0000000000438000.00000002.00000001.01000000.00000003.sdmp, radarinstaller.exe, 00000003.00000000.341634402.0000000000438000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 3FlashWindowFlashWindowExGetPackagePathhttp://www.yahoo.comhttp://www.example.comhttp://www.google.comTESTtin9999.tmpattachment=.partGETcharsetDLD "filenameutf-8utf-16123POSTAdvancedInstallerLocal Network ServerISO-8859-1US-ASCIIHTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
Source: radarinstaller.exe	String found in binary or memory: UFlashWindowFlashWindowExGetPackagePathhttp://www.yahoo.comhttp://www.example.comhttp://www.google.comTESTtin9999.tmpattachment=.partGETcharsetDLD "filenameutf-8utf-16123POSTAdvancedInstallerLocal Network ServerISO-8859-1US-ASCIIHTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
Source: radarinstaller.exe	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)

Source: radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr	String found in binary or memory: http://.css
Source: radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr	String found in binary or memory: http://.jpg
Source: wireguard.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wireguard.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wireguard.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: wireguard.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: wireguard.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: radarinstaller.exe, 00000000.00000003.308976652.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, radarinstaller.exe, 00000003.00000003.343479288.0000000003488000.00000004.00000020.00020000.00000000.sdmp, shi8DE1.tmp.3.dr	String found in binary or memory: http://html4/loose.dtd
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, wireguard.exe.1.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: wireguard.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: wireguard.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: wireguard.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: wireguard.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: wireguard.exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: radarinstaller.exe	String found in binary or memory: http://www.google.com
Source: radarinstaller.exe	String found in binary or memory: http://www.yahoo.com
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: wireguard.exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: radarinstaller.exe, ShortcutFlags.dll.0.dr, MSI590C.tmp.0.dr, MSI500E.tmp.0.dr, MSI9FDA.tmp.1.dr, MSI51A5.tmp.0.dr, 6e9004.msi.1.dr, MSI9A2A.tmp.1.dr, MSI52A1.tmp.0.dr, MSI996E.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: wireguard.exe.1.dr	String found in binary or memory: https://www.wireguard.com/
Source: wireguard.exe.1.dr	String found in binary or memory: https://www.wireguard.com/D
Source: wireguard.exe.1.dr	String found in binary or memory: https://www.wireguard.com/donations/key
Source: wireguard.exe.1.dr	String found in binary or memory: https://www.wireguard.com/initSpan:
Source: wireguard.exe.1.dr	String found in binary or memory: https://www.wireguard.net/D

Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\radarinstaller.exe	File opened: a:	Jump to behavior

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report radarinstaller.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6e9005.rbs

C:\Program Files (x86)\Game Radar\Game Radar\RadarGame.exe

C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.exe

C:\Program Files (x86)\Game Radar\Game Radar\Wireguard\wireguard.h

C:\ProgramData\Microsoft\Windows\Start Menu\RadarGame.lnk

C:\Users\Public\Desktop\RadarGame.lnk

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\New

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\ShortcutFlags.dll

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\Up

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\background.jpg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\cmdlinkarrow

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\collecting.jpg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\completeex.ico

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\customex.ico

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\exclamation.ico

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\finalizing.jpg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_left.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_3576\frame_bottom_left_inactive.bmp

Windows Analysis Report
radarinstaller.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre