Edit tour

Windows Analysis Report
DiStem-0.9.10.exe

Overview

General Information

Sample name:	DiStem-0.9.10.exe
Analysis ID:	1426763
MD5:	b7ce9c421b63b546ed2ab4a85237347f
SHA1:	9628b349eb84055011555e1378f38923c5bff59d
SHA256:	34c2cb8faabda345e28fbd7d189da2d08d34209e30d39b355ec4e2ef44e59863
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

DiStem-0.9.10.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\DiStem-0.9.10.exe" MD5: B7CE9C421B63B546ED2AB4A85237347F)

msiexec.exe (PID: 7508 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7552 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D4A075D37BC1D68A01BCA1EB71DE32A6 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: DiStem-0.9.10.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: DiStem-0.9.10.exe

Static PE information: certificate valid

Source: DiStem-0.9.10.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb2 source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb7 source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: DiStem-0.9.10.exe, lzmaextractor.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: DiStem-0.9.10.exe, MSIACD7.tmp.0.dr, MSIB037.tmp.0.dr, MSIB076.tmp.0.dr, MSIAC78.tmp.0.dr, DiStem-0.9.10.msi.0.dr, MSIABF8.tmp.0.dr, MSIAB79.tmp.0.dr, MSIAD94.tmp.0.dr, MSIAD45.tmp.0.dr, MSIB007.tmp.0.dr, MSIAC48.tmp.0.dr, MSIABD8.tmp.0.dr, MSIAB0A.tmp.0.dr, MSIADC4.tmp.0.dr, MSIAC28.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.aiui.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A6E460 FindFirstFileW,GetLastError,FindClose,	0_2_00A6E460
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A94060 FindFirstFileW,FindClose,	0_2_00A94060
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A502F0 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A502F0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AA45D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00AA45D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00954AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00954AD0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AA4A50 FindFirstFileW,FindClose,	0_2_00AA4A50
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A7CD70 FindFirstFileW,FindClose,FindClose,	0_2_00A7CD70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AB9950 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00AB9950
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A6DB30 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00A6DB30
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A99ED0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00A99ED0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00AA3220 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00AA3220

Source: shiAA8C.tmp.0.dr	String found in binary or memory: http://.css
Source: shiAA8C.tmp.0.dr	String found in binary or memory: http://.jpg
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusT
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssur8
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: shiAA8C.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: DiStem-0.9.10.exe	String found in binary or memory: http://schemas.micr
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/DiRoots-Limited/DiRoots.DiStem.Releases/releases
Source: DiStem-0.9.10.exe, 00000000.00000003.1319898874.0000000004F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/DiRoots-Limited/DiRoots.DiStem.Releases/releasesPbw
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diroots.com/contact-us/
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr	String found in binary or memory: https://diroots.com/privacy-policy/
Source: DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diroots.com/privacy-policy/0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr	String found in binary or memory: https://diroots.com/terms-and-conditions

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00A4A060 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,

0_2_00A4A060

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A28250 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,GetSysColor,	0_2_00A28250
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00958FC0 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00958FC0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00ABBB50 NtdllDefWindowProc_W,	0_2_00ABBB50
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00948480 NtdllDefWindowProc_W,GetSysColor,	0_2_00948480
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A06490 NtdllDefWindowProc_W,	0_2_00A06490
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00952590 NtdllDefWindowProc_W,	0_2_00952590
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0094A680 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_0094A680
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00952700 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00952700
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0095E9B0 NtdllDefWindowProc_W,	0_2_0095E9B0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0096CD10 NtdllDefWindowProc_W,	0_2_0096CD10
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0094AE70 NtdllDefWindowProc_W,	0_2_0094AE70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0094B4D0 NtdllDefWindowProc_W,	0_2_0094B4D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_009B1610 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_009B1610
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00947600 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,GetWindowTextLengthW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00947600
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00947DD0 SysFreeString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_00947DD0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A76690	0_2_00A76690
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A849E0	0_2_00A849E0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A88A70	0_2_00A88A70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AD0BB0	0_2_00AD0BB0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00ACD210	0_2_00ACD210
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AB3260	0_2_00AB3260
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00931490	0_2_00931490
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0095F640	0_2_0095F640
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00ADA260	0_2_00ADA260
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A744A0	0_2_00A744A0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B5E48F	0_2_00B5E48F
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0096E420	0_2_0096E420
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00966500	0_2_00966500
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B4C680	0_2_00B4C680
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00962673	0_2_00962673
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B1E8B0	0_2_00B1E8B0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B548A3	0_2_00B548A3
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A4A8C0	0_2_00A4A8C0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00972A20	0_2_00972A20
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_009B4B20	0_2_009B4B20
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B44C9E	0_2_00B44C9E
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00952C40	0_2_00952C40
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00964D40	0_2_00964D40
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0095AFE0	0_2_0095AFE0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0095F0D0	0_2_0095F0D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AD1020	0_2_00AD1020
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B4502C	0_2_00B4502C
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00933480	0_2_00933480
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B254D0	0_2_00B254D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AC9620	0_2_00AC9620
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0096F660	0_2_0096F660
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00ADD850	0_2_00ADD850
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00937AA0	0_2_00937AA0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00ABDCF0	0_2_00ABDCF0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AD1DC0	0_2_00AD1DC0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0095FEA0	0_2_0095FEA0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A99ED0	0_2_00A99ED0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: String function: 00939300 appears 120 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: String function: 009387D0 appears 58 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: String function: 0093A840 appears 57 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: String function: 00954AD0 appears 35 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: String function: 0093AE80 appears 66 times

Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFileName vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A61A000.00000002.00000001.00040000.00000024.sdmp	Binary or memory string: OriginalFilenameDiRoots.CustomActions.dllL vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A61A000.00000002.00000001.00040000.00000024.sdmp	Binary or memory string: OriginalFilenameSfxCA.dll\ vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp	Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFileNameDiStem-0.9.10.aiui. vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFilenamePrereq.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFilenameDiRoots.CustomActions.dllL vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe	Binary or memory string: OriginalFilenameSfxCA.dll\ vs DiStem-0.9.10.exe

Source: DiStem-0.9.10.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: shiAA8C.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: clean8.winEXE@4/100@0/0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00A71850 FormatMessageW,GetLastError,

0_2_00A71850

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00AA5A20 GetDiskFreeSpaceExW,

0_2_00AA5A20

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_0093A700 LoadResource,LockResource,SizeofResource,

0_2_0093A700

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

File created: C:\Users\user~1\AppData\Local\Temp\shiAA8C.tmp

Jump to behavior

Source: DiStem-0.9.10.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT `FileName`,`Version`,`State`,`File`.`Attributes`,`TempAttributes`,`File`,`FileSize`,`Language`,`Sequence`,`Directory_`,`Installed`,`Action`,`Component` FROM `File`,`Component` WHERE `Component`=`Component_` AND `Component_`=? AND `Directory_`=?;So

Source: DiStem-0.9.10.exe

String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade``Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'SET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADEValuePropertyNoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SHAI_STARTMENU_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderStartupFolderAI_SH_DI

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

File read: C:\Users\user\Desktop\DiStem-0.9.10.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DiStem-0.9.10.exe "C:\Users\user\Desktop\DiStem-0.9.10.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D4A075D37BC1D68A01BCA1EB71DE32A6 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D4A075D37BC1D68A01BCA1EB71DE32A6 C	Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Automated click: Install

Source: DiStem-0.9.10.exe

Static PE information: certificate valid

Source: DiStem-0.9.10.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: DiStem-0.9.10.exe

Static file information: File size 91671328 > 1048576

Source: DiStem-0.9.10.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x298000

Source: DiStem-0.9.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DiStem-0.9.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DiStem-0.9.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DiStem-0.9.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DiStem-0.9.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DiStem-0.9.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DiStem-0.9.10.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: DiStem-0.9.10.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb2 source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb7 source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: DiStem-0.9.10.exe, lzmaextractor.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: DiStem-0.9.10.exe, MSIACD7.tmp.0.dr, MSIB037.tmp.0.dr, MSIB076.tmp.0.dr, MSIAC78.tmp.0.dr, DiStem-0.9.10.msi.0.dr, MSIABF8.tmp.0.dr, MSIAB79.tmp.0.dr, MSIAD94.tmp.0.dr, MSIAD45.tmp.0.dr, MSIB007.tmp.0.dr, MSIAC48.tmp.0.dr, MSIABD8.tmp.0.dr, MSIAB0A.tmp.0.dr, MSIADC4.tmp.0.dr, MSIAC28.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.aiui.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr

Source: DiStem-0.9.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DiStem-0.9.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DiStem-0.9.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DiStem-0.9.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DiStem-0.9.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shiAA8C.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00A849E0 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,

0_2_00A849E0

Source: TrialBinaryComponent.0.dr

Static PE information: real checksum: 0x42782 should be: 0x45951

Source: DiStem-0.9.10.exe	Static PE information: section name: .didat
Source: DiStem-0.9.10.aiui.0.dr	Static PE information: section name: .didat
Source: shiAA8C.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shiAA8C.tmp.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A4B220 push ecx; mov dword ptr [esp], 3F800000h	0_2_00A4B37F
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B3D20E push ecx; ret	0_2_00B3D221
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_0094F3B0 push ecx; mov dword ptr [esp], ecx	0_2_0094F3B1

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAB79.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAC28.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAC78.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAC48.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\shiAA8C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIABF8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB037.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAD45.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIADC4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB007.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIABD8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB076.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIACD7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\MSIAD94.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

File created: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui

Jump to dropped file

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent	Jump to dropped file

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAB79.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC28.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC78.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC48.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiAA8C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIABF8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB037.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAD45.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIADC4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB007.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIABD8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB076.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIACD7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAD94.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-60432

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ProgramData FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A6E460 FindFirstFileW,GetLastError,FindClose,	0_2_00A6E460
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A94060 FindFirstFileW,FindClose,	0_2_00A94060
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A502F0 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A502F0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AA45D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00AA45D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00954AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00954AD0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AA4A50 FindFirstFileW,FindClose,	0_2_00AA4A50
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A7CD70 FindFirstFileW,FindClose,FindClose,	0_2_00A7CD70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00AB9950 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00AB9950
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A6DB30 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00A6DB30
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00A99ED0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00A99ED0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00AA3220 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00AA3220

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00B395C6 VirtualQuery,GetSystemInfo,

0_2_00B395C6

Source: DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V Administrators

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00B416F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B416F3

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00AA7750 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00AA7750

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

0_2_00A849E0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B3C0ED mov esi, dword ptr fs:[00000030h]	0_2_00B3C0ED
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B5668A mov eax, dword ptr fs:[00000030h]	0_2_00B5668A
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B56646 mov eax, dword ptr fs:[00000030h]	0_2_00B56646
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B47D54 mov ecx, dword ptr fs:[00000030h]	0_2_00B47D54

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00B3C159 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00B3C159

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_009723A0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_009723A0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B3CBDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B3CBDE
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00975000 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00975000
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Code function: 0_2_00B416F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B416F3

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00A6A020 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

0_2_00A6A020

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: GetLocaleInfoW,GetLocaleInfoW,

0_2_00A9C2B0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_down.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_normal.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_inactive.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_down.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_hot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_normal.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_inactive.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_mid.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_mid_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_caption_datGray.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_caption_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_left.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_left_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_mid.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_mid_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_right.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_right_inactive.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PrepareDlgProgress.gif VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PrepareDlgProgress.gif VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundprepareDarkGray.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\nextcancelbuttons VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\browsebutton VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundDarkGray.bmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backbutton VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\nextcancelbuttons VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metroinstallbuttonDarkOrange.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00AB48E0 CreateNamedPipeW,CreateFileW,

0_2_00AB48E0

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00B3D61E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B3D61E

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00AB3260 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,

0_2_00AB3260

Source: C:\Users\user\Desktop\DiStem-0.9.10.exe

Code function: 0_2_00937AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_00937AA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	27 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIAB79.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIABD8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIABF8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAC28.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAC48.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAC78.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIACD7.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAD45.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIAD94.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIADC4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB007.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB037.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB076.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiAA8C.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.micr	0%	URL Reputation	safe
https://diroots.com/privacy-policy/	0%	Virustotal		Browse
https://diroots.com/terms-and-conditions	0%	Virustotal		Browse
https://diroots.com/contact-us/	0%	Virustotal		Browse
https://diroots.com/privacy-policy/0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://diroots.com/terms-and-conditions	DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr	false	0%, Virustotal, Browse	unknown
http://html4/loose.dtd	shiAA8C.tmp.0.dr	false		low
https://diroots.com/contact-us/	DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://.css	shiAA8C.tmp.0.dr	false		low
http://schemas.micr	DiStem-0.9.10.exe	false	URL Reputation: safe	unknown
http://.jpg	shiAA8C.tmp.0.dr	false		low
https://diroots.com/privacy-policy/	DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr	false	0%, Virustotal, Browse	unknown
https://api.github.com/repos/DiRoots-Limited/DiRoots.DiStem.Releases/releasesPbw	DiStem-0.9.10.exe, 00000000.00000003.1319898874.0000000004F98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/DiRoots-Limited/DiRoots.DiStem.Releases/releases	DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://diroots.com/privacy-policy/0	DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6AA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426763
Start date and time:	2024-04-16 15:32:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DiStem-0.9.10.exe
Detection:	CLEAN
Classification:	clean8.winEXE@4/100@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:23:46	API Interceptor	6x Sleep call for process: DiStem-0.9.10.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp	https://downloads.decipher-media.com/DecipherTextMessage.exe	Get hash	malicious	Unknown	Browse
	https://downloads.decipher-media.com/DecipherTextMessage.exe	Get hash	malicious	Unknown	Browse
	Payslip-9583.exe	Get hash	malicious	Unknown	Browse
	test.exe	Get hash	malicious	Globeimposter	Browse
	test.exe	Get hash	malicious	Globeimposter	Browse
	2024.04.02#U4e1a#U52a1#U5bf9#U63a5#U66f4#U65b0.txt.msi	Get hash	malicious	GhostRat	Browse
	troca.msi	Get hash	malicious	Unknown	Browse
	Epdf_information.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll	https://downloads.decipher-media.com/DecipherTextMessage.exe	Get hash	malicious	Unknown	Browse
	https://downloads.decipher-media.com/DecipherTextMessage.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3943824
Entropy (8bit):	6.437267601690084
Encrypted:	false
SSDEEP:	98304:SDuIpsPu5Z0zlkDF3UYjYGdvLUfY6u/oGdSNo/7:xIpsPu5Z0z6yYkGdL/oK
MD5:	13B7EA913512F889094E41B82040D984
SHA1:	F430F664B1C43432C078AFF5C259105AD1593C41
SHA-256:	9F03CF4307100FB2E9A5E740C561E91CDADD81815EF9F516BBE0239B261049EB
SHA-512:	C4164D33D3914F72CC27D9640BBC06C2DA386AA079D2C0F7F5595630D71F2E70AA22F63C64A718836183497B98A221378C2EC1D418A9697A8C8964B5E4EAC135
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........^............$...L...$.......5w......5w......5w......$.......$.......$.......$................t..s....t........}......t......Rich............PE..L......e.........."....'..).........0. .......)...@...........................<.....Q.<...@.................................(.4.<.....5.x/..........8.<.X(....9.....`...p...........................`.+.@.............). .....4.@....................text.....).......)................. ..`.rdata...8....)..:....).............@..@.data.........4..4....4.............@....didat........5.......4.............@....rsrc...x/....5..0....4.............@..@.reloc........9......*9.............@..B................................................................................................................................................................................................................................................

C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.msi

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {AC3E06E9-7BAF-43C4-8229-DF7E9A839035}, Number of Words: 2, Subject: DiStem, Author: DiRoots, LDA, Name of Creating Application: DiStem, Template: ;1033, Comments: This installer database contains the logic and data required to install DiStem., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Apr 1 08:02:22 2024, Last Saved Time/Date: Mon Apr 1 08:02:22 2024, Last Printed: Mon Apr 1 08:02:22 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	3141632
Entropy (8bit):	6.596340225806549
Encrypted:	false
SSDEEP:	49152:6CLImSycFTznm9500zjjZ1haJBcvYna5CXuoRoU/uc+Dw9MD5rRnldOW:1syclkABcvdUWcswKXO
MD5:	318D40952E30730BBE9C707273CB64E9
SHA1:	A6181961AAB6AF3562D156AD3E6659CDAA89FEC4
SHA-256:	E0583C50BD1094EDF07CE00B9604BF98704AF0385DCE3E51577FAE8199F8C13D
SHA-512:	4C26AB059604D17B7D149DBF54EFAF6FE7D08EF1BD1E4F65FF7DF879FD8B73196D71BC62F8D94E89EF9ECAA33B1C79EE2D63499960C8D510708876EE0BD57666
Malicious:	false
Reputation:	low
Preview:	......................>...................0...........................................x.......t...............................................\|...........................................................................................................................................................................................................................................................................................................................................................................................{...............................................................B............................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...;.../...0...=...2...3...4...5...6...7...8...9...:.......<...?...>...A...@...C...D...b...E...y...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...x...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w.../.......z...

C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	data
Category:	dropped
Size (bytes):	80641071
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	934ABE15CC510F769E493A4272910A99
SHA1:	FA21F1F32293864CDB2D8B4E9D185059A7896DD9
SHA-256:	5F9424DAA45791BC9F4C85517D49D0291417EF141143E3123472151960886F9B
SHA-512:	26F2C89423A1DEBB1E7B51F93393AD400CFDCA28B80C5562D74C7F85AA2C0D9B72AC5A1D18F1C83193DA558157A478E7D7E99B228822976D3E8D385603CD05E9
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	261672
Entropy (8bit):	6.306816867231044
Encrypted:	false
SSDEEP:
MD5:	5C230B01150B4A50FA2EB8A2001B3B42
SHA1:	BCB5E4D9C5C47794C960FDA16196C4FAD23DF019
SHA-256:	FECE449F9A848908A1B872B406846A59AAB2812D4E1F979AC07E81EBA2FB757B
SHA-512:	8F3B8D306E567D828DCB701A556B6DA3714BDF68A2F1E45E30CD2186CA27EE44916CF50AA2240BE989F8BEDE7DD3F75BABEADAE9A43E42B6569FD1F5D095C96F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6m..X>..X>..X>(..>..X>(..>..X>(..>..X>E.[?..X>E.\?..X>E.]?..X>...>..X>..Y>;.X>8.]?..X>8.X?..X>8.>..X>...>..X>8.Z?..X>Rich..X>........PE..L.....Z...........!.....B...\|.......L.......`............................................@..........................{.........x.......d...............H(...... ....r..T...........................Xr..@............`..l............................text....A.......B.................. ..`.rdata...P...`...R...F..............@..@.data...t...........................@....rsrc...d...........................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	298848
Entropy (8bit):	6.876442823747918
Encrypted:	false
SSDEEP:
MD5:	1DB3AA8F1AE21A2E0AB418A4D99418EE
SHA1:	20AFC74196A7E1B1A7D845F380B61842D56CA63B
SHA-256:	37DB005DDB90C3BFB2DBE200BEBD608BE46EF135130D137FC34D1A9729585AC3
SHA-512:	88EFB87E3B3DCB472AFFAF225D591D30C3F8DF6DEC4ABABBFC2160F1A0101352317762AA669D5AB4217B59C5F008AE32440E68A761E8F6BE1E0B28129E01B8B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X?w.9Q$.9Q$.9Q$FKR%.9Q$FKT%29Q$FKU%.9Q$W.U%.9Q$W.R%.9Q$W.T%.9Q$FKP%.9Q$.9P$^9Q$e.X%.9Q$e.Q%.9Q$e..$.9Q$.9.$.9Q$e.S%.9Q$Rich.9Q$................PE..L......e.........."!...'............@................................................z....@A.........................&......P'..x....`...............R..`=...p...... ...p...........................`...@............................................text............................... ..`.rdata..dq.......r..................@..@.data........@.......$..............@....rsrc........`.......0..............@..@.reloc.......p.......6..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\New

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.9169468593135157
Encrypted:	false
SSDEEP:
MD5:	1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
SHA1:	6E567D732354BBB21F9A57BBB72730C497F35380
SHA-256:	4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B
SHA-512:	5EFEA023B18FFD5B87A19837BA2C72C179B55B7C3071B773A032C63D7268DBE25E2902AE8B111AD83A4F005346B378C7A75033ADAEE90805BCB4FEC2822E54C0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 1264 x 1264, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	24927
Entropy (8bit):	7.786328670778166
Encrypted:	false
SSDEEP:
MD5:	8F4542ED2CA41F7386AAA5DBFD4C9D0F
SHA1:	FDEFF00F34CAD5067DB5CAE44DD35AE1C2364485
SHA-256:	F2A4E0786B005D2520660AB452D044FAB24516F1DC9217C25A3FEEE23C573363
SHA-512:	419F4C8A4CB8BD160A036B11D1CBE0CA43280032EEB365B654167E67C88D0E2926F661C96EC2AC950A91B6D4BE16E8E4B0F53CF543A04A711295BF72F434CBE3
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............M.N1....sRGB.........gAMA......a....6PLTE....u.i.F..u.R.].Q.h..t...]..t.^...i..u....c.....tRNS........................pHYs..........o.d..`.IDATx^..ac.9..a......9...?......R.J]%....%ul...I.....C.<.. x..A......8...p........1...c.<.. x..A......8...p........1...c.<.. x..A..........w....... x...?......I...>......?t..c.....>.......I..y/?n.w2....c..lx.>....8....k...-wo4..!x.._..F..>.C.. ....f.o6I....~.O..I..ft5......._.8......o._.....A.q..Nt._......F....o#../..%.C..O.3..m\\|Z..f)H..E..w....?u._./MT.N.2.w......U}v...@..B......ju.S(.9...t.N.d...'Q.c..-......iO...%F....u......w...........(...w.....>...;...^.;...O...MZ.N.._..[#x...R...]..6..[#x..zu.i....I...^u.\.i..........8....-t..xw.....t.....T]ijl........C<..+.....K.&O,$.<....+.Tg.=1..3..m......[..?......G.J.u.N...t....U.Q.....N...iwG..e.@.$......#x.......I......+l..3>....I..9...^a.o....?I...8_i.l....k4..H).%<..;.W....Z"%.b.-.M...t....)..C\|......+.k.....Z.....m.o

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PrepareDlgProgress.gif

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	GIF image data, version 89a, 83 x 28
Category:	dropped
Size (bytes):	24915
Entropy (8bit):	7.8131110484157675
Encrypted:	false
SSDEEP:
MD5:	F550F449BAED1315C7965BD826C2510B
SHA1:	772E6E82765DCFDA319A68380981D77B83A3AB1B
SHA-256:	0EE7650C7FAF97126DDBC7D21812E093AF4F2317F3EDCFF16D2D6137D3C0544D
SHA-512:	7608140BC2D83F509A2AFDAACD394D0AA5A6F7816E96C11F4218E815C3AAABF9FC95DD3B3A44B165334772EBDAB7DFA585833850DB09442743E56B8E505F6A09
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GIF89aS..............................!!!%%%)))---111444999===AAADDDIIILLLQQQUUUYYY^^^aaaeeehhhnnnpppuuuyyy\|\|\|................................................................................................!..NETSCAPE2.0.....!..Built with GIF Movie Gear 4.0.!.......,....S......@.pH,.....`h:..e.I.Z....< ...xL.....um..B&B.h<..\|..P .Sl.XJP.PR.s.............~...]ae.d.i.....06....60..i..........m......r..3...3...S.....m.......6.6...S...UL......6......\.C.......0`H;....#.O.@.Cl\x..^........H.u..d8A.$.....R.A...%r.).DJ!.)........@.v.i...&.. z..B.4.. ..".XY..X...JM2]...T.T'Z}.5..t...-9.T.gg..Y4d[.o...9.d].....Q.N.....J....\....."K...2a..&.x....#.zzn..P[7.{5..}......7g.a..\.$..s7.~z"...C~......2..me....$_59C..3-.....+w....Mp..8.8`.eV 8....2L1.(x...8.M..$P.\.`.......3.b.3x .......`........0..$<^P.%....6k.a..I(B..z4...}.I.G...)_x..g...`..E.Od...A..!.......,....S......@.pH,....r.l6..4.2.J...Hx.`/.`PN..a.n..Lmb.h8.....X$..h.X.Z[\................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ProgressImageDarkOrange.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 121 x 14, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	219
Entropy (8bit):	5.7869487901911425
Encrypted:	false
SSDEEP:
MD5:	B4D916E069A248858BA7BA5289F979E7
SHA1:	FBDC7726862E8545AFF860C0A4510BE8C135720D
SHA-256:	71EF059A0A9EBC24563E1C6A9D4496486F7AB4CDD3D4C4C65C0283F92653D328
SHA-512:	3E530B80B6EB206176E13019BE3D846485ECF85C2D9AE3E3ED5FAF2674AF49F2C49E0EDBD5929E5F22D613F99274E0D7252830E60CA822A3F63102F953599929
Malicious:	false
Preview:	.PNG........IHDR...y...........0....sRGB.........gAMA......a.....pHYs..........+......bKGD..............tIME......0..>H...KIDATXG.... ..................-3w<...z.>fd.#......F.02.....`d.#......8....)......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	234496
Entropy (8bit):	6.472875496987401
Encrypted:	false
SSDEEP:
MD5:	A41D1B688B645D8F2BE08B0F20333C4D
SHA1:	B07605A2950DDE1D7255C406DAAD26038370BD89
SHA-256:	774C22EFC192167FB15CEBEB2AE5C25E323DB8051C13D82082D3B10D085F396C
SHA-512:	4DE8C9997A37A00304F9F6E1016DBDA81E86F69A8A5AB59D90DE5C4344834203D574246E881C8B33F6D0593F1CCCE51B6D01772D14B81F8A6CDB979FEBB04C06
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..O_.O_.O_..-..D_..-.._....^_.....X_....._..-.Y_..-.@_.O_.._....Y_....N_...<.N_.....N_.RichO_.................PE..L......e.........."!...'.............E...............................................'....@A.........................m..l....n..x...............................L!..0=..p....................=......p<..@............................................text............................... ..`.rdata..............................@..@.data................b..............@....rsrc................n..............@..@.reloc..L!......."...r..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\Up

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.7901346596966383
Encrypted:	false
SSDEEP:
MD5:	FD64F54DB4CBF736A6FC0D7049F5991E
SHA1:	24D42FB471AAA7BCD54D7CCB36480F5ADD9B31D4
SHA-256:	C269353D19D50E2688DB102FEF8226CA492DB17133043D7EB5420EE8542D571C
SHA-512:	EC622AFAB084016F144864967A41D647E813282CB058F0F11E203865C0C175BA182E325A6D5164580FF00757C8475B61DE89CCC8E892E1B030E51B03AD4EAFB4
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\applogoicon.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 78 x 84 x 24, image size 19824, resolution 2835 x 2835 px/m, cbSize 19878, bits offset 54
Category:	dropped
Size (bytes):	19878
Entropy (8bit):	1.9713477137195046
Encrypted:	false
SSDEEP:
MD5:	AF7AD9A40809C0D00004383C656C3692
SHA1:	898B75659E67E7E1DCC9E028BA92B9888CE53BAC
SHA-256:	83BFDB826D2D753F31B12C1D0A62E36D96004DC32038AE85D9006CA578612B60
SHA-512:	B325313982285754CDFDC61B165D1968DDD0437A1C0BB46D35C04BE03E3444A3D189BADED903EB91806552D26C1544D0576D2F8EA754EA4776054CB237BFCAD5
Malicious:	false
Preview:	BM.M......6...(...N...T...........pM..................................................................................................................***IIIppp.....................pppWWW888.........................................................................................................................................................................................III........................................................WWW....................................................................................................................................................................WWW.............................ppppppppppppppp{{{...........................uuu..................................................................................................................................................$$$....................WWW.............................................CCC...................III.........................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\applogoicon.svg

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1955
Entropy (8bit):	4.835536078360301
Encrypted:	false
SSDEEP:
MD5:	FF826E03EACA49A0F5ECA2845722B392
SHA1:	85D586FE9B2B6E96F50CACEEA75AD8C35DC1A6D2
SHA-256:	A5A804FE96B5412698C7375710886601EFE505E3FADCA2DA60570F22F5CAA60D
SHA-512:	35B5AB3D9BC04C220AC72D19AFCBEFFCCED6662E41B0EDA5751ECCF22C99C18DE149CEEC95EAC3ACC330F1C9F709FAC84584E9BDD57B344D6483EE3D093305AB
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Generator: Adobe Illustrator 25.4.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->..<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"... viewBox="0 0 61.6 61.6" style="enable-background:new 0 0 61.6 61.6;" xml:space="preserve">..<path style="fill:white;" d="M37.4,25l-1.2,4.6c0.6,1,1,2.1,1,3.4c0,3.5-2.8,6.3-6.3,6.3c-2.6,0-4.9-1.6-5.8-3.9l-4.4-1.1...c0.6,5.1,5,9,10.2,9c5.7,0,10.3-4.6,10.3-10.3C41.1,29.8,39.7,26.9,37.4,25z"/>..<path style="fill:white;" d="M31.638,8.748c13.893,0,25.196,11.303,25.196,25.196S45.531,59.14,31.638,59.14...S6.442,47.837,6.442,33.944S17.744,8.748,31.638,8.748 M31.638,6.748c-15.02,0-27.196,12.176-27.196,27.196...S16.618,61.14,31.638,61.14s27.196-12.176,27.196-27.196S46.657,6.748,31.638,6.748L31.638,6.748z"/>..<path style="fill:white;" d="M8.458,28.019L14.7,29.6l0.4-1.6c-0.7-1-0.9-2.2-0.6-3.4c0.6-2.3,3.1-3.5,5.6-2.9...c2.5,0.7,4,3,3.4,5.3c

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backbutton

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	404
Entropy (8bit):	6.07293049970108
Encrypted:	false
SSDEEP:
MD5:	50E27244DF2B1690728E8252088A253C
SHA1:	B84AD02FD0ED3CB933FFBD123614A2495810442B
SHA-256:	71836C56EC4765D858DC756541123E44680F98DA255FAF1ECE7B83D79809B1C3
SHA-512:	BA3D3535BFD2F17919E1A99E89FDB1C9A83507FF3C2846C62770E210A50AEE1281445D510858D247CC9619861089AAF20F45B0B7C39F15C0EA039AC5498FA03E
Malicious:	false
Preview:	.PNG........IHDR...p...%.............bKGD.......C......pHYs.................tIME......1.!.@...!IDATx.....@..QJ00....\|..u......q.a..0..b .....{..O..rE.a....n.....).........M..0-....ca.\|.....U.q.<n.........u~b.W.d.....}......?^...&F....8.........@... ....p..............p...8.........@... .............. ....p...8.........@....8.........@... ....p....!.............Y.L..!..8...y...'.1./9....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backbutton.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\background

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 24, image size 80, resolution 3778 x 3778 px/m, cbSize 134, bits offset 54
Category:	dropped
Size (bytes):	134
Entropy (8bit):	1.690754928353098
Encrypted:	false
SSDEEP:
MD5:	A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA1:	0C1E18F6F5E6E5E6953E9FB99CA60FDEC35D6E39
SHA-256:	F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787
SHA-512:	7E53F9F564AAA529B3B15035671957C2923EC98DDEE93758EA7A4C8645EE9058962078771B853E3490290FDE1F57030DFF5092D40D69418776FFEE89F79C8A7C
Malicious:	false
Preview:	BM........6...(...................P...................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundDarkGray.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 24, image size 80, resolution 3778 x 3778 px/m, cbSize 134, bits offset 54
Category:	dropped
Size (bytes):	134
Entropy (8bit):	1.6907549283530976
Encrypted:	false
SSDEEP:
MD5:	53BDA4FA52D15D522CD38104C9395A2B
SHA1:	C1003C96ED396A42F96A2DC08E6C37BC4143BE88
SHA-256:	DF471B435B0B33748E57056F8319C1D135763DB6B85F7A553D581A38AAA2E243
SHA-512:	53657322FFDDD593ED94867D11C2B0FBDBC3A14E5AB69E5C250BFC5714838D97FDE6DE5C0104218E4A8B08A1EA8262A0C77144C8CBF373A579E46E86E9F4A958
Malicious:	false
Preview:	BM........6...(...................P...................999999999999999.999999999999999.999999999999999.999999999999999.999999999999999.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundprepare

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 24, image size 80, resolution 3778 x 3778 px/m, cbSize 134, bits offset 54
Category:	dropped
Size (bytes):	134
Entropy (8bit):	1.690754928353098
Encrypted:	false
SSDEEP:
MD5:	A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA1:	0C1E18F6F5E6E5E6953E9FB99CA60FDEC35D6E39
SHA-256:	F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787
SHA-512:	7E53F9F564AAA529B3B15035671957C2923EC98DDEE93758EA7A4C8645EE9058962078771B853E3490290FDE1F57030DFF5092D40D69418776FFEE89F79C8A7C
Malicious:	false
Preview:	BM........6...(...................P...................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundprepareDarkGray.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 24, image size 80, resolution 3778 x 3778 px/m, cbSize 134, bits offset 54
Category:	dropped
Size (bytes):	134
Entropy (8bit):	1.6907549283530976
Encrypted:	false
SSDEEP:
MD5:	53BDA4FA52D15D522CD38104C9395A2B
SHA1:	C1003C96ED396A42F96A2DC08E6C37BC4143BE88
SHA-256:	DF471B435B0B33748E57056F8319C1D135763DB6B85F7A553D581A38AAA2E243
SHA-512:	53657322FFDDD593ED94867D11C2B0FBDBC3A14E5AB69E5C250BFC5714838D97FDE6DE5C0104218E4A8B08A1EA8262A0C77144C8CBF373A579E46E86E9F4A958
Malicious:	false
Preview:	BM........6...(...................P...................999999999999999.999999999999999.999999999999999.999999999999999.999999999999999.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundsurface

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 24, image size 80, resolution 3778 x 3778 px/m, cbSize 134, bits offset 54
Category:	dropped
Size (bytes):	134
Entropy (8bit):	1.690754928353098
Encrypted:	false
SSDEEP:
MD5:	A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA1:	0C1E18F6F5E6E5E6953E9FB99CA60FDEC35D6E39
SHA-256:	F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787
SHA-512:	7E53F9F564AAA529B3B15035671957C2923EC98DDEE93758EA7A4C8645EE9058962078771B853E3490290FDE1F57030DFF5092D40D69418776FFEE89F79C8A7C
Malicious:	false
Preview:	BM........6...(...................P...................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundsurfaceDarkGray.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 5 x 5 x 24, image size 80, resolution 3778 x 3778 px/m, cbSize 134, bits offset 54
Category:	dropped
Size (bytes):	134
Entropy (8bit):	1.6907549283530976
Encrypted:	false
SSDEEP:
MD5:	53BDA4FA52D15D522CD38104C9395A2B
SHA1:	C1003C96ED396A42F96A2DC08E6C37BC4143BE88
SHA-256:	DF471B435B0B33748E57056F8319C1D135763DB6B85F7A553D581A38AAA2E243
SHA-512:	53657322FFDDD593ED94867D11C2B0FBDBC3A14E5AB69E5C250BFC5714838D97FDE6DE5C0104218E4A8B08A1EA8262A0C77144C8CBF373A579E46E86E9F4A958
Malicious:	false
Preview:	BM........6...(...................P...................999999999999999.999999999999999.999999999999999.999999999999999.999999999999999.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\browsebutton

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 168 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	253
Entropy (8bit):	6.4627211773425355
Encrypted:	false
SSDEEP:
MD5:	9554BE0BE090A59013222261971430AD
SHA1:	9E307B13B4480D0E18CFB1C667F7CFE6C62CC97C
SHA-256:	F4302EE2090BC7D7A27C4BC970AF6EB61C050F14F0876541A8D2F32BC41B9BAB
SHA-512:	AC316F784994DA4FED7DEB43FE785258223ABA5F43CC5532F3E7B874ADC0BC6DBCD8E95E631703606DFAA2C40BE2E2BB6FA5BC0A6217EFE657E74531654EA71C
Malicious:	false
Preview:	.PNG........IHDR.............#I......pHYs.................tIME......5a.aP....IDATx.....1.@..s.....S.....`0QP.............@f.....:E....=...]..~CDDk.d......r.q...~FD..U.\|..k..}..~..?&P...E. P.(..."P.(....@.(....@A......E...X.0/.....-.%....M....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\browsebutton.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 192 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	6.8648053065414425
Encrypted:	false
SSDEEP:
MD5:	66B8EDD5C8D3C2A537EDB010936DDA68
SHA1:	13D17A6CF6ABD165DEFA6A932FAC119E1F596AF4
SHA-256:	787B6E964CE0B74D08C69E3C4FCCD44AFDA06D473FD74A876A3EC2BD257684D4
SHA-512:	70142E2D4F48157108B240A7B09779F18A45F7267AE9DD8E7EBCB9544D71FFC45E2E273103E27D911607705E1920AFDFEFA45C3D01698CC807F37F71D99D1B0C
Malicious:	false
Preview:	.PNG........IHDR.............@.p(....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:983120C3A95DE3119B6BB3872EBFD7FA" xmpMM:DocumentID="xmp.did:A83AC654DAA511E3ABF7D2281DD1A78E" xmpMM:InstanceID="xmp.iid:A83AC653DAA511E3ABF7D2281DD1A78E" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6A4486C595DAE311A51EEE8397849EC8" stRef:documentID="xmp.did:983120C3A95DE3119B6BB3872EBFD7FA"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>k.O.....IDATx..1K.@.._j......(.....K..."H'?A.....

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox_for_ctrls

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 192 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	627
Entropy (8bit):	7.533289354244788
Encrypted:	false
SSDEEP:
MD5:	9C6E1CA14E8A1B292B939D097A1D66BA
SHA1:	98EC4B3B5C82C89D80D098C6542A771CE1B8BF6A
SHA-256:	2E3CA17AEC0C1E13FA3939123934EFAD87C3B98BB5FFAD9864C184D9B60F1C9F
SHA-512:	706A344E684C1C7F5584D52C4C554AF91C678E771452F973C513F5612985153C4A7DC661C86F7377A912F194C2969CF5A3719F0E9BE6D977B385AB12A4F2FC97
Malicious:	false
Preview:	.PNG........IHDR.............@.p(....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..Z1k.P...!.....R...Atqp.R.T....?.....-......8H..R;9....P(.....I.{i.^..>8..y....3Os].x...!L..} ......~F.>x&H.J.{../...n`......VK.E.v.E.'.7 ....<7..@.4L.z..'..Ui.t:-..R\|.-.?x..+.a.P.. .L.x<.qa"o.GHG...O.o.K..4....r.\.y].!/...>.D..7......Lfm'....,.3..W....S.[.R..k.l6.cW..=...^...%y....G..........f.P(..TA,...d..b.L...q....j....F^#..'.g............K.....t:.]...m.,k}m...o........5...D..?.^....f.l6a0.@...\|.>.........=....<U..A.O.s....=..0..a.X.xO....?..)..z)..t:.Q..6.)...G.(...o..Wq.....kt....(......!...`..s.t........IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox_for_list_ctrls

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 32 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	346
Entropy (8bit):	6.892395338954852
Encrypted:	false
SSDEEP:
MD5:	4DBD57A273392FB72294A9EB5ED63142
SHA1:	B593AD44A704523BF5FF62E6E2B9D07A1C514C02
SHA-256:	8610153731CD0F8DC40F4E686C73770F0696D80EB7B32E25168EB5EA97CC5A4B
SHA-512:	24010C7D7B467DB66AC44D5269C01612C191C124646C9136F841DFD822BC660133FC404B8FE03813231E292B18C107270EF494735E6CF768663B41CF9FAEDF9B
Malicious:	false
Preview:	.PNG........IHDR... .........w.}Y....bKGD..............pHYs.................tIME......).H......IDATH..=j.@...7.....Z..Ad.{[.._...dV#"X.....l.J.../ENu.p8.s...I)_.K...V../...e.. ..o...,..(.<.......w....q.....a.......K...u...L.DY.fw I..,.q..y&MSl.f...R..i6..5. ....(Bk.P.W...J]..}...l.F.4....R.!..8....gjb...{......,aK..[......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\cmdlinkarrow

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
SSDEEP:
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false
Preview:	..............(...6...........h...^......... .h.......(....... .........................................................................................................................................................wv....."""""o.."""""o..www""......"/.....""......"/......r.........................?...........................................?......(....... ..................................................."..... .". .6.-.9.;.<.;.D.3.,...4...9...O.,.Q.$.M.2.S.:.\.1.U.$._.1.F.G.I.A.`.@.w.q...\|...q...{.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\completi

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	5.905156325236297
Encrypted:	false
SSDEEP:
MD5:	244DF84C545247A478BEF4A1BBC1399D
SHA1:	C69ED79145BB40BA18A92996B0A242585AFE315E
SHA-256:	520E5248975B3B8E6C5D574D57080F901C88FE59D4DFF6A89FAB524FB51FE606
SHA-512:	BB2739344B369E5FCCB72B8762E30C38A2AC8EC949BDC8CB56619F526E3954ED5AE159D6BE4BAC2E0C10C4BC2F14820102A2D409AD17BB5A9BBD77E34441CF69
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`...................................r?..uA..yF..~J..~M..uL..yL..}S..gE .jJ'.{S$.qfZ.~vl..L...N...P...U...Q...T...Y...Z...V...Y...S...[...Y...\...g...`...f...q...j...s...s...j...q...v...x...z...{...\#..]"..])..a)..e$..k$..j#..f+..m,..q"..e>..h8..f1..i3..o3..m;..q6..n%..v$..u"..{"..w...v).../..y$..z4..oN..qJ..uF..z^..zS..\|G...R..tg..yf...m.......&...1...=...2...<...;...:.....+..-..3..3..;..;...I...I...G...I...R...S...R...[..._...[...Z...a...k...w...x...\|...~...d...c...i...`...m...b...a...d...d...j...l...k...s...v...z..G..A..[..F..H..U..Q..[..\..L..X...e..i..d..i..r..v..s..\|..{..z..x..h..u...i...x.....++..;;..BB..TT..cc..uu.................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\custicon

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 5 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	21086
Entropy (8bit):	6.009410626000926
Encrypted:	false
SSDEEP:
MD5:	4E1EDBE834AAF76D9D1DAEC3DC08947E
SHA1:	218AD194CB40DF778EAFAEDA68F8A44BE25B94C1
SHA-256:	E5F4F6B5E24D6F7E2605ADD8E247DC0326F00C26725D315679C1C6FCE8A90C97
SHA-512:	4CF41E7080DF1E8606FBACC3B2F87C9416ED43FA55A2D938A1149124253486084B679BC7992CE8494DD0E22B91CD5AAA1FDD19800F5DE4F73B64A0A2BA3FCC84
Malicious:	false
Preview:	......00..........V... ..............00.... ..%...... .... .....N=........ .h....M..(...0...`...................................r?..uA..yF..~J..~M..uL..yL..}S..gE .jJ'.{S$.qfZ.~vl..L...N...P...U...Q...T...Y...Z...V...Y...S...[...Y...\...g...`...f...q...j...s...s...j...q...v...x...z...{...\#..]"..])..a)..e$..k$..j#..f+..m,..q"..e>..h8..f1..i3..o3..m;..q6..n%..v$..u"..{"..w...v).../..y$..z4..oN..qJ..uF..z^..zS..\|G...R..tg..yf...m.......&...1...=...2...<...;...:.....+..-..3..3..;..;...I...I...G...I...R...S...R...[..._...[...Z...a...k...w...x...\|...~...d...c...i...`...m...b...a...d...d...j...l...k...s...v...z..G..A..[..F..H..U..Q..[..\..L..X...e..i..d..i..r..v..s..\|..{..z..x..h..u...i...x.....++..;;..BB..TT..cc..uu.................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\exclamic

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 50 x 69, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	894
Entropy (8bit):	7.672619527214037
Encrypted:	false
SSDEEP:
MD5:	6E3CD37F71C99AFCE26784D2B7942591
SHA1:	68480C861CC0EFFB99EE8F9F98ED5B930FDD7C65
SHA-256:	05C27D934BDD94DFFD3AC6E315931E3B067CADB6D72F3CA688D0066444BCB5B0
SHA-512:	B6E4F784B10103B8D8401C6AED6E25967DD003CBEF30FE23F063D15BB8B1A8B235C9C61A00A5B6435EF5808CAC64BC5C14620D973C10B1208B034A6668063774
Malicious:	false
Preview:	.PNG........IHDR...2...E.............tEXtSoftware.Adobe ImageReadyq.e<... IDATx.._.TQ..gg...C..Ec...,...}Z....b3...l..K=.2)..D..cYJ.L6.d.".V.....{.{9....sf....a..s.=.{~.....g.F..J8.#E.h.-.E.H..."...E...g...`......gA...H...'8.......!.13..$.{.cs...../8.~.....}...g.......l..Y....~..fG...).....NdP..#M.m....7..d.MB..a...G.$r..{j..,.... .....k....-"Bj..)8h..\|`.l7E.......K.N...$'.!..Bj..<0K....fIv...3..9.-Pr.%M.23..N.... x...h........y0........6;..nY.....Q)b..'.G.Q...A..T...C...:...6......T!..&.xr..m.>J.e...5..\N.V.>...`...D$.=.k...bGl......H..R[.z.#B.....r...RQ.........$-.1./.rL.....M.F,)......?v.k%..2...G.....K..2...,a2..lr...$..:.)...?.q_.F. .+.J..R'\....y02f..l%..aH..K..5S...../...v.DT.. ..7.1..~)..z...d..#..d.A..."O.......>.M..<.....H.s.\...........m...Ev..".y"..^1..._..@.IbP.0..S.4....;.....;..."ZD.h.-.E...."ZD.h.-.EzK....&n..F..z....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_left.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.0906995026238215
Encrypted:	false
SSDEEP:
MD5:	1FB3755FE9676FCA35B8D3C6A8E80B45
SHA1:	7C60375472C2757650AFBE045C1C97059CA66884
SHA-256:	384EBD5800BECADF3BD9014686E6CC09344F75CE426E966D788EB5473B28AA21
SHA-512:	DEE9DB50320A27DE65581C20D9E6CF429921EBEE9D4E1190C044CC6063D217CA89F5667DC0D93FAF7DCC2D931FE4E85C025C6F71C1651CBD2D12A43F915932C3
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.0906995026238215
Encrypted:	false
SSDEEP:
MD5:	821930553EF406B0C82D9420D3351C78
SHA1:	8511C65F0048F8F30797A13B3D7D8264C314CBD4
SHA-256:	D5E9F3533CB7D727611AAFAA5AF22FA07EFEAEC0391A011ECF9803BED867DE7A
SHA-512:	9D55BB01E40BB411321E60FBB1E60748A7243392456030D81F853448AF0AF75E27EF87455AD1EEBF96AF754E803AABD1A82F0653DEDA52832769F5B74171D9CF
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_mid.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.8512984188581219
Encrypted:	false
SSDEEP:
MD5:	71FA2730C42AE45C8B373053CC504731
SHA1:	EF523FC56F6566FBC41C7D51D29943E6BE976D5E
SHA-256:	205209FACDEBF400319DBCB1020F0545D7564B9415C47497528593E344795AFD
SHA-512:	EA4415619720CC1D9FB1BB89A14903BFD1471B89F9C4847DF4839084AAE573D49B4969D3799AD30FF25B71F6E31F8D9F30701E1240D3CD6A063819C04873F21F
Malicious:	false
Preview:	BMB.......6...(.......................................ggggggggg...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_mid_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.8512984188581219
Encrypted:	false
SSDEEP:
MD5:	71FA2730C42AE45C8B373053CC504731
SHA1:	EF523FC56F6566FBC41C7D51D29943E6BE976D5E
SHA-256:	205209FACDEBF400319DBCB1020F0545D7564B9415C47497528593E344795AFD
SHA-512:	EA4415619720CC1D9FB1BB89A14903BFD1471B89F9C4847DF4839084AAE573D49B4969D3799AD30FF25B71F6E31F8D9F30701E1240D3CD6A063819C04873F21F
Malicious:	false
Preview:	BMB.......6...(.......................................ggggggggg...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_right.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.0906995026238215
Encrypted:	false
SSDEEP:
MD5:	1FB3755FE9676FCA35B8D3C6A8E80B45
SHA1:	7C60375472C2757650AFBE045C1C97059CA66884
SHA-256:	384EBD5800BECADF3BD9014686E6CC09344F75CE426E966D788EB5473B28AA21
SHA-512:	DEE9DB50320A27DE65581C20D9E6CF429921EBEE9D4E1190C044CC6063D217CA89F5667DC0D93FAF7DCC2D931FE4E85C025C6F71C1651CBD2D12A43F915932C3
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, resolution 2835 x 2835 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	2.0906995026238215
Encrypted:	false
SSDEEP:
MD5:	1FB3755FE9676FCA35B8D3C6A8E80B45
SHA1:	7C60375472C2757650AFBE045C1C97059CA66884
SHA-256:	384EBD5800BECADF3BD9014686E6CC09344F75CE426E966D788EB5473B28AA21
SHA-512:	DEE9DB50320A27DE65581C20D9E6CF429921EBEE9D4E1190C044CC6063D217CA89F5667DC0D93FAF7DCC2D931FE4E85C025C6F71C1651CBD2D12A43F915932C3
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_caption_datGray.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 38 x 24, image size 152, resolution 3778 x 3778 px/m, cbSize 206, bits offset 54
Category:	dropped
Size (bytes):	206
Entropy (8bit):	1.496156669484015
Encrypted:	false
SSDEEP:
MD5:	6CD9ED7185A7378D8A34614EECC1B33A
SHA1:	D92D56B3E2D982683497DD686A0CF22E60DA5E73
SHA-256:	F55D19199AB2412FE28DBFB68361B2EF7F33046A90CCBEA42B145330D7E21792
SHA-512:	DF041961C6C6862F93E65A32C7F4E991833469A16258938C46E4BE8D320090E799248AE034299494B357769C47CDE21DF5B507C801606E011998565CA3E8806D
Malicious:	false
Preview:	BM........6...(.......&...............................999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_caption_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 38 x 24, image size 152, resolution 3778 x 3778 px/m, cbSize 206, bits offset 54
Category:	dropped
Size (bytes):	206
Entropy (8bit):	1.496156669484015
Encrypted:	false
SSDEEP:
MD5:	6CD9ED7185A7378D8A34614EECC1B33A
SHA1:	D92D56B3E2D982683497DD686A0CF22E60DA5E73
SHA-256:	F55D19199AB2412FE28DBFB68361B2EF7F33046A90CCBEA42B145330D7E21792
SHA-512:	DF041961C6C6862F93E65A32C7F4E991833469A16258938C46E4BE8D320090E799248AE034299494B357769C47CDE21DF5B507C801606E011998565CA3E8806D
Malicious:	false
Preview:	BM........6...(.......&...............................999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.999.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_left.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 3779 x 3779 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.9556257941285895
Encrypted:	false
SSDEEP:
MD5:	30384472AE83FF8A7336B987292D8349
SHA1:	85D3E6CFFE47F5A0A4E1A87AC9DA729537783CD0
SHA-256:	F545EC56BC9B690A6B952471669A8316E18274D64E2EBC9E365FCF44363A125A
SHA-512:	7611F930A0A1089CC5004203EC128C916F0C2AEDAE3A6FCC2EAFFA8CD004DCBF154714E401947921A06896CA77C77DAEC7F9BDA82369AACD3BB666F8A0331963
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 3778 x 3778 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.9556257941285895
Encrypted:	false
SSDEEP:
MD5:	4B84F29FBCE81AAB5AF97A311D0E51E2
SHA1:	60723CF4B91C139661DB5ECB0964DECA1FC196EA
SHA-256:	C93BE5A7C979C534274FC1A965D26C126EFA5D58C14066B14937E5ABA3B9EB55
SHA-512:	775EADCCC44FDDBD1E0D4231BC90D222F0A9749199E1963449AD20285EA92941A5685CDC12C0CD8C0EF0A21E10BDACAF139E5C69CD5E402CC110679323C23DF1
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_right.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 3779 x 3779 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.9556257941285895
Encrypted:	false
SSDEEP:
MD5:	30384472AE83FF8A7336B987292D8349
SHA1:	85D3E6CFFE47F5A0A4E1A87AC9DA729537783CD0
SHA-256:	F545EC56BC9B690A6B952471669A8316E18274D64E2EBC9E365FCF44363A125A
SHA-512:	7611F930A0A1089CC5004203EC128C916F0C2AEDAE3A6FCC2EAFFA8CD004DCBF154714E401947921A06896CA77C77DAEC7F9BDA82369AACD3BB666F8A0331963
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 3 x 24, image size 12, resolution 3778 x 3778 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.9556257941285895
Encrypted:	false
SSDEEP:
MD5:	4B84F29FBCE81AAB5AF97A311D0E51E2
SHA1:	60723CF4B91C139661DB5ECB0964DECA1FC196EA
SHA-256:	C93BE5A7C979C534274FC1A965D26C126EFA5D58C14066B14937E5ABA3B9EB55
SHA-512:	775EADCCC44FDDBD1E0D4231BC90D222F0A9749199E1963449AD20285EA92941A5685CDC12C0CD8C0EF0A21E10BDACAF139E5C69CD5E402CC110679323C23DF1
Malicious:	false
Preview:	BMB.......6...(.......................................ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 3779 x 3779 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.6524014132011313
Encrypted:	false
SSDEEP:
MD5:	1966F4308086A013B8837DDDF88F67AD
SHA1:	1B66C1B1AD519CAD2A273E2E5B2CFD77B8E3A190
SHA-256:	17B5CD496D98DB14E7C9757E38892883C7B378407E1F136889A9921ABE040741
SHA-512:	EC50F92B77BCA5117A9A262BA1951E37D6139B838099E1546AB2716C7BAFB0FC542CE7F1993A19591C832384DF01B722D87BB5A6A010091FC880DE6E5CFA6C17
Malicious:	false
Preview:	BM........6...(...................d...................ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 3779 x 3779 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.6524014132011313
Encrypted:	false
SSDEEP:
MD5:	1966F4308086A013B8837DDDF88F67AD
SHA1:	1B66C1B1AD519CAD2A273E2E5B2CFD77B8E3A190
SHA-256:	17B5CD496D98DB14E7C9757E38892883C7B378407E1F136889A9921ABE040741
SHA-512:	EC50F92B77BCA5117A9A262BA1951E37D6139B838099E1546AB2716C7BAFB0FC542CE7F1993A19591C832384DF01B722D87BB5A6A010091FC880DE6E5CFA6C17
Malicious:	false
Preview:	BM........6...(...................d...................ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_mid.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 12, resolution 3778 x 3778 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.9556257941285895
Encrypted:	false
SSDEEP:
MD5:	4E0AC65606B6AACD85E11C470CEB4E54
SHA1:	3F321E3BBDE641B7733B806B9EF262243FB8AF3B
SHA-256:	1D59FE11B3F1951C104F279C1338FC307940268971D016EBE929A9998A5038EE
SHA-512:	7B28BCB4E76AF3B863A7C3390B6CD3316C4631434E1D1E2DF8D6E0EB9987A61A4F1A24DE59567394E346D45E332403A0817ED0B0B64D7A624DBE48E30DB9BB64
Malicious:	false
Preview:	BMB.......6...(.......................................ggggggggg...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_mid_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 3 x 1 x 24, image size 12, resolution 3778 x 3778 px/m, cbSize 66, bits offset 54
Category:	dropped
Size (bytes):	66
Entropy (8bit):	1.9556257941285895
Encrypted:	false
SSDEEP:
MD5:	4E0AC65606B6AACD85E11C470CEB4E54
SHA1:	3F321E3BBDE641B7733B806B9EF262243FB8AF3B
SHA-256:	1D59FE11B3F1951C104F279C1338FC307940268971D016EBE929A9998A5038EE
SHA-512:	7B28BCB4E76AF3B863A7C3390B6CD3316C4631434E1D1E2DF8D6E0EB9987A61A4F1A24DE59567394E346D45E332403A0817ED0B0B64D7A624DBE48E30DB9BB64
Malicious:	false
Preview:	BMB.......6...(.......................................ggggggggg...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_right.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 3779 x 3779 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.6524014132011313
Encrypted:	false
SSDEEP:
MD5:	1966F4308086A013B8837DDDF88F67AD
SHA1:	1B66C1B1AD519CAD2A273E2E5B2CFD77B8E3A190
SHA-256:	17B5CD496D98DB14E7C9757E38892883C7B378407E1F136889A9921ABE040741
SHA-512:	EC50F92B77BCA5117A9A262BA1951E37D6139B838099E1546AB2716C7BAFB0FC542CE7F1993A19591C832384DF01B722D87BB5A6A010091FC880DE6E5CFA6C17
Malicious:	false
Preview:	BM........6...(...................d...................ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_right_inactive.bmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 25 x 24, image size 100, resolution 3779 x 3779 px/m, cbSize 154, bits offset 54
Category:	dropped
Size (bytes):	154
Entropy (8bit):	1.6524014132011313
Encrypted:	false
SSDEEP:
MD5:	1966F4308086A013B8837DDDF88F67AD
SHA1:	1B66C1B1AD519CAD2A273E2E5B2CFD77B8E3A190
SHA-256:	17B5CD496D98DB14E7C9757E38892883C7B378407E1F136889A9921ABE040741
SHA-512:	EC50F92B77BCA5117A9A262BA1951E37D6139B838099E1546AB2716C7BAFB0FC542CE7F1993A19591C832384DF01B722D87BB5A6A010091FC880DE6E5CFA6C17
Malicious:	false
Preview:	BM........6...(...................d...................ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.ggg.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\info

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 50 x 69, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	7.7634420661257595
Encrypted:	false
SSDEEP:
MD5:	CCEA6A19293929C2E8744D36C79F8A4B
SHA1:	B352AD63F7956820B7CE4DE367C62E8ED0B91487
SHA-256:	C155D93A173E880A9CA4CAE1BE71CBED5DE3C6AAC84E05C734EE5898400B5296
SHA-512:	6A3043BE9BEC67A050F872B6031230602751CA60A3D1782E2B0E465002B6CE3AA399A106D861FDD3FC289E7CD3023A8DF56117992ED31B878D7DFB4BC8D089AE
Malicious:	false
Preview:	.PNG........IHDR...2...E.............tEXtSoftware.Adobe ImageReadyq.e<....IDATx.._HSq...I.r ..`%.\|2. ..A..I...HX..@....C/=.X/....EI..H.B1.!H....$>H.hVb.......ws.w..;..w.......,...J.._..'.....xB<!v.....V.....v.C,...:KL.3.Vf3D.......X...4E.C...RI...!F.+8$.L...'.O.$j.:".F...A.#~[.H..H....I..Q..V.H..Y{KD.j[V..!... :4..E..?......o...D.A...=...huJH/.......(BRM..;.L.BzG..C.N.....}..?.+...D.......R.4..bdZ...gkBg$.3.........-.!.9...f.r.!...f.V.h ^.=..me....m....Y..{ ..n......i.......Z.......n.n;.5O....}.k..K.....6.R._%.Om#0\|.@.+.A.w...IB.C8..2._{..{7.#.x..W\|..E..C=&....5..8.~9.......[..vFyN......K<.:l...M...1}......."!..w)$.k.EB..w.%..}w..M..?[....^r.F.O:."...2.]$$.}7.v..X.Nk........PB.f..9.}7...EU....g.Y..p..t..Kl4..s.!.1...>g..A:?.,J......v........$q...?.t....<....A.j:H..VP5.v..b.6....U.D..#.?(...e...R.b._@..Z....._.Ul..}f..}Ja..&L..3"..e...6_.}.U..b...;............A...L<....z....(3.9.Lb...2w.w...e......L.<.f..O..,..x....Q.&J.u.Qg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\installlogoicon

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 5 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	17630
Entropy (8bit):	5.501776622442267
Encrypted:	false
SSDEEP:
MD5:	488C247C4D7482E34D4576C44CEE79E0
SHA1:	92444B9622079CD8EB4C1D0C0E10E3E2DD8B4AD4
SHA-256:	EB276449EB326A407CE055001607F212FFCAEF01B5F849BB50A606BD9CD177A6
SHA-512:	E978672B01A2C5CD5C83DCBDC77CC80A60CA4A99283C30C7624E9DE49168BDD6686A5E6FDD913ED0A0E008D6D0D999129B3F25947A84DF7654ACD6C39906B6CA
Malicious:	false
Preview:	......00......h...V...00......................h...f...00.... ..%............ .h...v@..(...0...`.......................................................................................................................................p.......................0......................33.....................3333...................s33337..................333333p.......wwwwwwwww33333337........wwwwwwwss3333337p............ww#333333332............ws33333333330...........w333333333333p..........33333333333337..........;.............p.......................p........."""+......."""pp...........+...........pFffffffffff+.......f...pfffffffffff+.......fp..pfffffffffff+.......fp..pfffffffffff+.......fp..pfffffffffff(.......fp..pfffffffffff(.......fp..pfffffffffff(.......fp..pfffffffffff(.......fp..pfffffffffff/.......fp..p..fffffffffb"""""""fp..p...vffffffffffffffffp..px....fffffffffffffffp..pwx....ffffffffffffffp..pww.....fffffffffffffp..pwww.....ffffffffffffp..pwwww.....fffffffffffp..pwwwwx.....fffffff

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\insticon

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.2402145994884695
Encrypted:	false
SSDEEP:
MD5:	BFBE8F838AFC6156CF2362E81F713A52
SHA1:	73A87A86C6F039E7B9D2EED0BDF7E6B1D78029BE
SHA-256:	251099323513EA86DD5BC2C0BF8503AA364DB7B40B214C288FCC1A76A97B6D88
SHA-512:	CFFAAD785AF37E35D8825058F93939EBB3CCE18D5C7BDF2ACF0543D530BCD34A443ED6B9352D1F0DF90F41DFE118B03B8F92D63143521C87138D92F2F1D6F1EB
Malicious:	false
Preview:	......00......h...6...00..............00.... ..%..F...(...0...`.........................................................................................................................................................wwxwp..........xFg....wwx..............hffffgwwx..............vhffffffg...............fhffffff................fhfffffg................fhfffff.................fhfffff.................fhffffg.................fhffffo.................fhffffo.................fhffff..................fhffff.......x..........fhffff......ff..........fhffff......ff..........fhffff......vg..........fhffff.......x..........fhffff..................fhffff..................fhffffh.................fhff.fg.................fhff..f.................fhff..w.................fhff..w................fhff.w................fhfg....w...............fhfx.....x......p.......fhg.......x....v`.......fhgx.......wwfff`.......fhgx..........ff`.......fhfx..........ff`.......fhfw..........ff`.......fhgw..........vf`.......fh

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22880
Entropy (8bit):	6.918561676951138
Encrypted:	false
SSDEEP:
MD5:	BAAE9B06CF4BECC1F237CFE825423541
SHA1:	C1A63FB330CCA407A4B876CDB325D52C3A072051
SHA-256:	B9158B69D0B15EC8BD75D22494866F414A337AD738D76E6C6E0DC788D762E3D4
SHA-512:	0D8C62B8D493349CC74B101FF2378010022705D552FB50B7EC36A54924FBDB12A4A2F171E401807E6D3D95316817B2D632AE7D19515107F5DF17E489EE8F2F23
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Er9B$.jB$.jB$.j.V.kM$.jB$.jr$.j...kG$.j...kC$.j...jC$.jB$.jC$.j...kC$.jRichB$.j........PE..L...)..e.........."!...'............@........ ...............................`.......m....@E........................p".......$.......@..h...............`=...P..`....!..p............................................ ..X............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...h....@......................@..@.reloc..`....P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metrobuttonimage

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	404
Entropy (8bit):	6.090863946477903
Encrypted:	false
SSDEEP:
MD5:	17368FF7073A6C7C2949D9A8EB743729
SHA1:	D770CD409CF1A95908D26A51BE8C646CACE83E4C
SHA-256:	16E6E7662F3A204061C18090A64A8679F10BC408BE802ABD2C7C0E9FE865CBB4
SHA-512:	CBC3A378335F131D0146E5FE40CEA38A741A0754A26304DAEBFDA6F82C394CF0E151654782C6C8C7BBF7C354FCB72A2C66A77A87DF528C2A3FA87C88F204059D
Malicious:	false
Preview:	.PNG........IHDR...p...%.............bKGD.......C......pHYs.................tIME........z....!IDATx.....@..QJ00....\|..u......q.a..0..b .....{..O..rE.a....n.....).........M..0-....ca.\|.....U.q.<n.........u~b.W.d.....}......?^...&F....8.........@... ....p..............p...8.........@... .............. ....p...8.........@....8.........@... ....p....!.............Y.L..!..8...y...'.1./9....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metrobuttonimage.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metroinstallbutton.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1844
Entropy (8bit):	5.118899204184053
Encrypted:	false
SSDEEP:
MD5:	6F0634CFDE72142DBB19339F4E16E86B
SHA1:	F2968128419E991AD75747BAE3726693A819A8F5
SHA-256:	0A33AB5090939B16C5BED367CA7F99B297C215714BAA1CA1B5F649B48FDC6D0B
SHA-512:	B833E1F64EC38633FBAAFEE6B3623F69604311F2ED60A2286F9EFE4FBD04FB25776771E7C5863F7D6B687360160CF25711CA92FE38AD270ED27588CBDAA8E3D0
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnInstallBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnInstallForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnInstallBackgroundPointerOver]" Opacity="[AiWinUIBtnInstallBackgroundOpacityPointerOver]"/>.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnInstallBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnInstallForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnInstallBackgroundPressed]

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metroinstallbuttonDarkOrange.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 1020 x 54, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1519
Entropy (8bit):	6.347870265221127
Encrypted:	false
SSDEEP:
MD5:	193113F1D841AAFDDFC681554AE75421
SHA1:	4BBFE08AE9DA90D1AE20840F5FD9E69A43B1445F
SHA-256:	0BAACADF12FBB742C419D09E274DCC51D8C9E1C48343E34187E382F83482A95C
SHA-512:	E54A6CD87BB61D178DC7ABCAA8B089011D7E29A913B170494A1CE6446555FD8818B8B2BC58DED68413FB3C3B3F35AA5D3209683D2D6E1B9B2B4D637EA6542094
Malicious:	false
Preview:	.PNG........IHDR.......6.....z:......sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.Adobe ImageReadyq.e<...{iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:6EBEC062F13411E7AD82B3277BCFF957" xmpMM:DocumentID="xmp.did:A022AF4F3D7311E8AA66DEAC3D714B23" xmpMM:InstanceID="xmp.iid:A022AF4E3D7311E8AA66DEAC3D714B23" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:b1839a0d-ceae-ad4e-a85a-c206d569c72d" stRef:documentID="adobe:docid:photoshop:017f08e1-e985-8645-912a-21b91a5c4f40"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metrorunapplicationbutton

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3645
Entropy (8bit):	7.649902255679471
Encrypted:	false
SSDEEP:
MD5:	49AD8E9164FD6FACB8A8BFD6F62972B8
SHA1:	E23605DF242772A047D6D3543AAA72241066ABB9
SHA-256:	914A0241A557591DFDCF3ED1EF0E557CEB153F32C716C53D13342DC5318BBB79
SHA-512:	843359888242B97B12185954FE6F04BBE8ED14C71F101A79D4863CCDCA7D1B03B4E1F0C6CACF26F87A91C5EACB0D4571481BCA81A0C3DFD8ADD475310A6269F2
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME.........k.....IDATx...k.......FN...0h..&.lm)..X7...e..]mP.J...*V.5.$..S.....m$.5P..$.2[...(....'P..P..........lZ.....F...y...O`:.....xC..A..;"..B..mp....I....(Y....u.:oQ.^.v......@A..(..4.%.......@\|G.,..Qo..Q.]}....wow.....#p........7.. p........7.. p........7.. p........7.. p........7.. p.........'........n..@.........n..@.........n..@.........n..@.........n..@.........n..@............@............@............@............@............@............@.....n......@.....n......@.....n......@.....n......@.....n......@.....n............n............n............n............n...........:.....O.~.`.u9...I...^../.:o................\.}{.........8`T.X:)........./W..u.v..M.......4a%.x...O....N....N......M....Gk=VE....L..i...h{s....2g.......M..`Rf?......N.4%.....\|Q.$[.n.xVD......$c..........a....m.3cqs..4..v........E.6.2.;.....E{.}....i..i....s_.I..W..13w.7?....V...k.a~..a..S...k.O.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metrorunapplicationbutton.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	ASCII text, with very long lines (373), with CRLF line terminators
Category:	dropped
Size (bytes):	1280
Entropy (8bit):	5.449752594903355
Encrypted:	false
SSDEEP:
MD5:	22BD7066191663A7AC473C022992BA83
SHA1:	80EA48D654C38A778A40CC722C3DD5AFCF1E2AD4
SHA-256:	79CF8899E16F8AC8D2BB7280C109458130C9758083B265EDF4AA57B2AD2C86BA
SHA-512:	E497440F5170D4C6D35BB901B418F5D91E2F09875CFEA7D0427532DBDBFFC655018AA010ADE1A479AFC0307B42DB057AA0D654699A088AF6FFEC146E9C22C1AA
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnRunForegroundNormal]" Background="[AiWinUIBtnRunBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.. <PathIcon Margin="0,0,0,0" Width="68" Height="68" Data="m60.738 29.1a5.646 5.646 0 0 1 0 9.8l-44.796 25.992c-3.661 2.126-8.68-.303-8.68-4.9l0-51.983c0-4.597 5.02-7.026 8.68-4.9l44.796 25.992z" />.. </DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnRunForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnRunBackgroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBt

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\modify.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	8884
Entropy (8bit):	7.831871615099465
Encrypted:	false
SSDEEP:
MD5:	59DDBB21FC06434DBA06E9963062E494
SHA1:	7E0A46FE879D9CD67A89EA6DD5769527DE76B8DD
SHA-256:	3AFA4FC86F860411A841900FB4BA7666D70C025BE1EDF6320B36AB632C51BE81
SHA-512:	700D51934DDD20DD8FAE5BB0D247DD3A17C450CC0D8B7DE1B870112189C8E94F82C9B4993F239DB5E51C61D7E7EF8E3BAAC9D46D69E994B1533E7A68AFC6487A
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME.....3...... .IDATx...l.U...m#."$L...o.../.B\|...3?.......G..).....F..D..6..H.o.b.....}....]..Y.?jW......]....}n.......<..(.&<.\|o......)..~.9......wz.....\|i..............'#...f)}...................U.-"..........._.....<....X..6...]@.....,%;.p...RJ.....v=.N....z.....).v.<g.e......u...<o.s._I...8<D...... .M.I...^......C...?N.fM.ul)..F..4Y..+.![.W..@p...c...o.....:V..}.v...`^.W..8,...............qR...A..p.0."L.&.".YH^.6.4....+..0^.W..88D..V..x.EZ.Wk.M'y.;....-.D..x...........;E.s..w...}.\{............... ...~9m.\.B.z.6.m.`.d8..&\........g\|..f#../D.....m.._.W..@p..1..,.:lS1...@`.....p/.BN...ml.3.........M..."..m.4.........r.is..JtV.(F.......XN.g..Y..R.I...6.v\7@..+........X.e.x.O..<.....LFV".EJzQ../.O.....;...l.wUm...n.,FU..#k.....n..gJ.E..u.u.ne..f.........L....jW....n=o.)._.W..8...,.F..9...y.Wh.q....B.#;B.G[.WD7...!...<..*..'.k.M:.&...,4s.Y...g.I.{y_.......h.`...

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\modify.png.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	ASCII text, with very long lines (383), with CRLF line terminators
Category:	dropped
Size (bytes):	1416
Entropy (8bit):	5.259459132521691
Encrypted:	false
SSDEEP:
MD5:	0BB7D21BCB4565FF5FDF581B1DAA4219
SHA1:	152E568118137E04E626973975F43734FE816302
SHA-256:	3C4F55D5F3736CF3402A97B626E998AEEB25D7EB10BFC326A64602B71706119A
SHA-512:	56EFE54E5ED6BC01764139B8C736AAD328CC286FBFDD190D0999E053D13457AD982F8A0C6F97A0E5D0454E8F61C938C632ABF949101EC0A53C3EFFD42AC1BCA3
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnViewReadmeForegroundNormal]" Background="[AiWinUIBtnModifyBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.....<TextBlock x:Name="Ico" FontFamily="Courier New" VerticalAlignment="Bottom" FontSize="100" FontWeight="Bold" >.. <TextBlock.RenderTransform>.. <CompositeTransform TranslateY="25"/>.. </TextBlock.RenderTransform>.. <Run Text="±"/>.. </TextBlock>....</DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnModifyForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointe

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\nextcancelbuttons

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 624 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	404
Entropy (8bit):	6.095567249769711
Encrypted:	false
SSDEEP:
MD5:	583580E2C651F5C230FB3235B7CA0E3B
SHA1:	A9BD6AEEF43A6F4C0C00D1ECD98A585D7EB0AAA3
SHA-256:	65172283EE04F2FA18D0E57B21471BE2E68017D1F61816AAAA6BE070B446346F
SHA-512:	6C61E6C06C883113A7A0EFBD352120354C070F5C17D770B6B821C42CB9D9CA895992842B29B51BD3E569B0C95E93709DD7C1C2A26BCFF0AD425079F5302670CE
Malicious:	false
Preview:	.PNG........IHDR...p...%.............bKGD.......C......pHYs.................tIME........k.....!IDATx.....@..QJ00....\|..u......q.a..0..b .....{..O..rE.a....n.....).........M..0-....ca.\|.....U.q.<n.........u~b.W.d.....}......?^...&F....8.........@... ....p..............p...8.........@... .............. ....p...8.........@....8.........@... ....p....!.............Y.L..!..8...y...'.1./9....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\nextcancelbuttons.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.123149054536631
Encrypted:	false
SSDEEP:
MD5:	3DEC9F3886A7D180B1DA7A72541DBF81
SHA1:	07F3BA034BE78970A86D055DAED59BF7D87F8D21
SHA-256:	FB1C5DF8785650B20612B61A66ECBDA5E1ED323D6C8AC45B2EBCCBE9193779F8
SHA-512:	0250B81A2795FCAC69E3F2C95BDFF406F01FF207E81BEAD96B2739F28E26DD2D97D82CCCBFBD92B7141B1EABD2310DB048618FEF1CC5261FDFF212D19BB910BF
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnBackgroundPointerOver]" Opacity="[AiWinUIBtnBackgroundOpacityPointerOver]" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnBackgroundPressed]" Opacity="[AiWinUIBtnBackgroundOpacityPressed]"

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\optionslogoicon

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	14574
Entropy (8bit):	5.314402751771045
Encrypted:	false
SSDEEP:
MD5:	1791161295A8385E85B82A8C60B47A5C
SHA1:	8A715DA629DB0151D537E0E909E3C1141FCA6A23
SHA-256:	AFEF25522F3973F2BE6059B021C6AC62359A2FDEE782471EAC130394BD4F5B28
SHA-512:	B04D580240CBDE64B8F57ACA1BA7C0777988C8BDF6FCAAAEEB5142E3DAF9CF2E64A8DC2E4EE3A1BA69621330360B2548B1E46BD546D36187DF7803FA50052860
Malicious:	false
Preview:	......00..........6...00.... ..%............ .h....4..(...0...`...................................KKK._\U.[[[.lll.rrr.vvv.zzz.}}}..vW...[.....0..7..9..>...Y...U...X...Z...b...h...p...{...b...a...d...b..B..G..@..E..L..T..E..K..L..Q..V..[..Y..n..a..b..e..l..i...r...u...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\print.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 222 x 37, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	610
Entropy (8bit):	7.465246580945166
Encrypted:	false
SSDEEP:
MD5:	8AD92D3A3C118C9F608DD2A7801924FB
SHA1:	D722DB1BFC569781CE102074AE823B4B9B9592B5
SHA-256:	5C7B8366596A2CAAD9F804DA6D31B4124060B2FC6F12FFCD422621559E6E7AF1
SHA-512:	53A68DA00C894019B6056DFCA6F97BCECAB5C277AC3FB7B264A5D70C2492D65D18971D46F5477B2656D583174F552DAC44FA498ADC1C4CBC31263ADEAC3DDB6B
Malicious:	false
Preview:	.PNG........IHDR.......%.....-2Wm....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..Mn.0..C.;t.n...+....q.p(.U.=..u....).....O..V.e...Sf].5j..'=Q....W.`....}.._........?..C..Px.u0z...]'.l6\.B(zW{.....g....MKzGi.Z.k:.O.iR...<.cN.1Z.Z.2.[.....&..V.....S......o#.....i..Z....#O..f.e.b........wI5...&..Y.S.V...{.w.#.....Y....d.;.y.]x....q?.l...5...M.....).....G4".....5)zWk.B.OnG..g.5jR...<.8.....@.....d.N....I.;.4..:5S2...jR.<]k...`..@..@"B.....Zt....W..].y.E.45..+...&....;..?.~.Mhz.MC..X?.O..5.o.&<@....y....n5. !%..N.}w...a...w.....g.E....&...@.....P.3....\|...<..0..-.81i......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\print.png.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1711
Entropy (8bit):	5.099246065486414
Encrypted:	false
SSDEEP:
MD5:	134BD85D740996455BC747605B6AF1A2
SHA1:	C20F6329FAD2A43B60D14C0E3BFF29CE79AA6B01
SHA-256:	3D68FEC559563414476D6FE03EF16AA5E580969AA8C2AD81166343F38204A411
SHA-512:	449B542006A2F0E180AA6E07009C3F7FB8F1C6C67038E940A57CA063431C202BB23531396D97DC8110DBBBDAB121DF07C232B881B164D016F2CAB33D4627DB4E
Malicious:	false
Preview:	<Button.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:d="http://schemas.microsoft.com/expression/blend/2008".. xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006".. mc:Ignorable="d">.. <Button.ContentTemplate>.. <DataTemplate>.. <FontIcon Glyph="" FontSize="25" />.. </DataTemplate>.. </Button.ContentTemplate>.. <Button.Resources>.. <SolidColorBrush x:Key="ButtonBorderBrushPointerOver" Color="[AiWinUIBtnPrintBorderPointerOver]" />.. <SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnPrintForegroundPointerOver]" />.. <SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="Transparent" />.... <SolidColorBrush x:Key="ButtonBorderBrushPressed" Color="[AiWinUIBtnPrintBorderPressed]" />.. <SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnPrintForegroundPressed]" />.. <SolidColorBrush x:Key="ButtonBackgro

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\printico

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	6518
Entropy (8bit):	5.116636834496781
Encrypted:	false
SSDEEP:
MD5:	BDC280616F9670F41C57C16BF08E8387
SHA1:	48F574183BB500CD1808BAC20A25CFC82C05E482
SHA-256:	6E5C2E9E923569F943E9F8A86EE5023034B3DB1F6434118A0D95F429F90FFBE7
SHA-512:	EC3E5C0E6306773A3700889C2B19D6DD8EFF54F73C1BF3C7CF239807FA1B512DDE7E30D486FCD78130090125A21E2401EB0E8B7667C992863CF7FD52B11CA2C7
Malicious:	false
Preview:	...... ..........&... .... .........(... ...@...................................FEE.JJJ.MLL._UL.RQQ.ZZY.]]\.``_.uk^.}kZ.baa.mml.qhh.tkk.rnn.zoh.ypp.\|tt.~~}..q^..ta..wd..zn..{h..~l.......p...t...y...}...}...{...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\remove.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6437
Entropy (8bit):	7.730059270280445
Encrypted:	false
SSDEEP:
MD5:	897B1844BCA99F42FA3D527FF2091133
SHA1:	C66E509E0EBFA921CDB4E86EF76078FAD401EBEA
SHA-256:	3A05E6DECEA8E68C1946E82AB0F9197715D579B6B199F3A69BD958B7327D0BFE
SHA-512:	6AC18A51676D2E2E4A13523EF713D3AF927641FB0D7AC489C8BAE280FEDEE9E4D2A40A29D219CED354300D9D160DAEBF5C91693605CFE39ADEFDAA0FAC4EAEC9
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME........@......IDATx...yX.u..... ....b......c.e,sK...j.i..{.G..j....lT4W.g*...x4.I..%KC.T.,.y.`0,.......?3....~...\|..66W......>0..G..{..qo..gx..I:U.;.E.....B..\.....f...\|.p..-{Z...E\|...(..<....-\|..l\|D.T....m...yw.....p.....n...............P......7.....7...@.....(.....(...........p.....p.....n...............P......7...........P.....P......7...@.....@.....(.................p.....n.....n.........P.....P......7...@.....@.....(.....(...........p.....p.....n...............P......7.....7...@.....(.....(...........p.....p.....n.....n.........P.....P......7...@.....@.....(.................p.....n.....n.........P.....P......7.....7...@.....(.....(...........p.....p.....n...............P......7.....7...@.....(.....(.................p.p...nWX........U..........p..N....eE...$..x.y^u.z(zi..t.Q.T.5. ,....;...j...6a.:w.=..P.Fl......u.C]V.).^.....iA...;.#.v.d..+I.i.V]V.Q...A..g.......e_...w..t..l..F....)..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\remove.png.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	ASCII text, with very long lines (379), with CRLF line terminators
Category:	dropped
Size (bytes):	1403
Entropy (8bit):	5.471062774039721
Encrypted:	false
SSDEEP:
MD5:	09B52F0751DBFDAD9692E26CAFB502D4
SHA1:	CEA5CB8DE826B3E51365C79BAF7D98B98DF1C315
SHA-256:	1AFE980E62BEF1454DF195952E1B665D263F6E0BEF39077863B387AB0061688F
SHA-512:	87269A5C740A102C52C55EBECE0D76F54892EA9861EE1442B1941997DEE7496D390226B61E28F18808DD501C03F988E2B8B450EA6448D201481C3980C475DD52
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnRemoveForegroundNormal]" Background="[AiWinUIBtnRemoveBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.....<PathIcon Margin="5,0,0,5" Width="60" Height="60" Data="M4.83 4.83a3.753 3.753 0 0 1 5.306 0L30 24.694l19.863-19.863a3.753 3.753 0 1 1 5.306 5.306L35.307 30l19.863 19.863a3.753 3.753 0 0 1-5.306 5.306L30 35.307l-19.863 19.863a3.753 3.753 0 0 1-5.306-5.306L24.694 30 4.83 10.137a3.753 3.753 0 0 1 0-5.306z" />....</DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnRemoveForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color=

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\removico

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 5 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
Category:	dropped
Size (bytes):	21598
Entropy (8bit):	3.72201218194023
Encrypted:	false
SSDEEP:
MD5:	299AA97601873786E924B17223257D14
SHA1:	E2F7DBBD7B59D69F4499029E40D3C6F559B5F632
SHA-256:	DBA117A25F8AFE1A3AACA4AE830D7A6BA982FDA3D543FD438515AB788643E4AE
SHA-512:	15AF787E74D4AF5896B73979C81DE93B3DB97B407322A929061583EA9F77609D0DB61C54CF69A2A522F4D635A0931A804FE1EC036FEF5544E3101C520AAEEC1C
Malicious:	false
Preview:	......00......h...V...00.............. ..........f...00.... ..%...... .... ......C..(...0...`....................................................................................................................................................p.....................y.......................y..p....................y......................wy................p.....wy................p.....wy......................ww...p...........w......ww...p...................wy......................wy.............yp.......ww......................wwy..p........y..........ww..p...................ww............p..........wy......................ww..p...................wwy......................ww.........p............wwy.p....................ww......................wwy.p....p...............ww.wy...................wwy......................wy....p.................y.......................y............................p.................q.....p.......................w......................y.p..............q.....ww.w..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\repair.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	8947
Entropy (8bit):	7.826453111643436
Encrypted:	false
SSDEEP:
MD5:	CE23E801FACF4DC9980692913ECC5FB3
SHA1:	3EE1C26DF7EA641FB5E302E1617EBF689CA91B36
SHA-256:	A8856BD3783A5FC30504FD8AFCFABAA8295ECEFC0D91E5CDD00453F2137495D3
SHA-512:	A14345B93119B8AA51A72049454DE5D60A54CEF980CB84D0376B49418A2605AFCB3CCB9B91485EC4B64C1102E83EBF19342652138DB740352D6F65699FF73F42
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME......+;wY... .IDATx...{@Tu.......(J^..&IV$......E.RJW........c.n...cY.n...DK..i...RHP.T.DQ..\|.pq5/.03..y...V........e.9.!su^p{.A\|.F...<.....6@}.k...>.wfnx.....,......n.c...F.7.......;.7..@.....7...`....p/........\|.......p....4......7.....n...............@......p....4.....h......n...........7...@......p..........h......n>................@......p....4.....h......n...........7...@......p..........h......n....4......7...@.................@......p....4.....h......n...........7...@......p..........h......n....4......7...@.................@......p....4.....h......n...........7...@......p..........h......n....4......7...@.................@......p....4.....h......n...........7...@......p..........h......n....4......7...@......9....T.z~M.Q....U.....(I:u.O.Oe...,m.Wf^*.........i.=.>N..t,..C.N...Z..-..i.JJ.....4...T....D.....P...0.;Q..C'2t.d..~...L.\....{H...{....j.GZ.g.u...YOw...[G...~M.T....z..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\repair.png.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	ASCII text, with very long lines (584), with CRLF line terminators
Category:	dropped
Size (bytes):	1676
Entropy (8bit):	5.329204164329776
Encrypted:	false
SSDEEP:
MD5:	85676272B990DD8A7DE94D8C003235DF
SHA1:	9CE544231BAAB4FE263E976647CDDF28039A4811
SHA-256:	0191FF0112785B0FC6343DABF3AE268BABF28218771B068AC31D84C39F86BE43
SHA-512:	B8A2195BD09EFAA67A4DAA3E9F187B92B8342A31A42AF178D0928261030CB1A05D0024830055A298ABC759B911F8FD73A02247A229CDC7AA6785F114E5CD8E55
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnRepairForegroundNormal]" Background="[AiWinUIBtnRepairBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.....<PathIcon Margin="5,0,0,5" Width="64" Height="64" Data="F1 M10 9l8 8c2 2 2 5 0 7s-5 2-7 0L3 17C0 22 1 28 6 33s11 5 16 3l23 23c2 2 5 2 7 0s2-5 0-7l-23-23c2-5 1-12-3-16S15 7 10 9zM43 29c1-1 1-1 1-1 1-1 2-1 3 0 0 0 1 0 1 1 1 1 2 3 1 5 0 0 1 1 1 1 1 1 3 3 4 4 0 0 0 0 0 0 0 0 0 0 1 0l7-7 2-2c0 0 0-1 0-1-1-1-1-1-2-2-1-1-1-1-2-2 0 0 0 0-1 0 0 0-2 0-2 0l0 0c-2 0-2-1-2-2l0 0c0 0 0-1 0-1 0 0 0-1-1-1-2-2-5-5-7-7-1-1-2-2-4-3-3-2-6-2-10-2-2 0-3 1-5 1-1 0-1 2 0 2 2 0 3 1 5 1 3 2 5 5 5 8 0 2-1 3-1 5l-2 2-6 5c-5 5-16 15-22 20-1 1-2 3-2 5 0 3 2 5 5 5 2 0 3-1 5-2 5-5 15-16 20-21l5-5

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\repairic

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 4 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	19942
Entropy (8bit):	6.307028314098947
Encrypted:	false
SSDEEP:
MD5:	2ED3D45BC22B79DB09136513AED402DD
SHA1:	8B2324CBFF902B85E349D61E46D9F88170B6BEDE
SHA-256:	4A8FA6335720D3E4F464AF244364923E741605B8AD3E1E28411F494E95EC11E4
SHA-512:	3AE91AE1FF3F460D5677C1AE636C0A0E5525AD2B88DE635FC57D48B5FE78747D3B7DD7683597DA9AC344F1E8884B10124C8DC3DE54E1581921AAC8734F3947F3
Malicious:	false
Preview:	......00..........F... ..............00.... ..%...... .... .....>=..(...0...`...................................r?..uA..yF..~J..yL..}S..hG#.{S$.OOO.QQQ.ZWQ.\\].b]R.ca].qgR.qfZ.^_`.abb.njb.mml.snc.~vl.uus.}}}..L...N...P...U...Q...T...Y...Z...V...Y...S...[...Y...\...g...`...f...j...s...s...j...q...v...z...{...\#..]"..])..a)..i%..e>..h8..f1..i3..o3..m;..q6..n%..w#..y$..z4..oN..sG..yF..xR..z^..zS..\|G...R..tg..yf...m..~z.......&...;...9.....+..-..3..3..;..;...X...I...I...G...L...R...S...V...R...[..._...[...Z...i...a...k...w...~...x...\|...~...e...`...m...b...a...d...d...j...l...k...y...v...v...}...}..G..A..[..F..H..Q..[..[..\..L..X...e..i..e..g..u..z..s..r..s..{..z..h..u...i...a...x...t...{.................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\runapplicationbutton

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 432 x 72, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18599
Entropy (8bit):	7.975539117303291
Encrypted:	false
SSDEEP:
MD5:	F5A120B564FC7823D1C269B7A6E70473
SHA1:	1B85466C12F83B7872214F787390614DF50EADDB
SHA-256:	C178ED81DE4AA8B049EFCF0670C10CF2043A51C6BE1144EE95D09C1C2AFD6087
SHA-512:	96D285759F8A8C5D17D7CAC4EF224995DFA09554A3687C7F34E63651888C98A9C60095CD1A71C82030781FF6E7D58B7D49068BD9F53126FF7B775579D3368ACE
Malicious:	false
Preview:	.PNG........IHDR.......H.............tEXtSoftware.Adobe ImageReadyq.e<..HIIDATx..}.`T.....L..B.!..( ".V..j)j.g....^-O[......w..Z..k....^Q.P+...o!!...d....?...77..@2.Ir...L.$s8......X.d..k...p..5...U...\..].t...\|>$.M>.Vy.6$.!......]C..C>7M......c...1......F.qP\...cR./.........A).]6.....KC.......`.R>.RQ.......~}H...?.`..+q...x.A.WH.qx..l\V_.gU......6/.l.-.D..;.;.-.D.-.\|....\|......O.........l5>x.._.....tO..p...3!]......3.\.4._?...V.X..).D...X..0aB.~....#...`..?.}.OH.. ..#.l..t.?>...A.....\...{M>.....g.s......<{.o....\|.b..HmH>C.5$.#...x.........j.?.%.\|..Q...."Q#h..2?d...........=...v...6~.7.......~.h.D@}).o.~m...)....=k...~..sF..f.9.......%.R.D.....ES.IX.A.. ..M.:.o.}...rB.....o.$...../.~.=.E....v..?q..]?..(a.e...~...u..3N.I..a...a.a..[....5....p.....M...z....\<..(.....N.:L.7+..._.......ll..'.0a..'.\|..}-Z..rH:,=....wr.`.?/.}.1..@......6.=..U.?.$...3.C..2..<w.W..9...`G...;k.....e7..y..Ai....._.9.,....Q..0L8*..F...Yi..>.w...z..?..s.M>h`s/<.R4..

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_down.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	273
Entropy (8bit):	6.777618611700067
Encrypted:	false
SSDEEP:
MD5:	F6A5E71E9CBE8D3654A2CDF91AAE98FA
SHA1:	8871A1AE25CFF6C5A3E6288A58FC5F4D7A92409D
SHA-256:	4801D63BD9BDC6279765BA785B0DA9E10730764A9C3645934A46C691547C0612
SHA-512:	1B3146DFDEF9C46123F27FA355790036F296D600BB10FBAD12363C71C8E3A840863512F4A581DAA18FFABB3EC5A3720A6337C4BAC54BE8B9B49D161B9459A1C9
Malicious:	false
Preview:	.PNG........IHDR..............T<.....pHYs.................tIME.....7,..:g....IDATH...;..1........bZ...x./.....s..).S.j..yHPH .~B>.$..t..a..`..4...3F4.....SJ'f^d..1... .0....y....a...6..=\|..b..o1.2s2....D.)......W.9W..........q..4...?...oph....k/S....T....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_hot.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	276
Entropy (8bit):	6.805669474753
Encrypted:	false
SSDEEP:
MD5:	17242D201D004BB34449AAB0428D2DF1
SHA1:	77A332C6A6C4BFC47A2120203CFEABB8A2268A6B
SHA-256:	15405855866FA2B7C60AFBC8BA720AAE8F2BA7FB60BFA641DC9D10361E56F033
SHA-512:	605A97E2614C664417D53263BE21C67B1504A46EE61B92B0A84AC18A7BAAB05EB56B72D4CF27372AE6C157928080BA16E24081E95458EB122BA18F3722C2D21F
Malicious:	false
Preview:	.PNG........IHDR..............T<.....pHYs.................tIME.....8.u.6.....IDATH......1.........B....eX.-x..R.g...r..z[.u.<$($..?!.y..t...L.p..`...#...v...)...-2.Y.A....m..f^..".@.h.m..k.?..X....03b.se.d,.4. ...`..>..Yk...S."4.Z<...W...........?....T'...e....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_inactive.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	225
Entropy (8bit):	6.103157225599965
Encrypted:	false
SSDEEP:
MD5:	8BA33E929EB0C016036968B6F137C5FA
SHA1:	B563D786BDDD6F1C30924DA25B71891696346E15
SHA-256:	BBCAC1632131B21D40C80FF9E14156D36366D2E7BB05EED584E9D448497152D5
SHA-512:	BA3A70757BD0DB308E689A56E2F359C4356C5A7DD9E2831F4162EA04381D4BBDBEF6335D97A2C55F588C7172E1C2EBF7A3BD481D30871F05E61EEA17246A958E
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.....28.......nIDATH.c`...`..8.H."??...b.6mb.%..,.b].q.F8....8.....?2..z..[BS.`...........~...Rl>.....'.R...../I.`........f.W......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_normal.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	225
Entropy (8bit):	6.103157225599965
Encrypted:	false
SSDEEP:
MD5:	8BA33E929EB0C016036968B6F137C5FA
SHA1:	B563D786BDDD6F1C30924DA25B71891696346E15
SHA-256:	BBCAC1632131B21D40C80FF9E14156D36366D2E7BB05EED584E9D448497152D5
SHA-512:	BA3A70757BD0DB308E689A56E2F359C4356C5A7DD9E2831F4162EA04381D4BBDBEF6335D97A2C55F588C7172E1C2EBF7A3BD481D30871F05E61EEA17246A958E
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.....28.......nIDATH.c`...`..8.H."??...b.6mb.%..,.b].q.F8....8.....?2..z..[BS.`...........~...Rl>.....'.R...../I.`........f.W......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_down.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	205
Entropy (8bit):	6.203914585440075
Encrypted:	false
SSDEEP:
MD5:	5E947815D865ACF099FA753283E09179
SHA1:	7D98046D20A73439C53044E0EBB5F0B34AFAEEA9
SHA-256:	C1D0663131FE901D890CDD9F18AF8F9A553BEE4848CBD978F5122E8383B5534B
SHA-512:	B22E31C37D84128B271C5E5A70FDCE90A3BBC02059D1BD032841B3383DBEECA56EC9ABE6335453ABC8DED1DE84E6FCAFB648D76D4DCC79246339E9A5EB6D5270
Malicious:	false
Preview:	.PNG........IHDR..............T<.....pHYs.................tIME.....7.... ...lIDATH.c......:......2'yFzX....&.:.Q.G-..p..Q..T[........{..u,TVVf.y3.z......DYx..].___F...X.FS...BFz7..2....L......IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_hot.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	180
Entropy (8bit):	5.937625901388681
Encrypted:	false
SSDEEP:
MD5:	1A883668B735248518BFC4EEFD248113
SHA1:	1112803A0558A1AD049D1CAC6B8A9D626B582606
SHA-256:	BCBB601DAA5A139419F3CD0F6084615574C41B837426EBFF561B7846DFEC038E
SHA-512:	D321878ED517544C815FD0236BDFF6FCB6DA5C5C3658338AFBA646F1D8F2E246C6C880D4F592FF574A18F9EFDF160E5772BBF876FB207C8FD25C1F9DD9DDFD04
Malicious:	false
Preview:	.PNG........IHDR..............T<.....pHYs.................tIME.....7.qD.....SIDATH.c......:........N1zX....WL.t....Z8j....A.Y.U....W......Q.Bb....Q.G-$.0.!.....V.=d.....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_inactive.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	175
Entropy (8bit):	5.599077557708541
Encrypted:	false
SSDEEP:
MD5:	A2C4802002BB61994FAABDA60334A695
SHA1:	0A2B6B0CEB09425080C5BA4B9CBDEF533CF69EBA
SHA-256:	A3B59DBC5A39D551455FF838E71B5820560CA3484C6411B9D69DF33D8113619C
SHA-512:	34E130EDC650C3DE6020F2D2B5DC1404B7AEE0105EB7E315C15C5AA61398D174377E9B6A2AECC55F79F54C04812B8745C6739A201539E291538979E6B024DA31
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME.....03.q.I...<IDATH.....0..A..K0-K.....Q..~.......PROMU..AI..c........[.....(.e....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_normal.png

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	238
Entropy (8bit):	6.297913308756489
Encrypted:	false
SSDEEP:
MD5:	516172D0EBF941237CEF32FCEE8CDF43
SHA1:	6BEE117996C16C7413BE876DFC15978D14813091
SHA-256:	56E64EAF6349ECE08005E6F7299DE413ED00112D53518215D90690BE2B2A4F1A
SHA-512:	46477A58AA7E9EEAE29E1C1D826BF045422709B7C8F428985C617B366012C58121D4404523A75EFE77FC6D8E061A6BB209743D0A2AF81545898F51C8855728EC
Malicious:	false
Preview:	.PNG........IHDR..............T<.....bKGD.......C......pHYs.................tIME...../...8{...{IDATH..K.. .E........p/."..A.................w...3o...a~..Y...C.j..fv".f.>...U...Wkm..;.... ..SJ.C..$...H..~.OD2......3(.W.d..w....IEND.B`.

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\viewreadmebutton

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PNG image data, 732 x 163, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2310
Entropy (8bit):	7.214154490236292
Encrypted:	false
SSDEEP:
MD5:	C288A7A350A1A5A5EEE9ADA36CB6011C
SHA1:	D1174E488D08DC4AB9BBA3FD7653724D5553898F
SHA-256:	030E5BB7B7FFF395C38433516CF96988939CB794D9D62D550D7EAB9CEF7D2B2E
SHA-512:	DC7F9486699B4EB4B8295590112B540ED619C2B956948EEC3B72FE86226740F43392DD1898D5F27D553E775351C527AC316F4606389B92BEDFC996845649A859
Malicious:	false
Preview:	.PNG........IHDR..............B.T....bKGD..............pHYs.................tIME......3........IDATx..._h.......j..j.[.v..`em.+.c....a.....U..1.Z..!a.k{#.z..."[..FfC.n...j........x..w.1''.'5.z..~>7.....\|....{...S..F. .::..<.-.......LKi....3..y...3..MV.....@..7.-..;.Y......4.w4....._..hd.z^.o.o/r6...q.n......@.....n......@.....n......@.....n......@.....n......@.....n......@.v...@............@............@............@............@............@............@.....n......@.....n......@.....n......@.....n......@.....n......@.....n............n............n............n............n............n............n..@.........n..@.........n..@.........n..@.........n..@.........n..@......h}.[V...M;..ZI.S.....w7.<.h%...=.uu.o]..X.v<!C.....l}.>..n{....,k.y,.;...t....3..o..X.[..p..@....$..sNH^[....gO.r.........yl.:..qo.......V.].$...Dl_......W...OJ.....x..Dl}..........#""z..cgW{,n+............c._.K..u.k.o.o.Sou.H};j.q..m}n.}..n.j.{..s.X}.s...#.yC....?....../..\J.{..x

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\viewreadmebutton.xaml

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	ASCII text, with very long lines (387), with CRLF line terminators
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	5.309056977458643
Encrypted:	false
SSDEEP:
MD5:	5480AF870DB76DBE15D1D1B0C6EC6550
SHA1:	6240E8A285903506484420667E87752B9AFB35FE
SHA-256:	4D2180ED426F960CF8968FBA251DA9D1D7BD76F4D5A3C2339EAEA28FC764B76A
SHA-512:	1174C8CF80B8C15DB61E79565C3A58B2768793D0586BAA5968754C44B9E8AFFCEEE37C22BD7B5859CDA65C22705713B5747625C6B7A9E758270FF2BA60F4F036
Malicious:	false
Preview:	<Button xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" Foreground="[AiWinUIBtnViewReadmeForegroundNormal]" Background="[AiWinUIBtnViewReadmeBackgroundNormal]" Width="253" Height="879" HorizontalContentAlignment="Left" VerticalContentAlignment="Bottom" Margin="61,32,0,0" VerticalAlignment="Top" Padding="0,0,0,0">...<Button.ContentTemplate>....<DataTemplate>.. <FontIcon Glyph="" FontSize="70" Margin="5,0,0,0" />.. </DataTemplate>...</Button.ContentTemplate>...<Button.Resources>....<ResourceDictionary>.....<SolidColorBrush x:Key="ButtonForegroundPointerOver" Color="[AiWinUIBtnViewReadmeForegroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPointerOver" Color="[AiWinUIBtnViewReadmeBackgroundPointerOver]"/>.....<SolidColorBrush x:Key="ButtonForegroundPressed" Color="[AiWinUIBtnViewReadmeForegroundPressed]"/>.....<SolidColorBrush x:Key="ButtonBackgroundPressed" Color="[AiWinUIBtnV

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\waitlogoicon

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 8 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	13430
Entropy (8bit):	4.460762662440214
Encrypted:	false
SSDEEP:
MD5:	3446EB64A3A4639003C0F6941A3254C6
SHA1:	D51159EE40B02A5EDB9B115E78CC132D6E35E00B
SHA-256:	CEA275DBB399BB7BDBB747511CF0316C699221D82EA075D65E4F5688B5EB4831
SHA-512:	2E019E66BB2EE3055CE3D066CAE2494B2E7EBCB500D4D4F71D0955D3D11F91371977BE94DB453A2CF43680A9E46ECDF2A53CBFE106A744D27B60AB944C753027
Malicious:	false
Preview:	......00..........&...00.... ..%......(...0...`...................................1...3...9...?...@...B...C!..C#..E%..H&..I(..K"..K,..M,..P/..T-..S2..P1..V6..V7..Y1..X9..a:..O(.W. ._7!.]=!.Z<$.W3..d=$.b:).`<5.^A).`@$.cD.dD(.hA(.lC*.lD+.fH..hH,.qI..vR,.lL0.oH4.jN6.hE;.vM1.oP4.lP:.lR=.qR6.zQ4.\|S4.~U5.}Z5.pR8.sT8.pT<.wX<.qNA.pVA.\|V@.u[D.{]A.~\M.~`D.{`I.~bH.zaM..W6..c?..cF..fG..eH..fN..dL..jM..lJ..kL..eS..nQ..nY..sZ..rU..uT..rZ..wY..p]..yZ..{]..~^..va..wd..y`...b..{f..\|i...j...o...o...o...r...q...t...~...f...f...i...h...j...m...i...l...n...p...p...~...r...t...v...}...x...\|.......q...s...t...u...w...y...~...}...................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\whitebackground

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 400x300, components 3
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	0.9300953826985205
Encrypted:	false
SSDEEP:
MD5:	EB93C0ABAE8A7DE7AE6DC3755B12C802
SHA1:	5E288B9AD93663887681F577B8129DCD9B988062
SHA-256:	EDA260871BBA09273B71A165DC8B4F254B186046AB383722DC2D8803FA698725
SHA-512:	6B1A9C98A16DC19D417FE7B6DB6B4698036CACB6570816B063341F489B56CDC54769C07337488AA68FA8D9B39FDCCF04C7DFB4C8EBE536ACDF3FA7DE1464BC85
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................,...............K.....................................................................................?..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Payslip-9583.exe, Detection: malicious, Browse Filename: test.exe, Detection: malicious, Browse Filename: test.exe, Detection: malicious, Browse Filename: 2024.04.02#U4e1a#U52a1#U5bf9#U63a5#U66f4#U65b0.txt.msi, Detection: malicious, Browse Filename: troca.msi, Detection: malicious, Browse Filename: Epdf_information.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAB79.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIABD8.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIABF8.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAC28.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAC48.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAC78.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIACD7.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAD45.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIAD94.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIADC4.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB007.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB037.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB076.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	756576
Entropy (8bit):	6.616413524723048
Encrypted:	false
SSDEEP:
MD5:	D0C9613582605F3793FDAD7279DE428B
SHA1:	8B3E9FB67C7BEB20706544D360EE13C3AAD9C1D1
SHA-256:	8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
SHA-512:	3640A0F53730CAD7323473F99A2049833DB58EAED00F94B75B4A03B07CC8AF99C104A40B2E888307055A5C9740B5FEA4B394AA15BC78A3102088CC0770713EAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.1..lb..lb..lbRboc..lbRbic*.lbC.hc..lbC.oc..lbC.ic..lbRbhc..lbRbjc..lbRbmc..lb..mbD.lbq.ec..lbq.lc..lbq..b..lb...b..lbq.nc..lbRich..lb................PE..L......e.........."!...'............@.....................................................@A........................P...........,....................N..`=.......x..p...p...............................@...............x............................text............................... ..`.rdata..x...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiAA8C.tmp

Download File

Process:	C:\Users\user\Desktop\DiStem-0.9.10.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9440767387571976
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DiStem-0.9.10.exe
File size:	91'671'328 bytes
MD5:	b7ce9c421b63b546ed2ab4a85237347f
SHA1:	9628b349eb84055011555e1378f38923c5bff59d
SHA256:	34c2cb8faabda345e28fbd7d189da2d08d34209e30d39b355ec4e2ef44e59863
SHA512:	d39a52f7d1109e728627cf45b42c1d16da6223247db66f3a48199f28cc27e88248b8aad144a27ec8c91aca4e15191f086ea5e45feb0c91f1937dc5d1a9f51dae
SSDEEP:	1572864:GsPu5Z0z6GsPu5Z0z6tWXWKE4hZtteEUKXlCddAJ3tNNj32+79RxweJ18bzVgzpv:oXWK1fe1KVKq9h79Rxcgzpmlaf
TLSH:	BF182321355EC52AD56605F0662C9B6B901D7E390B71A4C7B3CCBE2F6BB00C71636E2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........^............$...L...$.......5w......5w......5w......$.......$.......$.......$................t..s....t........}......t.....

File Icon


Icon Hash:	1317467d3113160e

Static PE Info

General

Entrypoint:	0x60d030
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65EEE7F4 [Mon Mar 11 11:16:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	36aca8edddb161c588fcf5afdc1ad9fa

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/06/2023 02:00:00 26/06/2025 01:59:59
Subject Chain	CN=DiRoots Ltd, O=DiRoots Ltd, L=London, C=GB, SERIALNUMBER=06635537, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
Version:	3
Thumbprint MD5:	8A456453C02EFAA919CDD88887B37A67
Thumbprint SHA-1:	6C08592AC7B3DF4F3DBA8AB417EEDB1FC9D2D500
Thumbprint SHA-256:	18AD79D3EA06BD0D041F56DCC0514C8D6B2B4449E6D8E9DBD4DEC5FC5024ED0A
Serial:	0621C10DFBBF93B6BD8EEBE05D935B5D

Entrypoint Preview

Instruction
call 00007EFFE8BF9DCBh
jmp 00007EFFE8BF960Dh
push ebp
mov ebp, esp
and dword ptr [00750BACh], 00000000h
sub esp, 24h
or dword ptr [0074D020h], 01h
push 0000000Ah
call dword ptr [00699268h]
test eax, eax
je 00007EFFE8BF9942h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007EFFE8BF97D5h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007EFFE8BF97B5h
cmp eax, 00020660h
je 00007EFFE8BF97AEh
cmp eax, 00020670h
je 00007EFFE8BF97A7h
cmp eax, 00030650h
je 00007EFFE8BF97A0h
cmp eax, 00030660h
je 00007EFFE8BF9799h
cmp eax, 00030670h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34b628	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35b000	0x42f74	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x576a2c8	0x2858
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39e000	0x2d8dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ed460	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2ed500	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2beb60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x299000	0x320	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x348abc	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x297fda	0x298000	6e684fa8cde42842810707292e428b10	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x299000	0xb3882	0xb3a00	76e0b483ace20fa6b50e38a8dd3227c6	False	0.3272863930932498	data	5.071176270508628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34d000	0xcb80	0x3400	33c321ca4e864dbf1efeb50b97ecb65a	False	0.23482572115384615	data	4.4664544019125065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x35a000	0x70c	0x800	8a73025a89b71b30c5fb7128867cbb6d	False	0.4091796875	data	4.565181365998227	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x35b000	0x42f74	0x43000	5306176c85527f82f5ce4f915e8d4d08	False	0.1594675548041045	data	4.855786254113139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x39e000	0x2d8dc	0x2da00	965ee61f95d3643eebb27179ffce440d	False	0.47842465753424657	data	6.564426501337994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x35b940	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x35ba80	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x35c2a8	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x360b50	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x3615bc	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x361710	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x361f38	0x3674	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9729555236728837
RT_ICON	0x3655ac	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	English	United States	0.0776203714657518
RT_ICON	0x375dd4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	English	United States	0.14129664619744922
RT_ICON	0x379ffc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	English	United States	0.19315352697095436
RT_ICON	0x37c5a4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	English	United States	0.24648217636022515
RT_ICON	0x37d64c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	English	United States	0.3608156028368794
RT_DIALOG	0x37dab4	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x37db60	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x37dc2c	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x37dde0	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x37df18	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x37df64	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x37e198	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x37e31c	0x50	data	English	United States	0.7375
RT_STRING	0x37e36c	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x37e408	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x37e700	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x37ecc0	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x37f0f4	0x100	data	English	United States	0.5703125
RT_STRING	0x37f1f4	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x37f678	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x37f864	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x37f9f0	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x37fc08	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x38022c	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x38088c	0x396	data	English	United States	0.3867102396514161
RT_GROUP_ICON	0x380c24	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0x380c80	0x2e4	data	English	United States	0.4554054054054054
RT_HTML	0x380f64	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x38479c	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x385ab4	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x38e72c	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3951fc	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x3958a0	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3968ec	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x397ea0	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x399efc	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_HTML	0x39d58c	0x1d7	ASCII text, with CRLF line terminators	English	United States	0.6008492569002123
RT_MANIFEST	0x39d764	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, CloseHandle, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, LoadLibraryA, CreateFileW

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:33:57
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\DiStem-0.9.10.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DiStem-0.9.10.exe"
Imagebase:	0x930000
File size:	91'671'328 bytes
MD5 hash:	B7CE9C421B63B546ED2AB4A85237347F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:34:00
Start date:	16/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff76dd80000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:34:00
Start date:	16/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D4A075D37BC1D68A01BCA1EB71DE32A6 C
Imagebase:	0x340000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	1129
Total number of Limit Nodes:	56

Executed Functions

Function 00A849E0 Relevance: 49.8, APIs: 11, Strings: 17, Instructions: 819libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 00A84C20
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A84D0A
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 00A84E2F

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 00A84F36

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 00A85071
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 00A85152
LoadLibraryW.KERNEL32(shfolder.dll), ref: 00A851E2
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00A85222

Part of subcall function 00A78C10: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,00A852FB,?), ref: 00A78C2F
Part of subcall function 00A78C10: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00A78C45
Part of subcall function 00A78C10: FreeLibrary.KERNEL32(00000000), ref: 00A78C88

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00A85440
SHGetPathFromIDListW.SHELL32(?,?), ref: 00A854B9
SHGetMalloc.SHELL32(00000000), ref: 00A854D2

Strings

WindowsFolder, xrefs: 00A84DA3, 00A84DB8, 00A84DC2
System32Folder, xrefs: 00A84C7E, 00A84C93, 00A84C9D
ProgramFiles, xrefs: 00A85395
TempFolder, xrefs: 00A84F62
Shlwapi.dll, xrefs: 00A852F1
PROGRAMFILES, xrefs: 00A8541D
WindowsVolume, xrefs: 00A84EAF, 00A84EC4, 00A84ECE
ProgramW6432, xrefs: 00A84A74
ProgramFiles64Folder, xrefs: 00A84A18
SystemFolder, xrefs: 00A84B81, 00A84B96, 00A84BA0
shfolder.dll, xrefs: 00A851DD
AppDataFolder, xrefs: 00A853A7, 00A853E5
ProgramFilesFolder, xrefs: 00A85361
SHGetFolderPathW, xrefs: 00A8521C
Shell32.dll, xrefs: 00A8531D
SETUPEXEDIR, xrefs: 00A8501E
APPDATA, xrefs: 00A85437, 00A8543F

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2967964373-2261365735
Opcode ID: e0e402abbbb0d87cccc7194efc841486fea9c32b03c5af5b214abfb3693faa6b
Instruction ID: c8c2561f6f1e6fde4a60c67944693e9b47e530f5218d76eb50dfc4b4106a80a3
Opcode Fuzzy Hash: e0e402abbbb0d87cccc7194efc841486fea9c32b03c5af5b214abfb3693faa6b
Instruction Fuzzy Hash: A7620670A00619CBDB18EF24CC55BBEB7B6FF98314F5446A8D8169B291EB329E41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A88A70 Relevance: 36.4, APIs: 15, Strings: 5, Instructions: 1352libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

LoadLibraryExW.KERNEL32(00000000,00000000,00000001,00BAD246,00000000,00000000,00BAD246,00000000,?,?,00BAD246,000000FF), ref: 00A88C00

Strings

Full command line:, xrefs: 00A89268
Advinst_, xrefs: 00A895F5, 00A89607, 00A89611
Command line to pass to MSI:, xrefs: 00A8931B
" ====, xrefs: 00A88CFE
====== Starting logging of ", xrefs: 00A88CBA, 00A88CCC, 00A88CD6

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ====== Starting logging of "$" ====$Advinst_$Command line to pass to MSI:$Full command line:
API String ID: 3872204244-3828228616
Opcode ID: dfd73b22a7d6ebddfe000bb7f821bed456d1dde1a9ce6f843e0cc99ced9516bd
Instruction ID: 6f642b47402338a47affe5728073aea3dabccb2a3f8f22689af516ff41f96092
Opcode Fuzzy Hash: dfd73b22a7d6ebddfe000bb7f821bed456d1dde1a9ce6f843e0cc99ced9516bd
Instruction Fuzzy Hash: 75B2A071A006058BDB04EF68C859BAEB7B5FF88324F18416DE916AB3D2DF349D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB3260 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 493
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00AB32DB
GetLastError.KERNEL32 ref: 00AB32E5
GetUserNameW.ADVAPI32(?,?), ref: 00AB332D
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00AB3367
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00AB33B2
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,201B1858), ref: 00AB3598
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00AB371F
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00AB3768
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00AB37CA
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00AB3904

Strings

UserDomain, xrefs: 00AB3362, 00AB33AD
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00AB37E3
Software, xrefs: 00AB35B8

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Close$EnvironmentNameUserVariable$ErrorLast
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 938064350-4079418357
Opcode ID: dc9431bc0f7216c247add8e50bd9c30b12230b9440eaddaeb3d1655b4a79fee7
Instruction ID: cf87cc8facb91956b7650cad07c7c7e83d80a2269745ac16d8940137e35076ab
Opcode Fuzzy Hash: dc9431bc0f7216c247add8e50bd9c30b12230b9440eaddaeb3d1655b4a79fee7
Instruction Fuzzy Hash: FD226BB1D04248EBEF24DFA4C859BEEBBB4EF54304F208159E505B7291DB746A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A020 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A6A072
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00A6A07F
GetLastError.KERNEL32 ref: 00A6A089
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00A6A0AD
GetLastError.KERNEL32 ref: 00A6A0B7
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00A6A0DD
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A6A114
EqualSid.ADVAPI32(00000000,?), ref: 00A6A123
FreeSid.ADVAPI32(?), ref: 00A6A132
FindCloseChangeNotification.KERNEL32(00000000), ref: 00A6A16C

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID:
API String ID: 2037597787-0
Opcode ID: d302ffff7552c37cd72e515c1c4516c64b4a3d9f4dff3047c4a11e8aecc31e6c
Instruction ID: 2b2854fa23997a9cbfe56b21206b6099b8d4fd29fd7b92a2f0a3da294d0a9349
Opcode Fuzzy Hash: d302ffff7552c37cd72e515c1c4516c64b4a3d9f4dff3047c4a11e8aecc31e6c
Instruction Fuzzy Hash: 50414871900209EBEF109FA0DC49BEEBBB8FF19714F104159E512B7290DB799908CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00931490 Relevance: 13.9, Strings: 11, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

AI_CF_FRAME_BORDER3_COLORS, xrefs: 00931665
AI_CF_CLOSEBTN_COLORS, xrefs: 009316FC
AI_CF_FRAME_BORDER1_COLORS, xrefs: 009315D0
AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 0093172F
AI_CF_FRAME_BASE_COLOR, xrefs: 009314CC
AI_CF_MINBTN_BASE_COLOR, xrefs: 0093154C
AI_CF_MINBTN_COLORS, xrefs: 00931696
AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 0093158E
AI_CF_MINBTN_BORDER_COLORS, xrefs: 009316C9
AI_CF_FRAME_CAPTION2_COLORS, xrefs: 0093150A
AI_CF_FRAME_BORDER2_COLORS, xrefs: 00931612

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
API String ID: 0-1938184520
Opcode ID: 3c872e6beae89e3c121448b1f315afe808a0806d87cdc59eeaffa7581cee3e53
Instruction ID: 5de115982a5f65c709c950a666b96f6275ca1c67d29df0ffc531d28958b74505
Opcode Fuzzy Hash: 3c872e6beae89e3c121448b1f315afe808a0806d87cdc59eeaffa7581cee3e53
Instruction Fuzzy Hash: 68A12B70D4539CDAEB50CF60C9497DEBBB0AB66308F2482C9E5483B291DBB51A88DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AA5A20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AA5AFA

Strings

\, xrefs: 00AA5A74
\, xrefs: 00AA5A7C
\, xrefs: 00AA5A9E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 0959e602276877f2dfe4fc96e06f5ee01e7abc5bf5fa23dd594e7956da885fbe
Instruction ID: 2242b57d97314ca79914e5f45049662d269c570bccf652d36ab2e28a454e2d6c
Opcode Fuzzy Hash: 0959e602276877f2dfe4fc96e06f5ee01e7abc5bf5fa23dd594e7956da885fbe
Instruction Fuzzy Hash: 1E41D572E00611C6CB30AF34848566BB7F0FF96355F154A1EE8D997580F7708D84839A

Uniqueness

Uniqueness Score: -1.00%

Function 0095F640 Relevance: 6.8, Strings: 5, Instructions: 569COMMON

Download Yara Rule

Strings

AI_EXIST_INSTANCES, xrefs: 0095F8C3
AI_EXIST_NEW_INSTANCES, xrefs: 0095FA29
MultipleInstances, xrefs: 0095F6A6
PropertyValue, xrefs: 0095FCE8
MultipleInstancesProps, xrefs: 0095F770, 0095FBDE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
API String ID: 0-2308371840
Opcode ID: df8772aeb032140b9b6a9f6f68b349081406c4801eeb39bdb6048b7c7998ac95
Instruction ID: 233f199afdc2326937644b2ab21b1ebd8c3cd31a3828e87ff2dff17d0bd50edd
Opcode Fuzzy Hash: df8772aeb032140b9b6a9f6f68b349081406c4801eeb39bdb6048b7c7998ac95
Instruction Fuzzy Hash: AC32F571D00248DFDF04DFA4C8A9BEEBBB5EF48324F248159E505B7291DB746A88CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A76690 Relevance: 6.3, APIs: 4, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,00000100), ref: 00A76793
LoadStringW.USER32(?,?,?,00000001), ref: 00A768B3
SysFreeString.OLEAUT32(00000000), ref: 00A76A4E
SysAllocStringLen.OLEAUT32(?,?), ref: 00A76A75

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: String$Load$AllocFree
String ID:
API String ID: 1561515232-0
Opcode ID: 4c2913448d1079b19f26f6f58584f2c49b5fb8fb915368c8f04181070b311c2e
Instruction ID: 34410b8fc1a45c5dd1dd6553c3a5a720a1e21348868d63e84818d26807500822
Opcode Fuzzy Hash: 4c2913448d1079b19f26f6f58584f2c49b5fb8fb915368c8f04181070b311c2e
Instruction Fuzzy Hash: 2EC18EB1D006489FDB04CFA8CD45BEEBBB5FF48304F24822AE415B7291EB746A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00958FC0 Relevance: 6.1, APIs: 4, Instructions: 87timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000003,00000001,201B1858,?,?,?,?,00B69F44,000000FF), ref: 00959001
GetWindowLongW.USER32(00000003,000000FC), ref: 00959016
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00959028
DeleteCriticalSection.KERNEL32(?,201B1858,?,?,?,?,00B69F44,000000FF), ref: 00959053

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: LongWindow$CriticalDeleteKillSectionTimer
String ID:
API String ID: 1032004442-0
Opcode ID: f5c30e6cfa5b8ee6df9178de89826e356536de52cf706ef50df069ae2a37c6c0
Instruction ID: bc9b5aa61218c5abf3a9fdb06ee73d84794f9863450c7b689b4b7b2e59ca99d2
Opcode Fuzzy Hash: f5c30e6cfa5b8ee6df9178de89826e356536de52cf706ef50df069ae2a37c6c0
Instruction Fuzzy Hash: F131D271504605EFEB20DF68CC04B9ABBF8BF05320F14429AE814A32D1D775E914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C159 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00A9C861,?,?,?), ref: 00B3C15E
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00B3C165
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 00B3C1AB
HeapFree.KERNEL32(00000000,?,?,?), ref: 00B3C1B2

Part of subcall function 00B3BFF7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00B3C1A1,?,?,?,?), ref: 00B3C01B
Part of subcall function 00B3BFF7: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00B3C022

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 586cad1d35f55606e892258d745e3f9f4bfc201d6f79096a6b0461dd7ad58f1e
Instruction ID: c979ef31148ca032fa32619183025ce6c12e92a200ae3749215b4b3c856f44e0
Opcode Fuzzy Hash: 586cad1d35f55606e892258d745e3f9f4bfc201d6f79096a6b0461dd7ad58f1e
Instruction Fuzzy Hash: ACF09076604A1197D77027B86C0CD5B3EA5AF85B61F3144A8F546E7155DF20C801A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A28250 Relevance: 4.7, APIs: 3, Instructions: 234libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A28292
GetSysColor.USER32(00000011), ref: 00A285C4

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

LoadLibraryExW.KERNEL32(?,00000000,00000000,00B9D99D,000000FF), ref: 00A28369

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ColorDirectoryFindHeapLibraryLoadProcessResourceSystem
String ID:
API String ID: 346497123-0
Opcode ID: 0caa8a8e1d6b8916014e329314a17546f7ebb9e91c4144b81dd5e5245f5ab5f4
Instruction ID: b705d70a68d650d0079e01446f4f0e4af157d5a4ec133425ba2a24e23cb435d3
Opcode Fuzzy Hash: 0caa8a8e1d6b8916014e329314a17546f7ebb9e91c4144b81dd5e5245f5ab5f4
Instruction Fuzzy Hash: 50A18EB0501645EFE714CF68C858B9ABBF0FF04318F20865DE8199B781D7BAA618CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E460 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00A6E4FF
FindClose.KERNEL32(00000000), ref: 00A6E55E

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 16927018037fcaedde46a0faca5c07d007c79b7fca35bcede25a4491985cb626
Instruction ID: ee1a87744c35c8da2e02b5cf85104a27d69a8e4dba3e2c93ac025593ec1c61f8
Opcode Fuzzy Hash: 16927018037fcaedde46a0faca5c07d007c79b7fca35bcede25a4491985cb626
Instruction Fuzzy Hash: 2831B278904218DBDF28DF54C949B6EB7B4FF48324F2041AAE91A97380EB315D45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD210 Relevance: 3.1, Strings: 2, Instructions: 604COMMON

Download Yara Rule

Strings

Name, xrefs: 00ACD62D
{Binary Data}, xrefs: 00ACD562

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: Name${Binary Data}
API String ID: 0-874704490
Opcode ID: 9f5280ffbcbbdd70de80169af42410f2e9bd8070a806fca4b397bc640d191aaf
Instruction ID: 9b4e9238497de58fdc6aedc893c629de041612324c4f55c09c8b730734217bce
Opcode Fuzzy Hash: 9f5280ffbcbbdd70de80169af42410f2e9bd8070a806fca4b397bc640d191aaf
Instruction Fuzzy Hash: FD424970D00259DFDB24DF64C985BEEB7B5AF48304F1185AAE40AA7291EB74AE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00AB48E0 Relevance: 3.1, APIs: 2, Instructions: 92filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,201B1858,?,?,00000000), ref: 00AB496B
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,201B1858,?,?,00000000), ref: 00AB4991

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: 1afc1f9a536b0435678a3b5c31b881e284cda7107b12b004f864182c20b5fefc
Instruction ID: c2e6ec58457ed0ca950d309a7828fe04ab75ec1a609f17e8185e9b5dcf6ee22c
Opcode Fuzzy Hash: 1afc1f9a536b0435678a3b5c31b881e284cda7107b12b004f864182c20b5fefc
Instruction Fuzzy Hash: 3B31F631A44746AFE721CF24DC05BAABBA5FB05720F10865EF565A73D1DB75A800CB44

Uniqueness

Uniqueness Score: -1.00%

Function 009723A0 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 009723B8
SetUnhandledExceptionFilter.KERNEL32(00A6D2B0), ref: 009723CE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 3ccbd4236ca5f4a5598bf8f3195eba51476eb953814d9092bc440a430af76863
Instruction ID: faa2f45218b745e6419451551277e80156a4cc5681317175d7cf4b6670c4e611
Opcode Fuzzy Hash: 3ccbd4236ca5f4a5598bf8f3195eba51476eb953814d9092bc440a430af76863
Instruction Fuzzy Hash: 68E0D837604250FFD7206374AD0EF4E7F64BB9A721F044455F105631A1CBA88845C765

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0BB0 Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

0e+00, xrefs: 00AD0E1D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: 0e+00
API String ID: 0-2793203700
Opcode ID: 4b5f65845b219c394d8c16c8f7aa70c73c8fe17f046a58f278fb086a49843ac3
Instruction ID: 5b67587b932c7917324e36e954d744f7c43c135c2dac6a3d459b1107ee7c4e25
Opcode Fuzzy Hash: 4b5f65845b219c394d8c16c8f7aa70c73c8fe17f046a58f278fb086a49843ac3
Instruction Fuzzy Hash: 09D1AF72E042058FCB08DF6DD981BAEBBE5BB88310F14463EE45AE7351E770D9448B91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABBB50 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 766960406ae230ec81c5e7264837ece8152866839494fb8f5f61cd9f3e942d96
Instruction ID: 3a8f035c60d311fb2568a0de3ab2904bc304be0a64c458954f94a9fd4b311678
Opcode Fuzzy Hash: 766960406ae230ec81c5e7264837ece8152866839494fb8f5f61cd9f3e942d96
Instruction Fuzzy Hash: 7A714BB0A00A4ADFDB04CF64C49879ABBE0FF49318F54419DD5059B782DBBAA919CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00A73D30 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00A73DAA
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 00A73DDF
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00A73E5E
RegCloseKey.KERNEL32(00000000), ref: 00A7403E

Strings

Blade, xrefs: 00A73F80
Terminal Server, xrefs: 00A73F04
BackOffice, xrefs: 00A73ED2
ProductSuite, xrefs: 00A73E53
Small Business, xrefs: 00A73EA0
CommunicationServer, xrefs: 00A73EEB
DataCenter, xrefs: 00A73F4F
Small Business(Restricted), xrefs: 00A73F1D
EmbeddedNT, xrefs: 00A73F36
WinNT, xrefs: 00A73DE9
ServerNT, xrefs: 00A73E0C
ProductType, xrefs: 00A73DD4
Personal, xrefs: 00A73F69
Compute Server, xrefs: 00A73FDC
Embedded(Restricted), xrefs: 00A73F97
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00A73DA0
Storage Server, xrefs: 00A73FC5
Enterprise, xrefs: 00A73EB9
Security Appliance, xrefs: 00A73FAE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 8787b9b2fceadc240fe921b5da25ff6c19d5ec7eb9c3cf53a18e6c97d5bee80a
Instruction ID: efe0b0a1be19682a14e2d64f00872db4a9a4907e333c13bc33273efde5b229f4
Opcode Fuzzy Hash: 8787b9b2fceadc240fe921b5da25ff6c19d5ec7eb9c3cf53a18e6c97d5bee80a
Instruction Fuzzy Hash: E471B172B003598ADF209F65CD517AE72B9EB41340F11C1B9E90EAF682EB34CE45DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00A73980 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00A739F8
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00A73A39
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00A73A5C
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00A73A8F
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00A73B08
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00A73B7F
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00A73BD5
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00A73C73
GetProcAddress.KERNEL32(00000000), ref: 00A73C7A
GetCurrentProcess.KERNEL32(?), ref: 00A73CB1
IsWow64Process.KERNEL32 ref: 00A73CC0
RegCloseKey.ADVAPI32(00000000), ref: 00A73CFA

Strings

CurrentBuildNumber, xrefs: 00A73AFD
kernel32, xrefs: 00A73C6E
ReleaseId, xrefs: 00A73B74
CurrentMinorVersionNumber, xrefs: 00A73A51
CSDVersion, xrefs: 00A73BCA
CurrentMajorVersionNumber, xrefs: 00A73A2E
CurrentVersion, xrefs: 00A73A84
IsWow64Process, xrefs: 00A73C69
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00A739EE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-3583743485
Opcode ID: 27125ba53ecb182375401901f28c0389ba90683bf958f303e62db69d6a25a761
Instruction ID: f48840d0952507aa45dfb25cd60fc0af8989f822bdf21b332a033cb66b5cd354
Opcode Fuzzy Hash: 27125ba53ecb182375401901f28c0389ba90683bf958f303e62db69d6a25a761
Instruction Fuzzy Hash: E0A190B19007289FEF20CF60DC45B9EBBB5FB44715F1082E6E509A7290EB769A94CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00A535F0 Relevance: 31.9, APIs: 8, Strings: 10, Instructions: 355
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

GetModuleFileNameW.KERNEL32(00000000,?,00000104,201B1858,00000000,?,?,?,000000FF), ref: 00A53725
GetModuleHandleW.KERNEL32(kernel32,.local,?,?,?,?,000000FF), ref: 00A537CC
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00A5380B
SetSearchPathMode.KERNEL32 ref: 00A5383E
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00A5386D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A538CF
SetDefaultDllDirectories.KERNELBASE ref: 00A53902

Part of subcall function 00A28250: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A28292

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

FreeLibrary.KERNEL32(?,201B1858,00000000,00B639C0,000000FF,?,000000E1,80004005,?,?,000000FF), ref: 00A53B74

Part of subcall function 00A59280: EnterCriticalSection.KERNEL32(00C81F9C,201B1858), ref: 00A592BF
Part of subcall function 00A59280: DestroyWindow.USER32(00000000), ref: 00A592DD
Part of subcall function 00A59280: LeaveCriticalSection.KERNEL32(00C81F9C), ref: 00A59326

Strings

SetSearchPathMode, xrefs: 00A53805
SetDefaultDllDirectories, xrefs: 00A538C9
kernel32, xrefs: 00A537C7
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00A53679, 00A53681
SetDllDirectory, xrefs: 00A53867
.local, xrefs: 00A537A6
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00A53674
kernel32.dll, xrefs: 00A539E7
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00A53697, 00A5369F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00A53692

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressProc$CriticalHeapModuleSection$AllocateDefaultDestroyDirectoriesDirectoryEnterFileFreeHandleLeaveLibraryModeNamePathProcessSearchSystemWindow
String ID: .local$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
API String ID: 863123761-2126665378
Opcode ID: 65088a900b42cee68b66a816791b20d2aab922a166a5aba305dc0ba95e5b0c7c
Instruction ID: d924c06d04027aeb5a98dac63ad827bfb8004f2abb51719f542aec50f3e8b843
Opcode Fuzzy Hash: 65088a900b42cee68b66a816791b20d2aab922a166a5aba305dc0ba95e5b0c7c
Instruction Fuzzy Hash: BFE179B1500388DFDF24DF64D849BAE7BA4FB45318F104258F919AB291DBB49A08CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00A8BD90 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00A8BE76
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00A8BEAA

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00A8CD14
%hu, xrefs: 00A8CB77
Language selected programatically for UI:, xrefs: 00A8CE67
Language used for UI:, xrefs: 00A8CEFE
Software\Caphyon\Advanced Installer\, xrefs: 00A8CD00
Code returned to Windows by setup:, xrefs: 00A8C937
Languages of setup:, xrefs: 00A8DB8A
Advinst_Extract_, xrefs: 00A8BE0D, 00A8BE22, 00A8BE2C
AI_BOOTSTRAPPERLANGS, xrefs: 00A8D8AF, 00A8D8C1, 00A8D8CB
A valid language was received from commnad line. This is:, xrefs: 00A8CB3D
Language of a related product is:, xrefs: 00A8CD90

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 2083075878-297406034
Opcode ID: 57efb7f1db380afdaf22c31eeb22aad2eca486aa3d2b4c9715dac27c89b6b925
Instruction ID: d43ef2c7cdd1a4dde8f76085f331eef132490875ef902b67f217b57e587146d0
Opcode Fuzzy Hash: 57efb7f1db380afdaf22c31eeb22aad2eca486aa3d2b4c9715dac27c89b6b925
Instruction Fuzzy Hash: 47E1E231900658DFDB11EB68CC05BAEBBB5EF88320F144299E919A73D2DB349E01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB42E0 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 371
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

SetWindowTextW.USER32(00000000,?), ref: 00AB4556
GetDlgItem.USER32(00000000,000007D1), ref: 00AB456D
SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 00AB457F
SetFocus.USER32(00000000), ref: 00AB458A
GetDlgItem.USER32(00000000,000007D1), ref: 00AB45C8
GetDlgItem.USER32(00000000,0000042D), ref: 00AB45D8
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AB45E8
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 00AB4604
RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 00AB4614
EndDialog.USER32(00000000,00000002), ref: 00AB4631
GetDlgItem.USER32(00000000,000007D1), ref: 00AB4663
GetWindowTextLengthW.USER32(00000000), ref: 00AB4670
EndDialog.USER32(00000000,00000001), ref: 00AB46F0

Strings

PackageCode, xrefs: 00AB440A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Item$MessageSendWindow$DialogText$FocusHeapLengthProcessRedraw
String ID: PackageCode
API String ID: 1882348448-1525858878
Opcode ID: 87c9320ce00bdd9e7505e2c67f451722fc618702ca3f29d3231b731c61155ab1
Instruction ID: d2f70ce6706ab4755623cd8051688734c7fc454cf753eb8b39ab9abb4021c055
Opcode Fuzzy Hash: 87c9320ce00bdd9e7505e2c67f451722fc618702ca3f29d3231b731c61155ab1
Instruction Fuzzy Hash: CDD12031600615AFEB14DF68CC48BAEBBA9FF48310F10421AF915A73E2DB75AC11CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B9E0 Relevance: 23.9, APIs: 10, Strings: 3, Instructions: 1160
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00A8BBF4
SetLastError.KERNEL32(0000000E), ref: 00A8BC11
GetCurrentThreadId.KERNEL32 ref: 00A8BC29
EnterCriticalSection.KERNEL32(00C872EC), ref: 00A8BC46
LeaveCriticalSection.KERNEL32(00C872EC), ref: 00A8BC69
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00A8BE76
SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00A8C103

Part of subcall function 00AB49F0: CloseHandle.KERNEL32(?,201B1858,?,00000010,?,00000000,00BB5343,000000FF,?,00A90382,00000000,00000000,00000000,00000001,?,0000000D), ref: 00AB4A2A

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00A8BEAA

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Part of subcall function 00A551D0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00C82000,00AA8098,?), ref: 00A551E8
Part of subcall function 00A551D0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00A5521A

DialogBoxParamW.USER32(000007D0,00000000,009B62A0,00000000), ref: 00A8BC86

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Strings

Code returned to Windows by setup:, xrefs: 00A8C937
Advinst_Extract_, xrefs: 00A8BE0D, 00A8BE22, 00A8BE2C
FILES.7z, xrefs: 00A8C3FF

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
API String ID: 1122345507-2771609608
Opcode ID: 85725a6fe0bad2d4a8f7f8990f492cd6bd5ed1a97b4c36df003a248c196aaec6
Instruction ID: f6c842d323c4369fb084efc5077106636ae50cb0c14f3cfff287e22727d5d6ab
Opcode Fuzzy Hash: 85725a6fe0bad2d4a8f7f8990f492cd6bd5ed1a97b4c36df003a248c196aaec6
Instruction Fuzzy Hash: 4BA2BD30900648DFDB15EB68CC59BEEBBB5EF89320F148199E505A7392DB34AE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00943380 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00943477
GetProcAddress.KERNEL32(00000000), ref: 0094347E
GetWindowsDirectoryW.KERNEL32(?,00000104,201B1858,?,?), ref: 009434C4
PathFileExistsW.SHLWAPI(?), ref: 009434EC
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 00943577

Part of subcall function 00B3CA85: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CA90
Part of subcall function 00B3CA85: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CACA

GetTempPathW.KERNEL32(00000104,?,201B1858,?,?), ref: 0094359A

Part of subcall function 00B3CA34: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA3E
Part of subcall function 00B3CA34: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA71
Part of subcall function 00B3CA34: WakeAllConditionVariable.KERNEL32(00C80884,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA7C

Strings

\SystemTemp\, xrefs: 009434CA
S-1-5-18, xrefs: 00943519
GetTempPath2W, xrefs: 0094346D
S-1-5-32-544, xrefs: 0094352A
Kernel32.dll, xrefs: 00943472

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
API String ID: 3143601600-595641723
Opcode ID: fe801801c4e76f0d313a4e5da7b3590208bc7a589914cca005c63f8d97411929
Instruction ID: fda9080e2180e6b31137fb921e2e74ca5abf429b36f8a78e2eebee28791bf97e
Opcode Fuzzy Hash: fe801801c4e76f0d313a4e5da7b3590208bc7a589914cca005c63f8d97411929
Instruction Fuzzy Hash: BAA1C3B1D00218EBDB20EFA4DD89BDDB7B4EB04714F1042A9E90AA7291EB745F44CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C7F0 Relevance: 18.2, APIs: 12, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00A9C82D
SetLastError.KERNEL32(0000000E,?,?,?), ref: 00A9C86A
GetCurrentThreadId.KERNEL32 ref: 00A9C8F5
SetWindowTextW.USER32(?,00000000), ref: 00A9C984
GetDlgItem.USER32(?,000003E9), ref: 00A9C992
SetWindowTextW.USER32(00000000,?), ref: 00A9C99E

Part of subcall function 00A92C10: GetDlgItem.USER32(?,00000002), ref: 00A92C2D
Part of subcall function 00A92C10: GetWindowRect.USER32(00000000,?), ref: 00A92C43
Part of subcall function 00A92C10: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00A9C84D), ref: 00A92C58
Part of subcall function 00A92C10: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00A9C84D), ref: 00A92C63
Part of subcall function 00A92C10: GetDlgItem.USER32(?,000003E9), ref: 00A92C71
Part of subcall function 00A92C10: GetWindowRect.USER32(00000000,?), ref: 00A92C87
Part of subcall function 00A92C10: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00A92CC6

GetDlgItem.USER32(?,00000002), ref: 00A9CA2E
SetWindowTextW.USER32(00000000,00000000), ref: 00A9CA36

Part of subcall function 0094BC50: RaiseException.KERNEL32(?,?,00000000,00000000,00A5926C,C0000005,00000001,201B1858,00C78AB8,04EFC648,?,00C81FAC,00C78AB8,00B63E40,000000FF), ref: 0094BC5C

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
String ID:
API String ID: 1085195845-0
Opcode ID: 896e55474998e63ca5db7a7c510b912fcc7b1e55ac72eeb99a0e9cd50dd0f3b5
Instruction ID: 342c0f51f9ccd221f656a4d215365c23952dbd8849b8bc35a4d5b3eccaae73f9
Opcode Fuzzy Hash: 896e55474998e63ca5db7a7c510b912fcc7b1e55ac72eeb99a0e9cd50dd0f3b5
Instruction Fuzzy Hash: 99717A71A00A05EFDB11DFA8CC48B5EBBF4FF08320F148669E525A72A1DB74A900CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BEEB Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,00B3C231,00C80844,?,?,?,00AB481D,?,?,?,00000001,?), ref: 00B3BEFD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00B3C231,00C80844,?,?,?,00AB481D,?,?,?,00000001), ref: 00B3BF12
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00B3BF8E

Strings

atlthunk.dll, xrefs: 00B3BF0D
AtlThunk_AllocateData, xrefs: 00B3BF23
AtlThunk_FreeData, xrefs: 00B3BF68
AtlThunk_InitData, xrefs: 00B3BF3A
AtlThunk_DataToCode, xrefs: 00B3BF51

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 69526c62e20a7127883d519811cea0eb27f04a6c82fd714f1631efe2d6e99890
Instruction ID: b5dd6d2101637a8824479d692dcdf21b874fcffca3a6a9cb18245c7bfbd54eae
Opcode Fuzzy Hash: 69526c62e20a7127883d519811cea0eb27f04a6c82fd714f1631efe2d6e99890
Instruction Fuzzy Hash: 03018431A44710BECB61AB119C57F8A37D4AF01749F3410F8BD096B1EAEBA1C548CAC6

Uniqueness

Uniqueness Score: -1.00%

Function 00A787C0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 291
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,201B1858,00000000,00000000,?), ref: 00A7881B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 00A789BD
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 00A78A5F
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 00A78A87
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 00A78AB3

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

DeleteFileW.KERNEL32(?,201B1858,?,00000000,00B63A10,000000FF,?,80070057,80004005,?), ref: 00A78B6D

Strings

shim_clone, xrefs: 00A789B7

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
String ID: shim_clone
API String ID: 4011074531-3944563459
Opcode ID: 43cc7b4eebcb0aa7f7dbc6ed4176f147cd0b6cbe993dd0e27d618e6cacafff43
Instruction ID: be334ae2f9c2d270d08d5b20527c24672d4264d5e9aee9a4a7d4147350a48a5a
Opcode Fuzzy Hash: 43cc7b4eebcb0aa7f7dbc6ed4176f147cd0b6cbe993dd0e27d618e6cacafff43
Instruction Fuzzy Hash: 88B1E371A406589FDB24DB24CC49BAEB7F4EF44300F54C0E9E90AA7292EF34AE44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A71A00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,201B1858,?,00000000,00000000), ref: 00A71A3A
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00A71A60
GetSystemMetrics.USER32(0000000C), ref: 00A71AA0
GetSystemMetrics.USER32(0000000B), ref: 00A71AB8
FreeLibrary.KERNEL32(00000000), ref: 00A71AE9

Strings

ComCtl32.dll, xrefs: 00A71A2E
LoadIconMetric, xrefs: 00A71A5A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: LibraryMetricsSystem$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 499052680-764666640
Opcode ID: 84c2d2d556f45046ad19ccd0f02f81c408d12bec9c7dcc1adf1104c4a5ccc829
Instruction ID: 95a06fabdc5073f3735b9c2bfcc0e68b6838a3b2da5918427c871d064c713357
Opcode Fuzzy Hash: 84c2d2d556f45046ad19ccd0f02f81c408d12bec9c7dcc1adf1104c4a5ccc829
Instruction Fuzzy Hash: 9D315071A41619EBDB118F58CD48BBFBBF8FB48791F00422AE819A3290D7755D00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A8C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 248
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,?), ref: 00A9AABE
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00A9AB20
SetEndOfFile.KERNEL32(?), ref: 00A9AB29
FindCloseChangeNotification.KERNEL32(?), ref: 00A9AB42

Strings

Not enough disk space to extract file:, xrefs: 00A9A99B
%sholder%d.aiph, xrefs: 00A9AA9A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 3635197886-929304071
Opcode ID: 60abac16fb1df6d325b16e9ae33c0667036fdc8d2df40d40b84d8597dc6b2639
Instruction ID: f4dfc847b860bf0b78efda10469d5300199144a016e1d068a78186a5243fea5f
Opcode Fuzzy Hash: 60abac16fb1df6d325b16e9ae33c0667036fdc8d2df40d40b84d8597dc6b2639
Instruction Fuzzy Hash: EB91CF75A006099BDF00DFA8CD45BAEB7F5FF88320F24415AE921A7390DB31AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9410 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,201B1858,?,?,?), ref: 00AB94B6
GetLastError.KERNEL32(?,?,?), ref: 00AB94C4
ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 00AB94DF

Strings

ADVINSTSFX, xrefs: 00AB9513, 00AB95CE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: c8a50775c423b9b933c4abbcfae43e1130421429218cfa1c0973284cf5edc61a
Instruction ID: a9f5a68d15ff1ad22a8df85983a8231fae7efa4c85c23442f15c5f720c408f1f
Opcode Fuzzy Hash: c8a50775c423b9b933c4abbcfae43e1130421429218cfa1c0973284cf5edc61a
Instruction Fuzzy Hash: B661C0B1A002099BDB15CF68C894BFFBBB9FB49324F244265E615A7282E7349D45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0094BD40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,201B1858,?,?,?,00000000,00000000,?), ref: 0094BD7F
GetCurrentThreadId.KERNEL32 ref: 0094BDC3
EnterCriticalSection.KERNEL32(00C872EC), ref: 0094BDE3
LeaveCriticalSection.KERNEL32(00C872EC), ref: 0094BE07
CreateWindowExW.USER32(?,?,00000000,00C872EC,?,?,?,?,00000000,?,00000000), ref: 0094BE61

Part of subcall function 00B3C159: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00A9C861,?,?,?), ref: 00B3C15E
Part of subcall function 00B3C159: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00B3C165

Strings

AXWIN UI Window, xrefs: 0094BEEA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window
API String ID: 213679520-1592869507
Opcode ID: 649b9b258f000420a6c22b8c2e9af0fc29d76865670d2567c3084f91e7c9a07d
Instruction ID: 6a28bdd8b466f66858f45acc3d8ee502e178370792a5d759ff366791f269e4a4
Opcode Fuzzy Hash: 649b9b258f000420a6c22b8c2e9af0fc29d76865670d2567c3084f91e7c9a07d
Instruction Fuzzy Hash: 74518F72604205AFEB20DF69DC45FAABBF8FB84714F10425AF915A7290D770E814CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0094BA61 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0094BB0F
GetWindowLongW.USER32(?,000000FC), ref: 0094BB1E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0094BB39
GetWindowLongW.USER32(?,000000FC), ref: 0094BB53
SetWindowLongW.USER32(?,000000FC,?), ref: 0094BB65

Strings

$, xrefs: 0094BA91

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 1002780da42d7d66d9876475fe8e1bb6a112ce74675186358be3aa251c1c94d5
Instruction ID: d6046122a3396259121b80422e708e28a5a8d4cca6e50f6298bc464bb12d8e6a
Opcode Fuzzy Hash: 1002780da42d7d66d9876475fe8e1bb6a112ce74675186358be3aa251c1c94d5
Instruction Fuzzy Hash: 164139B1604706AFD700DF19D884A1AFBF5FF88360F104A0AF995836A0C772E954CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A92C10 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00A92C2D
GetWindowRect.USER32(00000000,?), ref: 00A92C43
ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00A9C84D), ref: 00A92C58
InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00A9C84D), ref: 00A92C63
GetDlgItem.USER32(?,000003E9), ref: 00A92C71
GetWindowRect.USER32(00000000,?), ref: 00A92C87
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00A92CC6

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 11b92958fe01e6f3d3ba145a6a2fce8e83461234ba74b338e2b43e979c43184e
Instruction ID: eb86281f178008bc95775fa0cbd108a42944681fa9ea93a6938ad58c26dce6d0
Opcode Fuzzy Hash: 11b92958fe01e6f3d3ba145a6a2fce8e83461234ba74b338e2b43e979c43184e
Instruction Fuzzy Hash: E4216A71614601AFE300DF34DD49B6EBBE8EF8D700F00862AF955E26A0E770ED508B96

Uniqueness

Uniqueness Score: -1.00%

Function 00A97430 Relevance: 9.4, APIs: 6, Instructions: 447fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,201B1858,00000000), ref: 00A97497
GetLastError.KERNEL32 ref: 00A977CA
GetLastError.KERNEL32 ref: 00A9785A
GetLastError.KERNEL32 ref: 00A974A6

Part of subcall function 00A71850: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,201B1858,?,00000000), ref: 00A7189B
Part of subcall function 00A71850: GetLastError.KERNEL32(?,00000000), ref: 00A718A5

ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00A975B9
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 00A97610

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: d3323c49c63cbd04c8f3022e2cd183f3eac9bfe848442f0fcd07729ef4cc80e9
Instruction ID: 31333cb2f84e94d072fcbbcd49333b36a36f4a9eb9b11df3abab499976d3e22f
Opcode Fuzzy Hash: d3323c49c63cbd04c8f3022e2cd183f3eac9bfe848442f0fcd07729ef4cc80e9
Instruction Fuzzy Hash: 3C029171E04609DFDB04DFA8C945BADBBF5FF48324F148259E425A7391EB74AA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AC40 Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 615COMMON

Download Yara Rule

Strings

/i , xrefs: 00A8B257
\\?\, xrefs: 00A8B18A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FindResource
String ID: /i $\\?\
API String ID: 1635176832-3071488798
Opcode ID: 9d1301475cc67602d9703282f8fddf8f65ecf24d7337613511393b9447bbe88e
Instruction ID: 8690e5496508d1269fdb644eda3755d3c5e836d86db86e5b6bedbcaab93012ae
Opcode Fuzzy Hash: 9d1301475cc67602d9703282f8fddf8f65ecf24d7337613511393b9447bbe88e
Instruction Fuzzy Hash: 18328070A00609DFDB18EFA8C858BADBBB5FF44314F144259E425AB2E1DB74AD06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A97980 Relevance: 9.4, APIs: 6, Instructions: 364fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,201B1858,00A94F6A,?,00000007), ref: 00A979D7
GetLastError.KERNEL32(?,00000007), ref: 00A97C95
GetLastError.KERNEL32(?,00000007), ref: 00A97D56
GetLastError.KERNEL32(?,00000007,?,?,?,?,?,?,?,?,00000000,00BAFD22,000000FF,?,00A966CA), ref: 00A979E6

Part of subcall function 00A71850: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,201B1858,?,00000000), ref: 00A7189B
Part of subcall function 00A71850: GetLastError.KERNEL32(?,00000000), ref: 00A718A5

ReadFile.KERNEL32(?,00000000,00000008,?,00000000,?,00000007), ref: 00A97AAA
ReadFile.KERNEL32(?,80070057,00000000,00000000,00000000,00000001,?,00000007), ref: 00A97B39

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 62323b758e3f39ae8b8d6637df3472659d352c3d407110d080d229ab0c0dfe43
Instruction ID: bc73252e79a2fa9dd83fe4dc2cf548d33b6bca8a63c8a5ceb5805982d405dd27
Opcode Fuzzy Hash: 62323b758e3f39ae8b8d6637df3472659d352c3d407110d080d229ab0c0dfe43
Instruction Fuzzy Hash: FFE19170A04209DFDF04DFA8C985BADB7B5FF48314F144569E815AB392EB74AE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9CA60 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00ABB8A0,00C12240,00000000,?), ref: 00A9CADD
GetLastError.KERNEL32 ref: 00A9CAEA
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00A9CB13
GetExitCodeThread.KERNEL32(00000000,?), ref: 00A9CB2D
TerminateThread.KERNEL32(00000000,00000000), ref: 00A9CB45
CloseHandle.KERNEL32(00000000), ref: 00A9CB4E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 437a4371dd5055533400ebdce59f86db553b26b1916a90d3b04924e185122138
Instruction ID: 97ea2ec04d3d68e8d56a66064e6a48dd3d639de88f512db7775cce600c18936e
Opcode Fuzzy Hash: 437a4371dd5055533400ebdce59f86db553b26b1916a90d3b04924e185122138
Instruction Fuzzy Hash: DF31C7B5A006499FEF10DF94C949BEEBBF8FB08724F100259E921B72D0DB755A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A2F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00AB3260: GetUserNameW.ADVAPI32(?,?), ref: 00AB32DB
Part of subcall function 00AB3260: GetLastError.KERNEL32 ref: 00AB32E5
Part of subcall function 00AB3260: GetUserNameW.ADVAPI32(?,?), ref: 00AB332D
Part of subcall function 00AB3260: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00AB3367
Part of subcall function 00AB3260: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00AB33B2

GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 00A8A605
OpenProcessToken.ADVAPI32(00000000), ref: 00A8A60C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00A8A63B
CloseHandle.KERNEL32(00000000), ref: 00A8A650

Strings

\/:*?"<>|, xrefs: 00A8A3D1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: EnvironmentNameProcessTokenUserVariable$CloseCurrentErrorHandleInformationLastOpen
String ID: \/:*?"<>|
API String ID: 3139386598-3830478854
Opcode ID: 5afcec66e07817274e7b3d8298e539a5f60bd7f32909c2e00f0a33c2393fe1be
Instruction ID: 38cf2ef2f902ff0f29fd35c138f9b353bf33d250d95bb1df61e39bc49a5fa629
Opcode Fuzzy Hash: 5afcec66e07817274e7b3d8298e539a5f60bd7f32909c2e00f0a33c2393fe1be
Instruction Fuzzy Hash: 2AC1DD71D04318CFDB15EFA4C8487AEBBB5BF54304F24425EE405AB291EB74AA45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A78E10 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,00B700F5,201B1858,?,?,00000000,00000000,?,00000000,00B700F5,000000FF,?,80004005,201B1858,?,00000000), ref: 00A78E75
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,00000000,00000000,?,00000000,00B700F5,000000FF,?,80004005,201B1858), ref: 00A78EC3

Strings

ProductName, xrefs: 00A78F31
\StringFileInfo\%04x%04x\%s, xrefs: 00A78F3B
\VarFileInfo\Translation, xrefs: 00A78F05

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: 316d573e852074a79128322f0d8fdd3ef847e9953f0a617629cdb0a090c724af
Instruction ID: f38aba5d599152021b93edad39c537e3f7993ab156540b347581436841a571b7
Opcode Fuzzy Hash: 316d573e852074a79128322f0d8fdd3ef847e9953f0a617629cdb0a090c724af
Instruction Fuzzy Hash: F8719E70A00209DFDB04DFA8CC99BAEBBB9EF49314F148169E516A7291DB349D05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA9C0 Relevance: 7.7, APIs: 5, Instructions: 175threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,201B1858,00000000,?), ref: 00ABAA00
CreateThread.KERNEL32(00000000,00000000,00ABADD0,?,00000000,?), ref: 00ABAA50
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00ABAB76
GetExitCodeThread.KERNEL32(00000000,?), ref: 00ABAB81
CloseHandle.KERNEL32(00000000), ref: 00ABABA1

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CreateThread$AllocateCloseCodeEventExitHandleHeapObjectSingleWait
String ID:
API String ID: 978852114-0
Opcode ID: f24fe00d8244ddd6ec156238287c2d1fb70cab4a7f507b6a03b6a25d4b5e3ba9
Instruction ID: 4a3f69cf39b0eb6632b8d32125ee1b785e8131599677ec2e3e87db7bda933ba7
Opcode Fuzzy Hash: f24fe00d8244ddd6ec156238287c2d1fb70cab4a7f507b6a03b6a25d4b5e3ba9
Instruction Fuzzy Hash: 8F611675A002189FCB08CF58C984BADBBB5FF98710F254199E915BB392DB74AD01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F3B0 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 00A6F3C7
PeekMessageW.USER32(?,00000000), ref: 00A6F3F8
TranslateMessage.USER32(00000000), ref: 00A6F407
DispatchMessageW.USER32(00000000), ref: 00A6F412
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00A6F428

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: c95a2b2f7c57a4789909d6c0912097ca5e37be2fea9d88ee6733cb950a25fdea
Instruction ID: 31e2dbf8aa5f2184cbd935f27578968a22d65e99fc4b212386c5b7ba90d86e35
Opcode Fuzzy Hash: c95a2b2f7c57a4789909d6c0912097ca5e37be2fea9d88ee6733cb950a25fdea
Instruction Fuzzy Hash: B7012470A843017FF720CF518D49B6FB7ECAB58B20F40462ABA28D10E0EB74C6448B26

Uniqueness

Uniqueness Score: -1.00%

Function 00A89B60 Relevance: 6.2, APIs: 4, Instructions: 159fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,201B1858,?,00000010,?,00A8E0C0,000000FF), ref: 00A89BC6
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00A89C0F
ReadFile.KERNEL32(00000000,201B1858,?,000000FF,00000000,00000078,?), ref: 00A89C51
CloseHandle.KERNEL32(00000000), ref: 00A89CE8

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: 931b35fc7c5200f7c6b79755f9f3e60ced26b799b3aaaa5e262c835ceadde6ef
Instruction ID: 8d7d284a787fcdefda109fd00fef32c75bd94cd62e28e0c79eef527121bc4652
Opcode Fuzzy Hash: 931b35fc7c5200f7c6b79755f9f3e60ced26b799b3aaaa5e262c835ceadde6ef
Instruction Fuzzy Hash: A851A271A006499FDB10DBA8CC48BBEBBF8EF49324F184259E511A72D1CB75AD05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A78D00 Relevance: 6.1, APIs: 4, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A787C0: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,201B1858,00000000,00000000,?), ref: 00A7881B

GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,201B1858,00000000,?,?,?,?,00000000,00BAA245,000000FF,00000000,00A78CB6,?), ref: 00A78D4D
GetFileVersionInfoW.KERNELBASE(?,00000000,00BAA245,00000000,00000000,?,?,00000000,00BAA245,000000FF,00000000,00A78CB6,?), ref: 00A78D79
GetLastError.KERNEL32(?,?,00000000,00BAA245,000000FF,00000000,00A78CB6,?), ref: 00A78DBE
DeleteFileW.KERNEL32(?), ref: 00A78DD1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID:
API String ID: 2825328469-0
Opcode ID: cdf0c78c0b1535330d91e6b5196bf881741e00d2ad640bed73ee334405b1e751
Instruction ID: 429d35180be5c201ddd2a18e6d261b20e7fb1bfbe8126cd73c2bcfdce72606f6
Opcode Fuzzy Hash: cdf0c78c0b1535330d91e6b5196bf881741e00d2ad640bed73ee334405b1e751
Instruction Fuzzy Hash: 1A316271940209AFEF10CFA5DD48BEEBBB8FF59710F14815AE905B3291DB389904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00959640 Relevance: 6.1, APIs: 4, Instructions: 74timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,201B1858), ref: 009596AA
EnterCriticalSection.KERNEL32(?,201B1858), ref: 009596B7
SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 009596ED
LeaveCriticalSection.KERNEL32(?), ref: 00959708

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveTimer
String ID:
API String ID: 3379552715-0
Opcode ID: 817f0badd01c9535d0cfe95987046b73427946c10e57d2a74834d36b1a96e6b9
Instruction ID: ee2f59efb9e5983c154e870879e0071122bffffb2617801429d2b9e719433e24
Opcode Fuzzy Hash: 817f0badd01c9535d0cfe95987046b73427946c10e57d2a74834d36b1a96e6b9
Instruction Fuzzy Hash: 3421C436900244DFEF11CF64C844BE9BBB8FF1A325F1001AAEC59AB392D7325909DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A92BA0 Relevance: 6.0, APIs: 4, Instructions: 28threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A92BA9
DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00BADB80), ref: 00A92BB8
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00A92BD5
IsWindow.USER32(?), ref: 00A92BE3

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 779f64ce40ffbffefca5491f5e4ad653806f6e462ae37a367f61c23469958109
Instruction ID: e511ffbb460f30069d607297021e6f1280d83c3356d0790a12badb728c8b3bbd
Opcode Fuzzy Hash: 779f64ce40ffbffefca5491f5e4ad653806f6e462ae37a367f61c23469958109
Instruction Fuzzy Hash: 9BF0A030206710AFE7709F24EE4CB56BBE0BF09B10F04484DE18A969A1D7B5F880CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E660 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

PathIsUNCW.SHLWAPI(?,?), ref: 00A6E82D

Strings

\\?\, xrefs: 00A6E80F, 00A6E815
\\?\UNC\, xrefs: 00A6E709, 00A6E791, 00A6E797

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: e0ffafb7dc1b0bd32301ec6f20e5333ba5dd59286291cd9639c157f6ca85a386
Instruction ID: f5a33508fa8c13e8ba1850fe37f8b33127ef6e012d033bf51cbaadd66e7d7a15
Opcode Fuzzy Hash: e0ffafb7dc1b0bd32301ec6f20e5333ba5dd59286291cd9639c157f6ca85a386
Instruction Fuzzy Hash: 76D1B175A006098BDB04DBA8CC95BAEB7F9FF88324F184169E511E73D1DB78AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AD95E0 Relevance: 4.7, APIs: 3, Instructions: 212synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD9C00: OpenEventW.KERNEL32(00000000,00000000,201B1858,_pbl_evt,00000008,?,?,00C0D430,00000001,201B1858,?), ref: 00AD9CAE
Part of subcall function 00AD9C00: CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00AD9CCB

WaitForSingleObject.KERNEL32(00000000,00000000,00000001,201B1858,?,?), ref: 00AD962E
ResetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00BB8BB9,000000FF), ref: 00AD9643

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Event$CreateObjectOpenResetSingleWait
String ID:
API String ID: 2109722436-0
Opcode ID: df5d9e625c78f6d1589208ee71114077d4ec92a0cf918ce18ec6f07c525277cf
Instruction ID: a7e1c8757b8e38203d056783c44d881770ddee86225801e70f83c75eed43c324
Opcode Fuzzy Hash: df5d9e625c78f6d1589208ee71114077d4ec92a0cf918ce18ec6f07c525277cf
Instruction Fuzzy Hash: 8D81D571D00244DFDB14CFA8C845BDEBBB0FF55314F24829AE405AB391D775AA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A93D40 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,201B1858,00000000,00000010,?,00000010,?), ref: 00A93DDB
GetLastError.KERNEL32 ref: 00A93E1D
GetLastError.KERNEL32(?), ref: 00A93EC1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: 2e672295c9c803e726658b060096f2bf82a310a4c061b71440837521aeac9359
Instruction ID: 2b3fe371b3eb90fe61f2781caccbfe42101b87740f3a29d4d6c335212b61b4a5
Opcode Fuzzy Hash: 2e672295c9c803e726658b060096f2bf82a310a4c061b71440837521aeac9359
Instruction Fuzzy Hash: 5461C031B00A06EFDF18DB69C845BA9B7F5FF44320F148659E825972D1EB70BA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ACC8C0 Relevance: 4.7, APIs: 3, Instructions: 185fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00ACD8A1,40000000,00000001,00000000,00000002,00000080,00000000,201B1858,?,?), ref: 00ACC922
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 00ACC9C8
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00ACCA3C

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: babcf523336ee8f6ad4137017c436b00b8036614ca18564005b7ec0116d22308
Instruction ID: 1f88357e7ff83cc6c118de3f94f9e4148c3a402a0a8b8879f959dd635bff7874
Opcode Fuzzy Hash: babcf523336ee8f6ad4137017c436b00b8036614ca18564005b7ec0116d22308
Instruction Fuzzy Hash: 5B517C71901209AFDB10DFA8D949FEEBBF9EF48314F204159F815A7290DB75AE04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A6EA70 Relevance: 4.7, APIs: 3, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,201B1858,00000000,?,?,?,?,?,00BA8A85,000000FF,?,00A822EC,00000000,?,?), ref: 00A6EABB
CreateDirectoryW.KERNEL32(00BA8A85,00000000,?,00000000,00C05B58,00000001), ref: 00A6EB7A
GetLastError.KERNEL32 ref: 00A6EB88

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: 22c8e1c955cb98a005005dc1d04557566dcccd65196ae4fc7a0f52f36e3abb4a
Instruction ID: 1666bd2453bcf3821e7a0f1d40dd150a2b4337c49ccebccd0e55ce6a04357c20
Opcode Fuzzy Hash: 22c8e1c955cb98a005005dc1d04557566dcccd65196ae4fc7a0f52f36e3abb4a
Instruction Fuzzy Hash: 1361DF35A00609CFDB04DFA8C899BAEB7F4FF58314F148569E412E7291EB35A909CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A929A0 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00A922F6), ref: 00A929A0
EnableWindow.USER32(?,00000000), ref: 00A92A35
DestroyWindow.USER32(00000000,00000000), ref: 00A92A5B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$DestroyEnableErrorLast
String ID:
API String ID: 2755773105-0
Opcode ID: 678cc8640527c0ca971e5e44a4d17ce346340587938e15fcdd2e52af5e13300e
Instruction ID: 1c958447cb49f7e3f62dc77bcfa0e20e5e07e102d23dc74d911214b270889d06
Opcode Fuzzy Hash: 678cc8640527c0ca971e5e44a4d17ce346340587938e15fcdd2e52af5e13300e
Instruction Fuzzy Hash: E62106B6700109ABDB20EF18EC46BAA7798EB54320F004622FC04C7791D77AEC61CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A6EEF0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,201B1858,00000000,00000010,00000010), ref: 00A6F0B2

Part of subcall function 00A6F190: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000010,00000000,80004005), ref: 00A6F19D

Strings

USERPROFILE, xrefs: 00A6EF4A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 2976596683-2419442777
Opcode ID: 39f7a5cefd68c31c3644549a09cf48ccd082150ff9afd8d93be7c4b81813b701
Instruction ID: 1cd07e52014dbe4d52f9ad223c9e52b9d2ff6a248c43f937f8cb4ec5192d091c
Opcode Fuzzy Hash: 39f7a5cefd68c31c3644549a09cf48ccd082150ff9afd8d93be7c4b81813b701
Instruction Fuzzy Hash: BE71E275A00609DFDB14DF68DC49BAEB7B5FF88310F144269E92697382EB359D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABBEB0 Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00ABBF02
EndDialog.USER32(00000000,00000001), ref: 00ABBF11

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: 609ed3bb0c70502ada129f41bd1df0def073378233bcc451bdee6a9935394f85
Instruction ID: 5b2664504f8090a18fcfa02487c13882c27c1f7584d800bf0083cca5aded6c5f
Opcode Fuzzy Hash: 609ed3bb0c70502ada129f41bd1df0def073378233bcc451bdee6a9935394f85
Instruction Fuzzy Hash: C2619E70A01644DFDB05CF68C948BADBBB4FF49320F158299E855AB392CB749E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A06660 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00A066AA
DestroyWindow.USER32(00000004,?,?,?,?,?,?,?,?,000000FF), ref: 00A066B7

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 98a9c5e9607abd292cd0b96524ecc77ad5b48914b9f3bc9361e429d4cf050c96
Instruction ID: aad041a56c64346615b4f7070c2756491dee154448c8ebf261ea93a9217d4c7c
Opcode Fuzzy Hash: 98a9c5e9607abd292cd0b96524ecc77ad5b48914b9f3bc9361e429d4cf050c96
Instruction Fuzzy Hash: 72319CB0808649EFCB15EF68C90578EFBF4BF01314F108299E155976D1DB74AA18CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A72440 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71A00: LoadLibraryW.KERNEL32(ComCtl32.dll,201B1858,?,00000000,00000000), ref: 00A71A3A
Part of subcall function 00A71A00: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00A71A60
Part of subcall function 00A71A00: FreeLibrary.KERNEL32(00000000), ref: 00A71AE9

Part of subcall function 00A71A00: GetSystemMetrics.USER32(0000000C), ref: 00A71AA0
Part of subcall function 00A71A00: GetSystemMetrics.USER32(0000000B), ref: 00A71AB8

SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A72482
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A72491

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: LibraryMessageMetricsSendSystem$AddressFreeLoadProc
String ID:
API String ID: 1118950307-0
Opcode ID: 8a985d6732c531efb72b0ee9c25d5dc242c426f24d72658e2e3ee207c6163ecf
Instruction ID: d074211085c49047fd82cbcb76302d25fb883342319e338bdfd861a81067167f
Opcode Fuzzy Hash: 8a985d6732c531efb72b0ee9c25d5dc242c426f24d72658e2e3ee207c6163ecf
Instruction Fuzzy Hash: 80F0BE327512103BF620165D4C46F7BB29DDBC4BA1F10822AFA58AB2C1E9E16C0103EA

Uniqueness

Uniqueness Score: -1.00%

Function 00B54716 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00B5C2FA,?,00000000,?,?,00B5C59B,?,00000007,?,?,00B5C9F7,?,?), ref: 00B5472C
GetLastError.KERNEL32(?,?,00B5C2FA,?,00000000,?,?,00B5C59B,?,00000007,?,?,00B5C9F7,?,?), ref: 00B54737

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 0a9c8ebf7c53e1936fce8c58908469ae8c9a7559ca86f9cdb64f7e7bfff0e19c
Instruction ID: c9829f7d509a420adfe9b6f5106535d0d0c9d11aab8fc937576beff5325abbcb
Opcode Fuzzy Hash: 0a9c8ebf7c53e1936fce8c58908469ae8c9a7559ca86f9cdb64f7e7bfff0e19c
Instruction Fuzzy Hash: B2E08631500214A7DB113FA4AC0CF993BDDDB45356F044490FA0897070CB348D81D794

Uniqueness

Uniqueness Score: -1.00%

Function 00A551D0 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00C82000,00AA8098,?), ref: 00A551E8
MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00A5521A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: de1ea2e5abc3d87c944861f8ad4450c244530d1d7d770f913e9350268dba47bb
Instruction ID: 14aaabdb561de416fdad3552a9415253d5660ed756dff6f4f528fd1b7b08ec4e
Opcode Fuzzy Hash: de1ea2e5abc3d87c944861f8ad4450c244530d1d7d770f913e9350268dba47bb
Instruction Fuzzy Hash: D001D236701112AFE6149B9ADC9DF5EB759FFD4322F204129F714AB2D0CB316C118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00959EF0 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

EqualRect.USER32(00000000,?), ref: 0095A029

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: EqualRect
String ID:
API String ID: 90978676-0
Opcode ID: d4e38f8e58c6f96172a111b7be22982caf35e312494ddd12b8598e8f8e74a50c
Instruction ID: 5fa78b42b28e518f5ad5224eb5f56ae6297a0c8845d695c6a5f74fac3d7d4fd6
Opcode Fuzzy Hash: d4e38f8e58c6f96172a111b7be22982caf35e312494ddd12b8598e8f8e74a50c
Instruction Fuzzy Hash: 70A13771D04608DFDB15DFA8C984BAEBBF8FF48304F204259E815A7251DB30AA48CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C140 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00A9C280,?), ref: 00A9C18B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: f7ce4b14fc8ba7a64ded5077577e4b9e08cba864c4534004b8116e9736d1b949
Instruction ID: dc24475377264e8f3b9c8a816287af1035bcfc2d372ba18fecb870b728fd936c
Opcode Fuzzy Hash: f7ce4b14fc8ba7a64ded5077577e4b9e08cba864c4534004b8116e9736d1b949
Instruction Fuzzy Hash: 3041D57190060AABDF10EF98C985BDEBBF4FF44324F10426AE411B7291DB75A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0093B010 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3E251: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,80004005,201B1858,?), ref: 00B3E2B1

RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: 31d400cb025191530bdb9f7240e41f2e6557da1b929c7303b0d491c3e810e7cb
Instruction ID: 03d6224c3b0dcfc3ab250903b7ee38a5589302614c560c02af018f4f41bfd936
Opcode Fuzzy Hash: 31d400cb025191530bdb9f7240e41f2e6557da1b929c7303b0d491c3e810e7cb
Instruction Fuzzy Hash: E9F0A771544648FFC715CF44DD06F5ABBA8FB44B10F108669F919937E0DB75E9008A54

Uniqueness

Uniqueness Score: -1.00%

Function 00B54750 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00B524BA,?,00B56703,?,00000000,?,00B464FA,00000000,00B524BA,?,?,?,?,00B522B4), ref: 00B54782

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d0d7f94bddaccf4dee667c05123a602d14678c0b2a922421fbdfc359f3f42254
Instruction ID: 77ee58e19c19a5a25b467d56d88effbeeb111f72247d8f351bc014bef0c50065
Opcode Fuzzy Hash: d0d7f94bddaccf4dee667c05123a602d14678c0b2a922421fbdfc359f3f42254
Instruction Fuzzy Hash: 13E0ED3114122897E6222A299C44B9A3BCEEB4B7EAF0901E0EC18D6180DF60DC8992E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B55CF9 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4e93a83729823f73cdd337c4f01fe7cd8635da57b2876c8f4e13197994181f
Instruction ID: c19e9e577062b732c068763ece3041834c839566f50f92d2cc5c0de1dc157dd6
Opcode Fuzzy Hash: 1c4e93a83729823f73cdd337c4f01fe7cd8635da57b2876c8f4e13197994181f
Instruction Fuzzy Hash: 46E0EC32901A25679F312E668819F9A3BEDEF41B93B0940E0AD14AB191DA61ED4896E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C2F7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3C2BC

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 5ce785e9f98d7782590fa724541b647467d3a2561583ca66d1e13aa8059341ee
Instruction ID: 772abce00799346a741645223c25096af26d6840c118511cfa66af6d617e06f2
Opcode Fuzzy Hash: 5ce785e9f98d7782590fa724541b647467d3a2561583ca66d1e13aa8059341ee
Instruction Fuzzy Hash: CEB012C12AC100ED3504A1951C8BC3B258CC0C0F22B30C5AFF904C0080DC801C041336

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C2ED Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3C2BC

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 46d93f71d8a89af7d59799504a2f932def81262eb64630649fcde726d489abed
Instruction ID: 1c2b6caa9109920e46bdc0f002f2844dea91eb9a0f13b329a78b4d707762d570
Opcode Fuzzy Hash: 46d93f71d8a89af7d59799504a2f932def81262eb64630649fcde726d489abed
Instruction Fuzzy Hash: 8AB012C12AC100ED3104A1855C8BC3B258CD0C4F21B3081AFF004C0080EC801C440236

Uniqueness

Uniqueness Score: -1.00%

Function 00B392FB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 02e54cf07ce4b4de5b679494b2a756fbae524d39b3af89cfb37500a8ccd3d993
Instruction ID: 8503828273b0211f9277717a7eb6538b0721b67dfd3191fd24a8ef1f74f7e6aa
Opcode Fuzzy Hash: 02e54cf07ce4b4de5b679494b2a756fbae524d39b3af89cfb37500a8ccd3d993
Instruction Fuzzy Hash: B6B012C12AC200FD320461445C47C7721CCC0C0B21F30836FF509C0080DDC11C8C113A

Uniqueness

Uniqueness Score: -1.00%

Function 00B392D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: da0cc58c277fac6cc872303d5118c93698f264df8eed2c8472f204bfcbb5e115
Instruction ID: 11b4fd5e60768a781487ec393dacf4e09a395718a0db46be7a6467c7ed2e4cc0
Opcode Fuzzy Hash: da0cc58c277fac6cc872303d5118c93698f264df8eed2c8472f204bfcbb5e115
Instruction Fuzzy Hash: B7B012D12BC100FD310561541D47C7721CCC0C0B21F30C27FF609C4080DDC22C09013A

Uniqueness

Uniqueness Score: -1.00%

Function 00B392DD Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b09e81b8fe88e2d8413b9386f8c7fc528259e0f7e51fe5f03b93f883f707f943
Instruction ID: de585452256323ee541f99a5b68dcb8f0d00799452bbd3798839e657a76a66a5
Opcode Fuzzy Hash: b09e81b8fe88e2d8413b9386f8c7fc528259e0f7e51fe5f03b93f883f707f943
Instruction Fuzzy Hash: 54B012C12AC300FD310461441C87C7721CCC0C0B25F30C26FFA09C0080DDC01C040137

Uniqueness

Uniqueness Score: -1.00%

Function 00B393B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39388

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7a94c7225a96addcd33418a2ce14e5637746a3b08d79c302f22c1e37ba9726e4
Instruction ID: 4010eb509af02d1fe63061a80ceefd328481744f8ee5275114bf10061b063b29
Opcode Fuzzy Hash: 7a94c7225a96addcd33418a2ce14e5637746a3b08d79c302f22c1e37ba9726e4
Instruction Fuzzy Hash: 0EB012C12EC300AD370461142C47CB6118CC0C4B31B30C16FF504C00C0E9C02C08413A

Uniqueness

Uniqueness Score: -1.00%

Function 00B39391 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39388

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d3d586143f5f87e435214baec7b564799a35bfe165bc06aa80f2369d6b918694
Instruction ID: d0cce0620cc8be1b7d809326b71284e0dc2c0cd1c62fcee8706b48179fc97ddd
Opcode Fuzzy Hash: d3d586143f5f87e435214baec7b564799a35bfe165bc06aa80f2369d6b918694
Instruction Fuzzy Hash: F8B012C12FD300AD370461142C47CB6128CC0C8B3173082AFF014C00C0E9C02C88413A

Uniqueness

Uniqueness Score: -1.00%

Function 00B393F1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39388

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 06bf40ae31f8d0f2191457e6b2916e6f449676a10208b39dbfe3e4ea39de45a2
Instruction ID: 128868b24d247d33406b3083d2069f4ba4531dc6ad5006caee0594fc81685a64
Opcode Fuzzy Hash: 06bf40ae31f8d0f2191457e6b2916e6f449676a10208b39dbfe3e4ea39de45a2
Instruction Fuzzy Hash: FEB012C12EC300AE374461142D4BCB7118CC4C4B32730816FF004C00C0EDC22C09533A

Uniqueness

Uniqueness Score: -1.00%

Function 00B393E7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39388

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4021c0e463a039d6e67556fb00af35159eaacaef8913f09d7ddb5825e9ab034d
Instruction ID: 0f701ff399595e7b366b2a940c2e12acfc54c194ba1811f678a84b28939b4dda
Opcode Fuzzy Hash: 4021c0e463a039d6e67556fb00af35159eaacaef8913f09d7ddb5825e9ab034d
Instruction Fuzzy Hash: DFB012C12ED300AE370471142C4BCB7128CC0C4B32730826FF104C00C0EDC12C48523A

Uniqueness

Uniqueness Score: -1.00%

Function 00B39323 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b2b24093099e4baa9bb412dbd08af23fd793d867ac16f04b16f70a9fb9e8fb77
Instruction ID: 8c68d9337c79cdbc8726d3ee3a0a59b06c7202df89430631df63fc2e20f0da6a
Opcode Fuzzy Hash: b2b24093099e4baa9bb412dbd08af23fd793d867ac16f04b16f70a9fb9e8fb77
Instruction Fuzzy Hash: ABB012C12AC200FD320861441C47C7722CCC0C0B61F30836FF509C0080DDC01C4C113A

Uniqueness

Uniqueness Score: -1.00%

Function 00B3932D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a3701327e8050531fc2636742c8495225f119c14e83f8aaa37372988870f1d1b
Instruction ID: 302210e0092d8ef430034fae80f1b3330c5a0e51ee0c810826918a5966a557dd
Opcode Fuzzy Hash: a3701327e8050531fc2636742c8495225f119c14e83f8aaa37372988870f1d1b
Instruction Fuzzy Hash: 87B012C12AC100FD310861441C47C7722DCC0C0B21F30C26FFA09C1080DDC01C08013B

Uniqueness

Uniqueness Score: -1.00%

Function 00B39319 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 95f4ba05077c9f25a8df686b58f64282d91cc177ff44767ba369f463e1d4e362
Instruction ID: a6dad396f21a1cb518ff5b12204a35a39eac7e55c29e07224c29488915882fe3
Opcode Fuzzy Hash: 95f4ba05077c9f25a8df686b58f64282d91cc177ff44767ba369f463e1d4e362
Instruction Fuzzy Hash: 19B012C12AC100FD310861441D47C7722CCC0C0B21F30C26FF609C4180DDC21C05013A

Uniqueness

Uniqueness Score: -1.00%

Function 00B39305 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 58b420ecb940dd2e53ee78880c25649a9f2c658e54b45426eb218151cced2cae
Instruction ID: 91fe1a90ffd4d0c010148017dd108a9a1d4c20990edcf82406938697cf54be97
Opcode Fuzzy Hash: 58b420ecb940dd2e53ee78880c25649a9f2c658e54b45426eb218151cced2cae
Instruction Fuzzy Hash: F9B012C12AC100FD310461445C47C7722CCC0C4B21F30C36FFA09C0080DDC11C04013B

Uniqueness

Uniqueness Score: -1.00%

Function 00B3930F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B392C0

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: bbb751484a619aa8c34f765337e7eb54b1f022ea92449a0228b98997aa83c9b1
Instruction ID: aa7e68aa46f8b1d064a0ba3a9040b0b641d49baf6b71afab2b524660e187b3db
Opcode Fuzzy Hash: bbb751484a619aa8c34f765337e7eb54b1f022ea92449a0228b98997aa83c9b1
Instruction Fuzzy Hash: 19B012C12AC100FE310865441C47D7722CCC0C0B21F30826FF509C0080DDC01C04013A

Uniqueness

Uniqueness Score: -1.00%

Function 00B39366 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39349

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 21a3267a752a2e8263e893071f275eab2b53556888588df5f6e3693f023ff78a
Instruction ID: 9352584d0c0e69a5029db8f7a5b6ee1edb14f911df36e7e34458e9ca8cbaa0fd
Opcode Fuzzy Hash: 21a3267a752a2e8263e893071f275eab2b53556888588df5f6e3693f023ff78a
Instruction Fuzzy Hash: DDB012C12EC100FD360461461D8FC3B119CC1D0B21F31856BF104C10C0D8C11C05113A

Uniqueness

Uniqueness Score: -1.00%

Function 00B3935C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39349

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: def769dda4434f9896a3a54ac1d353c0b8a3bc884bfd97dede83c749222996ac
Instruction ID: 103e94342c12c6522c9e6da611d3889331236bd713b306fff5e8727492a26726
Opcode Fuzzy Hash: def769dda4434f9896a3a54ac1d353c0b8a3bc884bfd97dede83c749222996ac
Instruction Fuzzy Hash: 3CB012C12EC200FD364461461C8BC3B119CC2C0B21F31866BF104C10C0D8C01C44123A

Uniqueness

Uniqueness Score: -1.00%

Function 00B39488 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39441

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3720218bf0a7128c5e82485c2d9e7b1111e1c732ab84b843b4d8dfa667e9e1a7
Instruction ID: 1997e8aa25305ccb07bde1120bd065a6cabacf476dea26088132e42d2cfc4405
Opcode Fuzzy Hash: 3720218bf0a7128c5e82485c2d9e7b1111e1c732ab84b843b4d8dfa667e9e1a7
Instruction Fuzzy Hash: DCB012C52AC100FD311465141D9BC3E118CC0C0F21F30816BF104C0180D8C45C060136

Uniqueness

Uniqueness Score: -1.00%

Function 00B3944A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B39441

Part of subcall function 00B39780: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00B3978B
Part of subcall function 00B39780: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B397F3
Part of subcall function 00B39780: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B39804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 46990587ffa5a5688f3ffdee4e4971a58f1f67db3de574f86c9f261e1e7ed768
Instruction ID: 02616f10915c9f7358c16543a7a52e445000a2ad95526ad7da40211ca42d4e46
Opcode Fuzzy Hash: 46990587ffa5a5688f3ffdee4e4971a58f1f67db3de574f86c9f261e1e7ed768
Instruction Fuzzy Hash: CEB012C52AC100ED311465545DDBC3E119CC0C0B21F70836BF104C0180D8C55C06013A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00933480 Relevance: 289.5, Strings: 229, Instructions: 3218COMMON

Download Yara Rule

Strings

SelfUnregModules, xrefs: 009344BD
WriteEnvironmentStrings, xrefs: 0093672A
AI_GxUninstall, xrefs: 0093745A
UnregisterClassInfo, xrefs: 00934DA7
20000, xrefs: 00936C67
1500, xrefs: 009371F7
AppId, xrefs: 00934E12, 00934E21
AI_UninstallTasks, xrefs: 009373DD
InstallServices, xrefs: 00936B48
3000, xrefs: 00934F25, 00934F34
3000, xrefs: 009343AF, 009343BE
AI_ChainProductsPseudo, xrefs: 009377D7
100, xrefs: 0093652C
SelfReg, xrefs: 00934523, 00936A6B
1800, xrefs: 0093717A
PatchFiles, xrefs: 009360B5
RemoveFolders, xrefs: 00935B9D
AI_UserGroups, xrefs: 00937386, 0093757A
CreateFolders, xrefs: 00935CE3
15000, xrefs: 00935E61, 00935E70
AI_XmlElement, xrefs: 00937192, 009376F1
AI_PreRequisite, xrefs: 00936F7A, 00937000, 00937086, 0093710C
2000, xrefs: 009335FC, 00937279, 009372F6, 00937373, 009373F0, 00937567, 009375E4, 00937661
12000, xrefs: 00936947
3000, xrefs: 0093506B, 0093507A
UnregisterComPlus, xrefs: 00934377
Registry, xrefs: 00934B81, 00936644
RemoveODBC, xrefs: 00934603, 00934749, 0093488F
UnregisterMIMEInfo, xrefs: 00935179
WriteIniValues, xrefs: 009366A4
1500000, xrefs: 00936B5B
StopServices, xrefs: 009340EB, 00934231
MsiUnpublishAssemblies, xrefs: 00933D25
AI_XmlUninstall, xrefs: 009376CB, 00937751
1800, xrefs: 009376D9
CostInitialize, xrefs: 00933703
3000, xrefs: 00934DDF, 00934DEE
ODBCTranslator, xrefs: 009347AF, 009368D9
Patch, xrefs: 00936120, 0093612F
RemoveIniValues, xrefs: 009352BF, 00935405
30000, xrefs: 00936D6E
AI_ProcessGroups, xrefs: 00937554
RegisterTypeLibraries, xrefs: 009369BF
InstallODBC, xrefs: 0093682D, 009368B3, 00936939
AppId, xrefs: 00934E0D, 0093644A
3000000, xrefs: 0093673D
2000, xrefs: 00937562
PublishFeatures, xrefs: 00936DDD
MsiPublishAssemblies, xrefs: 00936D5B
MIME, xrefs: 009351DF, 009365C1
2000, xrefs: 009375DF
AI_XmlAttribute, xrefs: 0093720F, 00937777
15000, xrefs: 00936BDC
Environment, xrefs: 009356F7, 00936750
FileSize, xrefs: 0093604F
MsiAssembly, xrefs: 00936D86
3000, xrefs: 00933E97, 00933EA6
InstallFinalize, xrefs: 00936ED7
Component, xrefs: 00933769, 009339DD, 00933B28, 00933C51
2000, xrefs: 0093736E
Feature, xrefs: 0093400B, 00936E03
AI_DownloadPrereq, xrefs: 00936F54
Patch, xrefs: 0093611B
2000, xrefs: 0093765C
500, xrefs: 009374E5
12000, xrefs: 009363AC
RemoveEnvironmentStrings, xrefs: 00935691
AI_AppSearchEx, xrefs: 009374D7, 009374FD
1500, xrefs: 009352F7, 00935306
1500, xrefs: 009352F2, 00935438, 009371FC, 00937764
ProcessComponents, xrefs: 00933BEB
AI_InstallPostPrerequisite, xrefs: 009370E6
12000, xrefs: 0093683B
Shortcut, xrefs: 009355BB, 009363C4
UnpublishFeatures, xrefs: 00933FA5
100, xrefs: 00937468
Complus, xrefs: 009343DD, 00936AE8
5000, xrefs: 00936334
10000, xrefs: 009378DF
CreateShortcuts, xrefs: 0093639E
ProgId, xrefs: 0093653F
AppSearch, xrefs: 009335C9, 0093364A
10000, xrefs: 00936CED, 009378E4
12000, xrefs: 009348C7, 009348D6
AppId, xrefs: 00936445
100000, xrefs: 00936EEA
AI_DefaultActionCost, xrefs: 009378D1
CreateFolder, xrefs: 00935C03, 00935D49
UnregisterProgIdInfo, xrefs: 00935033
RegisterFonts, xrefs: 009367B0
AI_UninstallGroups, xrefs: 00937360
Location, xrefs: 00936FB4, 0093703A
15000, xrefs: 00936233, 00936242
ServiceControl, xrefs: 00934151, 00934297, 00936C7A
ODBCDriver, xrefs: 009348F5, 0093695F
12000, xrefs: 009368C1
Feature_, xrefs: 00933D8B, 00934F86, 009364D8, 00936D97, 00936F8D, 00937013, 00937099, 00937133
20000, xrefs: 00936C62
12000, xrefs: 00934636, 0093477C, 009348C2, 0093580A, 00935950, 00935AB1, 00935BD0, 00935D16, 009363B1, 00936840, 009368C6, 0093694C
IniFile, xrefs: 0093546B, 009366C5
12000, xrefs: 0093463B, 0093464A
100000, xrefs: 00936EE5
Feature, xrefs: 00934010, 0093401F
3000, xrefs: 00934B53, 00934B62
RegisterMIMEInfo, xrefs: 0093659B
3000, xrefs: 00933C1E, 00933E92, 00933FD8, 009343AA, 00934B4E, 00934C94, 00934DDA, 00934F20, 00935066, 009351AC, 009356C4, 00936437, 009365AE, 009369D2, 00936AD5
ODBCDataSource, xrefs: 00934669, 00936853
ServiceInstall, xrefs: 00936B6E
TypeLib, xrefs: 009369E5
SelfRegModules, xrefs: 00936A45
30000, xrefs: 009366B2
8000, xrefs: 00934A0D, 00934A1C
800, xrefs: 00933AE4
1500000, xrefs: 00936B56
WriteRegistryValues, xrefs: 0093661E
RemoveIniFile, xrefs: 00935325
8000, xrefs: 009367BE
ProgId, xrefs: 00935097, 009350B9
MIME, xrefs: 009351E4, 009351F3
SelfReg, xrefs: 00936A66
6000, xrefs: 00936631
Complus, xrefs: 00936AE3
Font, xrefs: 009367D1
ProgId, xrefs: 009350B4, 00936544
RemoveFiles, xrefs: 0093591D, 00935A63
Options, xrefs: 009370BB
3000, xrefs: 00936432
15000, xrefs: 009364AF
CostFinalize, xrefs: 00933988
15000, xrefs: 0093411E, 00934264, 00935E5C, 0093622E, 009364B4, 00936BE1, 00936DF0
AI_UninstallAccounts, xrefs: 009372E3
2000, xrefs: 009372F1
InstallFiles, xrefs: 00935F6F
AI_ProcessTasks, xrefs: 0093764E
UnregisterExtensionInfo, xrefs: 00934F08
12000, xrefs: 0093580F, 0093581E
MoveFile, xrefs: 00935E8F
1500, xrefs: 0093775F
InstallInitialize, xrefs: 00936E5A
8000, xrefs: 0093450B, 00934A08, 009367C3, 00936A58
AI_Game, xrefs: 00937287
BindImage, xrefs: 00936321, 00936347
6000, xrefs: 0093662C
FileCost, xrefs: 0093383D
2000, xrefs: 00937274
PatchSize, xrefs: 00936195
AI_Game, xrefs: 0093747B
StartServices, xrefs: 00936C54
AI_ProcessAccounts, xrefs: 009375D1
AI_UserAccounts, xrefs: 00937309, 009375F7
File, xrefs: 009338A3, 00935983, 00935FD5
12000, xrefs: 00935D1B, 00935D2A
2000, xrefs: 009373EB
800, xrefs: 00933AE9, 00933AF8
200000, xrefs: 00936E6D
AI_ScheduledTasks, xrefs: 00937674
Font, xrefs: 00934A40, 00934A4F
12000, xrefs: 00935BD5, 00935BE4
15000, xrefs: 00936DEB
RegisterComPlus, xrefs: 00936AC2
UnregisterFonts, xrefs: 009349D5
200000, xrefs: 00936E68
UnpublishComponents, xrefs: 00933E66
120000, xrefs: 0093557E
8000, xrefs: 009344F0, 00934510
3000, xrefs: 009365A9
3000, xrefs: 00936AD0
RegisterExtensionInfo, xrefs: 009364A1
AI_InstallPrerequisite, xrefs: 00937060
5000, xrefs: 0093632F
SelfReg, xrefs: 00934528, 00934537
IniFile, xrefs: 00935470, 0093547F
100, xrefs: 009360ED, 009360FC
DuplicateFile, xrefs: 0093583D, 00936261
3000, xrefs: 009369CD
AI_CountRowAction, xrefs: 00937854
12000, xrefs: 00935A94, 00935AB6
Feature, xrefs: 00936DFE
3000, xrefs: 009356C9, 009356D8
1500, xrefs: 0093543D, 0093544C
3000, xrefs: 00933FDD, 00933FEC
Complus, xrefs: 009343E2, 009343F1
3000000, xrefs: 00936738
15000, xrefs: 00934123, 00934132
100, xrefs: 009360E8, 00936531, 0093746D
InstallValidate, xrefs: 00933AB1
TypeLib, xrefs: 009369E0
RegisterClassInfo, xrefs: 00936424
MsiConfigureServices, xrefs: 00936BCE, 00936BF4
AI_ExtractPrereq, xrefs: 00936FDA
12000, xrefs: 00934781, 00934790
MIME, xrefs: 009365BC
12000, xrefs: 00935955, 00935964
RemoveExistingProducts, xrefs: 009334A4
30000, xrefs: 00933D58, 009366B7, 00936D73
10000, xrefs: 00936CE8
RemoveShortcuts, xrefs: 0093554B
3000, xrefs: 00933C23, 00933C32
RegisterProgIdInfo, xrefs: 0093651E
Extension, xrefs: 00934F53, 009364C7
PublishComponent, xrefs: 00933EC5, 00936D00
RemoveRegistryValues, xrefs: 00934B1B, 00934C61
Component_, xrefs: 00933EF8, 00934184, 009342CA, 00934410, 009346C1, 009347E2, 00934928, 00934BBE, 00934CFA, 00935358, 0093549E, 009355E4, 0093575E, 00935870, 009359B6, 00935C5B, 00935D7C, 00935EC2, 00936008, 00936294, 009363D7, 00936657, 009366DD, 00936763, 00936866, 009368EC, 00936972, 009369F8, 00936AFB, 00936B81, 00936C02, 00936C8D, 00936D13
AI_XmlInstall, xrefs: 0093716C, 009371E9
File, xrefs: 009338A8, 009338B7
Font, xrefs: 00934A3B, 009367D6
2000, xrefs: 00933601, 00933610
3000, xrefs: 009351B1, 009351C0
120000, xrefs: 00935583, 00935592
RemoveDuplicateFiles, xrefs: 009357D7
RemoveRegistry, xrefs: 00934CC7
Options, xrefs: 00937141
Options, xrefs: 009370C0, 00937146
IniFile, xrefs: 009366CA
AI_Game, xrefs: 0093728C, 00937480
30000, xrefs: 00933D5D, 00933D6C
RemoveFile, xrefs: 00935AC9
8000, xrefs: 00936A53
File, xrefs: 00935FDA, 00935FE9
AI_GxInstall, xrefs: 00937266
15000, xrefs: 00934269, 00934278
File, xrefs: 00935988, 00935997
MoveFiles, xrefs: 00935E29
3000, xrefs: 00934C99, 00934CA8
~, xrefs: 009370CA
1800, xrefs: 0093717F, 009376DE
DuplicateFiles, xrefs: 009361FB
500, xrefs: 009374EA
PublishComponents, xrefs: 00936CDA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: 100$100$100$100$10000$10000$10000$100000$100000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$12000$120000$120000$1500$1500$1500$1500$1500$15000$15000$15000$15000$15000$15000$15000$15000$1500000$1500000$1800$1800$1800$2000$2000$2000$2000$2000$2000$2000$2000$2000$20000$20000$200000$200000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$3000$30000$30000$30000$30000$3000000$3000000$500$500$5000$5000$6000$6000$800$800$8000$8000$8000$8000$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_Game$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppId$AppId$AppSearch$BindImage$Complus$Complus$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature$Feature$Feature_$File$File$File$File$FileCost$FileSize$Font$Font$Font$IniFile$IniFile$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MIME$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Options$Options$Patch$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$ProgId$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfReg$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-3108495574
Opcode ID: 44a1e996b8fd3b5e5866e4a0f8afddefb8962d3a26e0538bba6525faec82b719
Instruction ID: 8e038a120ef3b4b13fd3906f1a4b57a6eb787f8954de73b57cb14080e54e61f0
Opcode Fuzzy Hash: 44a1e996b8fd3b5e5866e4a0f8afddefb8962d3a26e0538bba6525faec82b719
Instruction Fuzzy Hash: 5773E7B0E443C5A6D705EB60DD1D79F2A929BA3708F205358F2422B2E2DBF417C4DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7750 Relevance: 39.0, APIs: 14, Strings: 8, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00C82024,C0000000,00000003,00000000,00000004,00000080,00000000,201B1858,-00000001,00C82018,00C82000), ref: 00AA77C5
GetLastError.KERNEL32 ref: 00AA77ED
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00AA7872
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00AA79A2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00AA7A3E
WriteFile.KERNEL32(00000000,04EE1040,00000026,00000002,00000000,?,0000001D), ref: 00AA7BB5
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00AA7BBE

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,00BF76FC,00000002), ref: 00AA7C74
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 00AA7C7D
WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,00BF76FC,00000002), ref: 00AA7D29
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 00AA7D32

Strings

x64, xrefs: 00AA7C0E, 00AA7C1A
LOGGER->Reusing LOG file at:, xrefs: 00AA7947, 00AA7959, 00AA7963
server, xrefs: 00AA7C20, 00AA7C28
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00AA7C44
LOGGER->Creating LOG file at:, xrefs: 00AA7A86, 00AA7A98, 00AA7AA2
x86, xrefs: 00AA7C05
LOGGER->failed to create LOG at:, xrefs: 00AA782D, 00AA783F, 00AA7849
workstation, xrefs: 00AA7C1B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorHeapLastPointerProcess
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 2331954151-4230748128
Opcode ID: ca1568a2c49283d5107417eb77ce6272353564a46fe1107a86e449c84a3348fe
Instruction ID: a1afed3398210411e6d453f3568ec06a98c9afe9ecb3c0d1e20406a60855cf00
Opcode Fuzzy Hash: ca1568a2c49283d5107417eb77ce6272353564a46fe1107a86e449c84a3348fe
Instruction Fuzzy Hash: D9128D71A00609DBDB05DB68CC49BAEBBB5FF89320F184259E925A73D1DB74AD01CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00962673 Relevance: 26.2, APIs: 3, Strings: 11, Instructions: 1650COMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

SysFreeString.OLEAUT32(00000000), ref: 00962CF2
SysFreeString.OLEAUT32(00000000), ref: 00963159
SysFreeString.OLEAUT32(00000000), ref: 009632EA

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Strings

MsiGetBinaryPathIndirect, xrefs: 00963745
MsiEvaluateCondition, xrefs: 00963508
MsiSetProperty, xrefs: 00963390
MsiGetProperty, xrefs: 00963449
MessageBox, xrefs: 009638C3
MsiGetBinaryPath, xrefs: 00963686
MsiGetFormattedError, xrefs: 00963A41
MsiGetBytesCountText, xrefs: 00963982
MsiResolveFormatted, xrefs: 009635C7
GetFontHeight, xrefs: 00963B00
MsiPublishEvents, xrefs: 00963804

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FreeString$Heap$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 3407375942-3153392536
Opcode ID: 84af4724e71793783825d5952c88358d41f0d419966049512ad914b17c60e116
Instruction ID: 3666778ec84845fb72c4fbfb9267df77631f3855fb60e5efaab68995fb3a7083
Opcode Fuzzy Hash: 84af4724e71793783825d5952c88358d41f0d419966049512ad914b17c60e116
Instruction Fuzzy Hash: 44E29F71D00648DFDB14DFA8C848BAEBBB4FF49310F24825AE415A7391EB74AA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00952C40 Relevance: 26.1, APIs: 17, Instructions: 596windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00952C7C
GetWindowLongW.USER32(?,000000EB), ref: 00952D15
ShowWindow.USER32(?,00000000), ref: 00952D34
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00952D42
GetWindowRect.USER32(?,?), ref: 00952D59
ShowWindow.USER32(?,00000000), ref: 00952D7A
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00952D91

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

GetClientRect.USER32(?,?), ref: 00952E88
ShowWindow.USER32(?,?,?,00000000), ref: 00952F3D
GetWindowLongW.USER32(?,000000EB), ref: 00952F71
ShowWindow.USER32(?,?,?,00000000), ref: 00952F8F
GetWindowRect.USER32(?,?), ref: 00952FB9
IsWindowVisible.USER32(?), ref: 0095311E
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00953148
GetWindowRect.USER32(?,?), ref: 009531F9
GetWindowRect.USER32(?,?), ref: 00953244
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00953282

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Rect$LongShow$ClientMessageSend$AllocateHeapVisible
String ID:
API String ID: 1979148354-0
Opcode ID: 146399d407eb13059aaf06032a57d119de7248c40740f27726612553de471a65
Instruction ID: 0b13d5c3c7780e1859fa614fb843318c2b5f7c38bc14f881903b1cd220bba42b
Opcode Fuzzy Hash: 146399d407eb13059aaf06032a57d119de7248c40740f27726612553de471a65
Instruction Fuzzy Hash: 10329C70A046099FDB14CF65D884BAEBBF9BF89301F10855DF856A7260DB30E949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A8C0 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 389windowtimeCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00A4AB91
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 00A4ABA3
SendMessageW.USER32(?,00000443,00000000), ref: 00A4AC05
GetDC.USER32(00000000), ref: 00A4AC29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A4AC34
MulDiv.KERNEL32(?,00000000), ref: 00A4AC3C
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00A4AC61
GetObjectW.GDI32(00000000,0000005C,?), ref: 00A4AD5C
CreateFontIndirectW.GDI32(?), ref: 00A4AD70
SetTimer.USER32(?,?,?,00000000), ref: 00A4ADE0

Strings

Segoe UI, xrefs: 00A4AC13
NumberValidationTipMsg, xrefs: 00A4AA5D
NumberValidationTipTitle, xrefs: 00A4A95B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CreateFontWindow$CapsDeviceIndirectMessageObjectRedrawSendTimer
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 3996265456-2319862951
Opcode ID: a9128f0b845c25d81313f78c03fa7010ba48091d6092fae315051a74450455c9
Instruction ID: 27934849acdf3bd03286aa737e973d85204ac0b45309ae3a74d6bea01688dde9
Opcode Fuzzy Hash: a9128f0b845c25d81313f78c03fa7010ba48091d6092fae315051a74450455c9
Instruction Fuzzy Hash: 51E1E231A00619AFEB18CF24CC59BEEB7B2FF88301F108259E556A72D1DB746A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00972A20 Relevance: 22.1, APIs: 5, Strings: 7, Instructions: 1106stringsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,00BF936E,?), ref: 00972E83
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,00BF936E,?), ref: 00973003
std::_Throw_Cpp_error.LIBCPMT ref: 0097365B

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,00BF936E,?), ref: 009735B7

Part of subcall function 00954AD0: FindClose.KERNEL32(00000000), ref: 00954C1F

Part of subcall function 00A71850: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,201B1858,?,00000000), ref: 00A7189B
Part of subcall function 00A71850: GetLastError.KERNEL32(?,00000000), ref: 00A718A5

std::_Throw_Cpp_error.LIBCPMT ref: 00973927

Strings

Launch failed. Error:, xrefs: 00973406
?(-|/)+q, xrefs: 00972BBC
Return code of launched file:, xrefs: 00973502
Launching file:, xrefs: 00972ADB
msixbundle, xrefs: 00972EA2
appx, xrefs: 0097301E
msix, xrefs: 00972D51

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Cpp_errorThrow_lstrcmpistd::_$CloseErrorFindFormatHeapLastMessageProcessSleep
String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 2536901295-140134217
Opcode ID: 65027629b6842020c07bcf72355d1e7949fa64602ed72ecea8989cc34a2943bf
Instruction ID: f3739023b8fb1f833a79f85ae354d38e90678f1ea458b9902082c50e7604e94d
Opcode Fuzzy Hash: 65027629b6842020c07bcf72355d1e7949fa64602ed72ecea8989cc34a2943bf
Instruction Fuzzy Hash: ABA2ED72D00218CFDB24DF68C845BADB7B5BF49314F248299E819A72D1DB74AE85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00947DD0 Relevance: 21.4, APIs: 14, Instructions: 411memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 009482B0: EnterCriticalSection.KERNEL32(00C872EC,201B1858,00000000,?,?,?,?,?,?,00947A15,00B6710D,000000FF), ref: 009482ED
Part of subcall function 009482B0: GetClassInfoExW.USER32 ref: 0094832D
Part of subcall function 009482B0: LoadCursorW.USER32(00000000,00007F00), ref: 00948368
Part of subcall function 009482B0: RegisterClassExW.USER32(00000030), ref: 00948391
Part of subcall function 009482B0: GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 009483D8
Part of subcall function 009482B0: LoadCursorW.USER32(00000000,00007F00), ref: 00948410
Part of subcall function 009482B0: RegisterClassExW.USER32(00000030), ref: 00948431

SysFreeString.OLEAUT32(00000000), ref: 00947E90
GetWindowLongW.USER32(?,000000EC), ref: 00947F99
GetWindowLongW.USER32(?,000000EC), ref: 00947FA9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00947FB8
NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00947A15,00000000), ref: 00947FCA
GetWindowLongW.USER32(?,000000EB), ref: 00947FD8
GetWindowTextLengthW.USER32(?), ref: 00948006
SetWindowTextW.USER32(?,00BF4720), ref: 00948086
GlobalAlloc.KERNEL32(00000042,00000000), ref: 009480B7
GlobalLock.KERNEL32(00000000), ref: 009480C5
GlobalUnlock.KERNEL32(?), ref: 00948117
SetWindowLongW.USER32(?,000000EB,00000000), ref: 009481AD
SysFreeString.OLEAUT32(00000000), ref: 009481D0
SysFreeString.OLEAUT32(00000000), ref: 0094823F

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Long$Class$FreeGlobalString$CursorInfoLoadRegisterText$AllocCriticalEnterLengthLockNtdllProc_SectionUnlock
String ID:
API String ID: 4288170106-0
Opcode ID: 6bb650ab88bb05880dd3ac5c89ff948686bb741a96721422f50ddd8022b3df1c
Instruction ID: 000a90ae7d0b352ff5ed962814cd91467b96cde6506eea555eeeda401dab9ad8
Opcode Fuzzy Hash: 6bb650ab88bb05880dd3ac5c89ff948686bb741a96721422f50ddd8022b3df1c
Instruction Fuzzy Hash: 69E1CF71A04209EFEB10DFA4CC48FAFBBB8BF49710F144159E911A72A1CB799D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00954AD0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 725fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00954C1F
PathIsUNCW.SHLWAPI(00000000,*.*,00000000), ref: 00954CE6
FindFirstFileW.KERNEL32(00000000,?,*.*,00000000), ref: 00954E79
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00954E93
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00954ED0
FindClose.KERNEL32(00000000), ref: 00954F34
SetLastError.KERNEL32(0000007B), ref: 00954F3E
PathIsUNCW.SHLWAPI(?,?,201B1858,*.*,?), ref: 009551A4

Strings

\\?\, xrefs: 00954DF7, 00954E63, 009552BE, 00955329
*.*, xrefs: 00954C48, 00954CB3, 00954CB4, 009550C6
\\?\UNC\, xrefs: 00954D06, 00954DE1, 009551C6, 009552A5

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: da32df1819bfea1649523b1219d83b71e057c049c5e34301ff6294a36e35e1e0
Instruction ID: 58c0a843b803f4411655a1f309f82f63ad34c689e77370b70af3d02f59f2f727
Opcode Fuzzy Hash: da32df1819bfea1649523b1219d83b71e057c049c5e34301ff6294a36e35e1e0
Instruction Fuzzy Hash: 9842F030A006058FDB14DF69C859BAEB7B9FF44329F154168EC15AB3D2DB36AD48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00947600 Relevance: 20.0, APIs: 13, Instructions: 453nativememoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(80070216,000000EC), ref: 0094784B
GetWindowLongW.USER32(00000000,000000EC), ref: 0094785B
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0094786A
NtdllDefWindowProc_W.NTDLL(00000000,?,201B1858,80070216,201B1858,00000000,?,?,?,80070216,201B1858,?), ref: 0094787A
GetWindowLongW.USER32(00000000,000000EB), ref: 00947888
NtdllDefWindowProc_W.NTDLL(00000000,?,201B1858,80070216,?,?,80070216,201B1858,?), ref: 009478B3
GetWindowTextLengthW.USER32(00000000), ref: 009478C7
SetWindowTextW.USER32(00000000,00BF4720), ref: 0094793E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0094796F
GlobalLock.KERNEL32(00000000), ref: 0094797D
GlobalUnlock.KERNEL32(?), ref: 009479CF
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00947A45
NtdllDefWindowProc_W.NTDLL(00000000,?,201B1858,00000000), ref: 00947AAB

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Long$GlobalNtdllProc_$Text$AllocLengthLockUnlock
String ID:
API String ID: 3612958811-0
Opcode ID: 188172c9e8b76060a1484a544e1e705052ad51ec89b3da729f3660fb90a8ab7d
Instruction ID: 178298932e2e86314d60c244f74e0a749ba2a9a8e52197f575c6bf234d3d1806
Opcode Fuzzy Hash: 188172c9e8b76060a1484a544e1e705052ad51ec89b3da729f3660fb90a8ab7d
Instruction Fuzzy Hash: AFF1A071A042099FEB10DFA8CC88F6EB7B9EF89310F144569E915E7391DB749E01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7CD70 Relevance: 19.8, APIs: 3, Strings: 8, Instructions: 539fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

FindFirstFileW.KERNEL32(?,?,00000000,00000000), ref: 00A7D241
FindClose.KERNEL32(00000000), ref: 00A7D275
FindClose.KERNEL32(00000000), ref: 00A7D321

Strings

No acceptable version found., xrefs: 00A7D8D6
No acceptable version found. It must be installed from package., xrefs: 00A7D8B3
No acceptable version found. It must be downloaded manually from a site., xrefs: 00A7D8C1
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00A7D8CF
No acceptable version found. Operating System not supported., xrefs: 00A7D8C8
An acceptable version was found., xrefs: 00A7D8AC
Not selected for install., xrefs: 00A7D8DD
No acceptable version found. It must be downloaded., xrefs: 00A7D8BA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Find$Close$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 4254541338-749633484
Opcode ID: 0a0b4ba2f0f5333b3ea93770514900c1674731af0c80106c7e9b721fe0f72c4a
Instruction ID: 6aa4d3acde57a90a8e3484b14b6592cd5efd6c92f9da4195da3e180157854c97
Opcode Fuzzy Hash: 0a0b4ba2f0f5333b3ea93770514900c1674731af0c80106c7e9b721fe0f72c4a
Instruction Fuzzy Hash: 01227D35A00619CBDB14DF68C8987ADBBB1FF48310F1486ADD91A97382DB35AD06CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A060 Relevance: 19.7, APIs: 13, Instructions: 170windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00A4A0D8
GetParent.USER32(00000000), ref: 00A4A144
GetWindowRect.USER32(00000000), ref: 00A4A14B
GetParent.USER32(00000000), ref: 00A4A15A
GetDC.USER32(00000000), ref: 00A4A161
CreateCompatibleDC.GDI32(00000000), ref: 00A4A1BF
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 00A4A1D8
SelectObject.GDI32(?,00000000), ref: 00A4A1E9
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00A4A202

Part of subcall function 009FCB60: IsWindowVisible.USER32(?), ref: 009FCBE3
Part of subcall function 009FCB60: GetWindowRect.USER32(?,?), ref: 009FCBFB
Part of subcall function 009FCB60: GetWindowRect.USER32(?,?), ref: 009FCC13
Part of subcall function 009FCB60: IntersectRect.USER32(?,?,?), ref: 009FCC30
Part of subcall function 009FCB60: EqualRect.USER32(?,?), ref: 009FCC40
Part of subcall function 009FCB60: GetSysColorBrush.USER32(0000000F), ref: 009FCC57

FillRect.USER32(?,?,00000000), ref: 00A4A218
DeleteDC.GDI32(?), ref: 00A4A238
SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00A4A256
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00A4A26D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Rect$Window$MessageSend$CompatibleCreateParent$BitmapBrushColorDeleteEqualFillIntersectObjectPointsSelectVisible
String ID:
API String ID: 2161025992-0
Opcode ID: 5acafb6abafbf1ab51260c63bfc7fa5981cc75e148821c6dc7ec7ce3244dcd38
Instruction ID: fd571714dff5b15a944c33d5f30990894d55a31532d042df2c197aea8e6ae28a
Opcode Fuzzy Hash: 5acafb6abafbf1ab51260c63bfc7fa5981cc75e148821c6dc7ec7ce3244dcd38
Instruction Fuzzy Hash: 1B615775D00218EFDB10CFA4CD49BADBBB8FF88710F24421AE915B7291DB746941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0096F660 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 931windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0096F6B4

Strings

SpawnDialog, xrefs: 0096FD8D
AiTabPage, xrefs: 0096F8C7, 0096FA11
`Dialog_`=', xrefs: 0096F7FB
' AND `Control_`=', xrefs: 0096F844
ControlEvent, xrefs: 0096F935
Title, xrefs: 0096FE23
Dialog, xrefs: 0096FE62, 0096FE8A, 00970025, 0097004F, 00970077

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='
API String ID: 3850602802-1412757306
Opcode ID: debcb5585672b6411db2ced157618c3b340058af8b47c0461898ed466bef1ef9
Instruction ID: f2b7438a2877bcb6e87a10ccd37d66e4b03d4305035e3a578005927618509bb1
Opcode Fuzzy Hash: debcb5585672b6411db2ced157618c3b340058af8b47c0461898ed466bef1ef9
Instruction Fuzzy Hash: 22828D71D00258CFDB14DFA8C859BEEBBB5BF48314F244259E405A7392DB74AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A744A0 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00B3CA85: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CA90
Part of subcall function 00B3CA85: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CACA

GetStdHandle.KERNEL32(000000F5,?,201B1858,?,?), ref: 00A74897
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00A7489E
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00A748B2
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00A748B9
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,00BF76FC,00000002,?,?), ref: 00A74972
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00A74979
IsWindow.USER32(00000000), ref: 00A74C18

Strings

Error, xrefs: 00A74BAB

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ConsoleHandle$AttributeExclusiveLockText$AcquireBufferInfoReleaseScreenWindow
String ID: Error
API String ID: 2349801371-2619118453
Opcode ID: 07729f1cd4882f0323c059f8cab5a02101c8756e537021e6139a89452a6aa91b
Instruction ID: 67ac2b8422c9ff118449ba690ae393a92564814ed64dbfe4b93867863209deca
Opcode Fuzzy Hash: 07729f1cd4882f0323c059f8cab5a02101c8756e537021e6139a89452a6aa91b
Instruction Fuzzy Hash: 75429D71D00259CFDB24DF68CC45BEEBBB0BF48314F248299E419A7691EB746A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00964D40 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 636windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00964E2B

Part of subcall function 00B3CA85: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CA90
Part of subcall function 00B3CA85: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CACA

Part of subcall function 00B3CA34: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA3E
Part of subcall function 00B3CA34: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA71
Part of subcall function 00B3CA34: WakeAllConditionVariable.KERNEL32(00C80884,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA7C

SendMessageW.USER32(?,0000104D,00000000,?), ref: 0096531E
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 009653CC
SendMessageW.USER32(?,00001003,00000001,?), ref: 00965473

Part of subcall function 00A62A10: __cftof.LIBCMT ref: 00A62A60

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00965626

Strings

AiFeatIco, xrefs: 009650AB
Icon, xrefs: 00965172

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
String ID: AiFeatIco$Icon
API String ID: 1739475930-1280411655
Opcode ID: 9cd36489ae80506cb90824bf00ffa4cf20a23be46960919c30cbcb5e10c433db
Instruction ID: 6a4e0b199bc6b1c51e7f6f19aae436b17ef7465efb443545fbc4c5280e037127
Opcode Fuzzy Hash: 9cd36489ae80506cb90824bf00ffa4cf20a23be46960919c30cbcb5e10c433db
Instruction Fuzzy Hash: 28527A70900658DFDB24DF68CD58BEEBBB5AF89304F1445D9E44AAB2A1DB706E84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0095AFE0 Relevance: 11.2, APIs: 2, Strings: 4, Instructions: 705COMMON

Download Yara Rule

Strings

AI_NO_BORDER_HOVER, xrefs: 0095B18A
AI_CONTROL_VISUAL_STYLE, xrefs: 0095B03A
AI_NO_BORDER_NORMAL, xrefs: 0095B0D5
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 0095B4A5

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: d972e8429b15e3bc41a9ac51955c194145558f5a621f16fee748a4dec3975b2a
Instruction ID: f19a77d3bd3e318cf857cbb6de06f72855df3c4770edbfbdc89ec927790b05bf
Opcode Fuzzy Hash: d972e8429b15e3bc41a9ac51955c194145558f5a621f16fee748a4dec3975b2a
Instruction Fuzzy Hash: CE424871D002188FDB18DF69CC54BAEB7F5FF84301F108249E855AB791DB74AA49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5E48F Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B5E673

Strings

1#IND, xrefs: 00B5E594
1#SNAN, xrefs: 00B5E59B
1#QNAN, xrefs: 00B5E5A2
1#INF, xrefs: 00B5E5C5

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bd2cc0637f43b218c9e747be7eaa801d826a86b1ea2ccf0470a040bcc67f7a6a
Instruction ID: 32a7e8ae14e06ef75a442583403716c92985be1389fb896ff19ecdd209b28338
Opcode Fuzzy Hash: bd2cc0637f43b218c9e747be7eaa801d826a86b1ea2ccf0470a040bcc67f7a6a
Instruction Fuzzy Hash: 6DD21B71E082298FDB65CE28DD407EAB7F5EB48306F1445EAD85DE7240E774AE858F40

Uniqueness

Uniqueness Score: -1.00%

Function 00AA3220 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 465COMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00AA3460
GetDriveTypeW.KERNEL32(?), ref: 00AA347A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00AA3523
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00AA37C6

Strings

]%!, xrefs: 00AA33F8

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 4157823300-1069524040
Opcode ID: 5971971a812312bb345821ef245b7d312a9b161ea1c4fdcbf73dd248da21abf7
Instruction ID: 0dc8750fc0261d36b180fa7768dfdf598e6c77d13ed5f956dbdb223b07539684
Opcode Fuzzy Hash: 5971971a812312bb345821ef245b7d312a9b161ea1c4fdcbf73dd248da21abf7
Instruction Fuzzy Hash: DB02EF71A00259CFDF25DF28CC84BADB7B5AF49310F1485E9E51AA7281DB749E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9950 Relevance: 9.2, APIs: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,201B1858,?,?,00000000), ref: 00AB9A1C
FindNextFileW.KERNEL32(?,00000000,?,00000000), ref: 00AB9A37

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 340a392d315ddac57c3e88fbd9f096f5b5f4e1c6fd76bd4ccd03274bcf25c6a1
Instruction ID: 5536577c02f67572a23ba9f92392b0d04df3ca2c8360de7400b1e763ff8fac5c
Opcode Fuzzy Hash: 340a392d315ddac57c3e88fbd9f096f5b5f4e1c6fd76bd4ccd03274bcf25c6a1
Instruction Fuzzy Hash: 6A817A71900648DFDF10DFA8CC88AEEBBB8FF48324F144659E915A7292DB75AA05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C0ED Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00B3C009,00000000,?,00B3C1A1,?,?,?,?), ref: 00B3C0EF
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 00B3C116
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00B3C11D
InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 00B3C12A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 00B3C13F
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B3C146

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 90b214fbee43097ff25d277ec43431bbe840ce6e05a4b20dbdf68ee7aa15f547
Instruction ID: 69fff8a569a8b95adf0c7187d343975b026c2260747422028bfc2436f8503a43
Opcode Fuzzy Hash: 90b214fbee43097ff25d277ec43431bbe840ce6e05a4b20dbdf68ee7aa15f547
Instruction Fuzzy Hash: 12F062726416119BE7609F68AC0CF567BF8EF88712F150468F986E3250DF30C841E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00ABDCF0 Relevance: 7.9, APIs: 5, Instructions: 368fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,201B1858,?,00AAEFB0,00000000,?,?,?,00000000,00BB6CC5), ref: 00ABDD4D
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000), ref: 00ABDD82
ReadFile.KERNEL32(00000000,00000000,0000000A,?,00000000), ref: 00ABDDA4
ReadFile.KERNEL32(00000000,?,00000005,?,00000000), ref: 00ABDE8D
CloseHandle.KERNEL32(00000000), ref: 00ABDF9D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointer
String ID:
API String ID: 3856724686-0
Opcode ID: 1b78df8c6784de013d2cba98ca8237aacc2e2fd8a973110602f9c84d0f75d607
Instruction ID: 0553cddeaec3a2e63c6a7885000ad7083ef1947b14255ee895f1a57d92da8ac9
Opcode Fuzzy Hash: 1b78df8c6784de013d2cba98ca8237aacc2e2fd8a973110602f9c84d0f75d607
Instruction Fuzzy Hash: 98C1C135A01209DBDB14CB68C844BFEBBB9FF48720F18415DE916A7392EB359D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B548A3 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B54930

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 824d4f2881ce02a16d810099f759d65f5230b762a5e6f5921a472dca0959219c
Instruction ID: 5eb7475b2a72e972aaaefd072d169a4536e1bdd60bf0a99be2624b3c9a30fb8d
Opcode Fuzzy Hash: 824d4f2881ce02a16d810099f759d65f5230b762a5e6f5921a472dca0959219c
Instruction Fuzzy Hash: 9FB149729042459FDB15CF68C881BEEBBE5EF55319F1582EAED04AB241C334DD89CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA45D0 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90254d5e49ca3bafc7307e59aebee9ce94c48a6801a55e92817f6fa14441010c
Instruction ID: 3b52bf6112a5bcc2dfa2cdade7d7846de8026793642e407e094797e3272be6ef
Opcode Fuzzy Hash: 90254d5e49ca3bafc7307e59aebee9ce94c48a6801a55e92817f6fa14441010c
Instruction Fuzzy Hash: 1891AD71901218DFDB50DF28CC49B99BBB4EF49324F1482D9E829A72D2DB719E44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DB30 Relevance: 6.2, APIs: 4, Instructions: 163fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,00000000,00000000), ref: 00A6DBC2
FindFirstFileW.KERNEL32(?,00000000,0000002A), ref: 00A6DC66
FindClose.KERNEL32(00000000), ref: 00A6DC90
FindClose.KERNEL32(00000000), ref: 00A6DCE9

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6bc12625d393115819849b6ed579b62da43ed78f9be4b8603bf431b54924d81b
Instruction ID: 2b906c4377833cffbae29fc67192e26dde0e9a699a0e6e94cd3550a34df5467f
Opcode Fuzzy Hash: 6bc12625d393115819849b6ed579b62da43ed78f9be4b8603bf431b54924d81b
Instruction Fuzzy Hash: 53510170E0024D9FDB24DF64CC08BAEB7B4FF59364F248659E915EB280E7B19A04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4A50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 00AA4B0C
FindClose.KERNEL32(00000000), ref: 00AA4C8F

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Strings

%d.%d.%d.%d, xrefs: 00AA4C08

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 8cec8c3ca69f1c31b15a933ec4dfb39499cadb0755d0fde2c8058da12a8bc8ed
Instruction ID: 82cf6de007d6dc30e6c566e60edf0c37c0de65ef77d2ed9f257cbc527d9065fb
Opcode Fuzzy Hash: 8cec8c3ca69f1c31b15a933ec4dfb39499cadb0755d0fde2c8058da12a8bc8ed
Instruction Fuzzy Hash: 31718E74905219DFDF20DF68CC48B9DBBB4EF88314F1082D9E819A7291DB759A84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0096E420 Relevance: 5.4, Strings: 4, Instructions: 378COMMON

Download Yara Rule

Strings

= ", xrefs: 0096E758
Show, xrefs: 0096E720
<> ", xrefs: 0096E541
Hide, xrefs: 0096E4E4, 0096E505

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: 11209120c534711a39420b6e30ede21697b1ba37f5cc96c1aeeada1951bbbf50
Instruction ID: 21452729ccb7d5c641e8ed3c47fa95ac028cfe4b276665182b51afad6d58208a
Opcode Fuzzy Hash: 11209120c534711a39420b6e30ede21697b1ba37f5cc96c1aeeada1951bbbf50
Instruction Fuzzy Hash: CD024A70D00259CFDB24DF64C855BADB7B5BF55304F1085DAE40AA7292EB706E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C2B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

GetLocaleInfoW.KERNEL32(00000000,00000002,00BF4720,00000000), ref: 00A9C331
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 00A9C36D

Strings

%d-%s, xrefs: 00A9C377

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: 93c8da9f492bffe5003d2b1d9a58fbf9a3ce6e469cc2ea8d4197779d49730f69
Instruction ID: 948be2807ed22a473ac06406f672ef0339eb12247063ee6d4048e0070ae5a819
Opcode Fuzzy Hash: 93c8da9f492bffe5003d2b1d9a58fbf9a3ce6e469cc2ea8d4197779d49730f69
Instruction Fuzzy Hash: 85318972A00619ABDB04DF98CC4ABAEFBB4FF88724F104159E625A7291DB756900CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0095F0D0 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

OldProductCode, xrefs: 0095F40D, 0095F43F, 0095F45F, 0095F460
MultipleInstances, xrefs: 0095F112
ProductCode, xrefs: 0095F388, 0095F3D5, 0095F3D6
MultipleInstancesProps, xrefs: 0095F210

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: 8f522f8014e0b85f729113a3dd0b92c6f38e885ba8471a3bdb8f658f355ca79e
Instruction ID: 40aa80ed37fa1b47faa82a2858a2ac068815428f5ac1399f80b340713e796929
Opcode Fuzzy Hash: 8f522f8014e0b85f729113a3dd0b92c6f38e885ba8471a3bdb8f658f355ca79e
Instruction Fuzzy Hash: 5EC1F576A00201CBDB18DF69C8A46BEB3B6FF85366F54457DDC126B640DB30AD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B395C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00B3950B,0000001C,00B39700,00000000,?,?,?,?,?,?,?,00B3950B,00000004,00C80394,00B39790), ref: 00B395D7
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00B3950B,00000004,00C80394,00B39790), ref: 00B395F2

Strings

D, xrefs: 00B395E6

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: dffe2da2151f34331610dd2337918605f1fc1586d9bed289a840330776645446
Instruction ID: 853b2b8c90dd0e8122f168d62bd5f3c2f72d605a7b62b9e5e5853500e62020bb
Opcode Fuzzy Hash: dffe2da2151f34331610dd2337918605f1fc1586d9bed289a840330776645446
Instruction Fuzzy Hash: CF01F732A011096BDF14DF29CC0ABEE7BE9EFC4324F1DC160ED59D7254DA74D9018680

Uniqueness

Uniqueness Score: -1.00%

Function 00937AA0 Relevance: 4.7, APIs: 3, Instructions: 204COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B35C52
GetVersionExW.KERNEL32(00000114), ref: 00B35CA1
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 00B35CB9

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: 65ef4a79b3b33ba59dc2f41b9af349272e3aa79aff2dcb848dd16f54dc84bc50
Instruction ID: 0923d8f4c7d53791dc126ad6fdb96f1ff365a680f3bfe3d0b9b2bf1d67bc375e
Opcode Fuzzy Hash: 65ef4a79b3b33ba59dc2f41b9af349272e3aa79aff2dcb848dd16f54dc84bc50
Instruction Fuzzy Hash: 9D6129327106604BE318CF2D8CC97AABBD5EBC8341F15467EE486C7290EAB8C505CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A502F0 Relevance: 4.7, APIs: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,201B1858,?,?), ref: 00A503AF
FindNextFileW.KERNEL32(000000FF,00000010), ref: 00A504BA
FindClose.KERNEL32(000000FF), ref: 00A50515

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 05d760ad648fc53b82432fedc02302d7514921a79834eba0fd5bf6a187f043c1
Instruction ID: 97754afba504633509201fae6feb3ca91cf0e2e38857ed8b01dfef11e8fb4a1f
Opcode Fuzzy Hash: 05d760ad648fc53b82432fedc02302d7514921a79834eba0fd5bf6a187f043c1
Instruction Fuzzy Hash: 1D618B71A00258DFCF24DB64C899BEEBBB8FF44311F144199E849A7291DB702E88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00952700 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 0095275B
GetWindowLongW.USER32(00000004,000000FC), ref: 00952774
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00952786

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 21cd97a774d6dd9ee35e14f38f608f2eeb3cef2351a74095ba1217384a102431
Instruction ID: 1fd61f3684df027cf46de2cf09fd5c50871e41c1141f151cba875020b389c305
Opcode Fuzzy Hash: 21cd97a774d6dd9ee35e14f38f608f2eeb3cef2351a74095ba1217384a102431
Instruction Fuzzy Hash: CC41BEB0600B56EFDB10CF65C848B5ABBE8FF09324F104269E92497791DB76F918CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B416F3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00B417EB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B417F5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00B41802

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 946d143fcc09d71a6ef0116591ffb267eba07e51e0dcfb403c120e9d2937d9e9
Instruction ID: a619a86b914ce686296dbf14b059cacdfe6d03a2fdfedbb46ec18a4fbc2c6da1
Opcode Fuzzy Hash: 946d143fcc09d71a6ef0116591ffb267eba07e51e0dcfb403c120e9d2937d9e9
Instruction Fuzzy Hash: F331C775901219ABCB21DF68DC89B9CBBF4BF08310F5045DAE41DA7251EB749F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 0093A700 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,201B1858,00000001,00000000,?,00000000,00B63770,000000FF,?,0093A6AC,?,?,?,000000A7,?), ref: 0093A72B
LockResource.KERNEL32(00000000,?,0093A6AC,?,?,?,000000A7,?,00000000,00B63E40,000000FF,?,0093A850,?,?,000000A7), ref: 0093A736
SizeofResource.KERNEL32(00000000,00000000,?,0093A6AC,?,?,?,000000A7,?,00000000,00B63E40,000000FF,?,0093A850,?,?), ref: 0093A744

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 96908bd5b5012cb36b069d8d46e356afc34f8e54069f9a85be20bd856dd7554c
Instruction ID: a98e55b29f6be231cb0433bd5a5dbdec9cf58638c193234283048fc20685866a
Opcode Fuzzy Hash: 96908bd5b5012cb36b069d8d46e356afc34f8e54069f9a85be20bd856dd7554c
Instruction Fuzzy Hash: 8D11E772E006649BC7318F19DC85FA6B7FCEB89721F000A2AEC5BD3250EA359C008A90

Uniqueness

Uniqueness Score: -1.00%

Function 0094A680 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 0094A699
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 0094A6A7
DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 0094A6D3

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: 1672c6ff29305c80fe119a381734c02a2cdbea357dfb84692dd987020a1a94b6
Instruction ID: 1dafa9a955fbc2c1375bd850df8c21ed4924d002dd41e104353dffa921b84648
Opcode Fuzzy Hash: 1672c6ff29305c80fe119a381734c02a2cdbea357dfb84692dd987020a1a94b6
Instruction Fuzzy Hash: 46F03A31004B119BEB605F28ED08F96BBE5BF05721F194B1AE4AA929F0CB30E840EB05

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD850 Relevance: 4.1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

gfff, xrefs: 00ADD992
Show, xrefs: 00ADD9DA
) AND ( , xrefs: 00ADDA33

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: ) AND ( $Show$gfff
API String ID: 0-344708357
Opcode ID: c283f4bb9230312cd4022b2074649811a651899efb2e0014c7647995936193b3
Instruction ID: f876e966c6c5cf6758a02c8ad860ffd7cea248c6cad3a1eb76b3e3308c29d483
Opcode Fuzzy Hash: c283f4bb9230312cd4022b2074649811a651899efb2e0014c7647995936193b3
Instruction Fuzzy Hash: E7D16B71904258CFDB24DF68C845BAEBBB1BF45304F1486DAE44AA7381DB70AE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C680 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27568dee6e504eeda6fcdcc351cfe64da91595b8b7e8ca66b4b8da94aa0efd7
Instruction ID: 1daaeba54163797f128648d4c37bd21d3205a9eb935fc7f38edc6c1ffc773cad
Opcode Fuzzy Hash: d27568dee6e504eeda6fcdcc351cfe64da91595b8b7e8ca66b4b8da94aa0efd7
Instruction Fuzzy Hash: CCF13E71E012199FDF14CFA8C880AADBBF1FF88714F1582A9E915A7385D730AE01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00966500 Relevance: 3.3, APIs: 2, Instructions: 288windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 0096662B
SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00966868

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cfcfe84177daa3b2f6e3a08a81b38f94116fe1dc481b541c6101c96f9057fab8
Instruction ID: 1283a06a2395a7d92335d72a3dc6ad38b6563e95a80a6281242f84bb52f58601
Opcode Fuzzy Hash: cfcfe84177daa3b2f6e3a08a81b38f94116fe1dc481b541c6101c96f9057fab8
Instruction Fuzzy Hash: AEC19071A002068FDF18CF64C995BEDBBF9FF58304F18816AD85AAF295D734A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A94060 Relevance: 3.2, APIs: 2, Instructions: 151fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,201B1858,00000000,?,00000000), ref: 00A94154
FindClose.KERNEL32(00000000,?,00000000), ref: 00A9419F

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 371078d0fa59e278b0eca43a29e6c50dd18addc1866ad3a239aaed2441211732
Instruction ID: a4118e934df8154ce7ff641d4486dd132bea23766731ea81aad1ad3384812f9b
Opcode Fuzzy Hash: 371078d0fa59e278b0eca43a29e6c50dd18addc1866ad3a239aaed2441211732
Instruction Fuzzy Hash: 20519E75A00609CFDB14DFA8C958BAEBBF4FF48314F244559E815AB381DB34AA06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A71850 Relevance: 3.1, APIs: 2, Instructions: 145windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,201B1858,?,00000000), ref: 00A7189B
GetLastError.KERNEL32(?,00000000), ref: 00A718A5

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: f8adb111eaa3d8b2a1c240805cd8cbc11d098d6d1babc05bef5f5f235fff66e9
Instruction ID: 128a83506f4512e9caaaf6e8634c1b4c041bf4b7bc3d96f1fa6e704e3e055700
Opcode Fuzzy Hash: f8adb111eaa3d8b2a1c240805cd8cbc11d098d6d1babc05bef5f5f235fff66e9
Instruction Fuzzy Hash: E441D271A04209DFEB14CF98CC55BAEBBF4FB88714F14826EE919A7380EB755900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009B1610 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 009B1694
SetWindowLongW.USER32(00000000,000000FC,?), ref: 009B16A2

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 44583ed466ace5e8f05ea230a2792202c3ea97b844b2b3419c22678db527b2be
Instruction ID: 563eb559438c1aca88d4daf6d240e10c5a13ea49fe4258391ca866874a53689d
Opcode Fuzzy Hash: 44583ed466ace5e8f05ea230a2792202c3ea97b844b2b3419c22678db527b2be
Instruction Fuzzy Hash: F3313C71900205DFCB10DF58CA95B9ABBB9FF45320F544299E824AB2A1C775ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00975000 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00975005
SetUnhandledExceptionFilter.KERNEL32(Function_0013D2B0), ref: 0097501B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 8792c6b213b3c9cfaba4787f6b5fce5c22db6e2967ad52ae404071eceb7b1794
Instruction ID: c3adb2872bc53f4c0a9853ccfea8ecb79ff6ecfa03d821084436e42de4976072
Opcode Fuzzy Hash: 8792c6b213b3c9cfaba4787f6b5fce5c22db6e2967ad52ae404071eceb7b1794
Instruction Fuzzy Hash: 0BD02271A08380FAE73053309A0B7583AA0371A318F148A08F04A01281DBE89848D303

Uniqueness

Uniqueness Score: -1.00%

Function 009B4B20 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 009B4D05, 009B4EEF

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExceptionRaise__floor_pentium4
String ID: unordered_map/set too long
API String ID: 996205981-306623848
Opcode ID: 9b3260d10d1552979808e984e59465948dc3838734410ee224254bec8c86a5d4
Instruction ID: c2bd877d6e972f8dd0c1ee68400711510253c0abfc17c581ec94cd22b22efde5
Opcode Fuzzy Hash: 9b3260d10d1552979808e984e59465948dc3838734410ee224254bec8c86a5d4
Instruction Fuzzy Hash: 7312C571A006099FCB15DF68C981BADFBF5FF88310F14826AE815AB392D735E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00948480 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00948623

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 5fdc3fa17ca723c4651541634c1699f343c55ad09db17ee72db1aa6c036a7f35
Instruction ID: 2ec12372243bc8c6b6dc3c504c6a200c5c494d53c44385e48bc6be26a151845b
Opcode Fuzzy Hash: 5fdc3fa17ca723c4651541634c1699f343c55ad09db17ee72db1aa6c036a7f35
Instruction Fuzzy Hash: 237108B1801B48CFE761CF68C94478ABBF0BB05324F144A5ED4A99B3D1D3B9A648CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0095E9B0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,0095D008,?,?,?,?,?), ref: 0095EA00

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 2a2a3c5c1b58f45ba386dd067f9a683fda288a9521e11be55f45547d1543d238
Instruction ID: f27272028ce29849ee342c441ec4a0ce181ea7859d23cb2acb67aba18f42fc13
Opcode Fuzzy Hash: 2a2a3c5c1b58f45ba386dd067f9a683fda288a9521e11be55f45547d1543d238
Instruction Fuzzy Hash: 89F05E70004141DEE30D8B26C858A69B7AAFB45313F4849E6E444D6460D336DF48EF11

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E8B0 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9977990cd708d463955e4af472e49338d383904a95118471b1d6e4d7e274a4
Instruction ID: c302b9034d70e403b7ec416aeacbab0d2cb58f77278bbc46562f09e1f84f2d4a
Opcode Fuzzy Hash: ef9977990cd708d463955e4af472e49338d383904a95118471b1d6e4d7e274a4
Instruction Fuzzy Hash: 1322C3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA260 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb855accf280595d4f746f3887f50054d3f8b62d59af7f385b4c8d1fbfbfa914
Instruction ID: 6e9b845e2c69cbac8f24ec0ec7e01ab32626c21eb284a163998984904248d831
Opcode Fuzzy Hash: bb855accf280595d4f746f3887f50054d3f8b62d59af7f385b4c8d1fbfbfa914
Instruction Fuzzy Hash: 59127F76E002189FCB15DFA8D894AEDBBB5FF88310F15815AE816B7391DB34AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD1020 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32fb95ffd4e91efef9f3231099503a88f897aa6bbef464adc6e8550e6f84f26
Instruction ID: 60a446c8f058ab76f0ce02eb47fae1011ca6b9ab055f8bf63a26345dea0f29ce
Opcode Fuzzy Hash: f32fb95ffd4e91efef9f3231099503a88f897aa6bbef464adc6e8550e6f84f26
Instruction Fuzzy Hash: 75D1EDB1B043519FC7148F2DC88062BBBE1ABD9300F588A3EF89AC7355E675D9458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00B4502C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a44eff8aec1306f33cf98916add98ee7aac588f9ad75282fa22711b482a75f
Instruction ID: b40e615d9ff551efcde6319cd5ce53502ea8fdfa899c6ecbe38604cadf854667
Opcode Fuzzy Hash: 82a44eff8aec1306f33cf98916add98ee7aac588f9ad75282fa22711b482a75f
Instruction Fuzzy Hash: 84E1AD74600E058FCB34CF68C580AAEB7F1FF45710B244A99D496AB392D770AE86EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B44C9E Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2955d0fdfff5b6b5e91a845b46e453b055f473350c590baef8c0edc733efcb
Instruction ID: 72d7546d1341e22a1a9fd6bab3c156875cf222f2cba4a645daf0dac27ffd4b4f
Opcode Fuzzy Hash: ef2955d0fdfff5b6b5e91a845b46e453b055f473350c590baef8c0edc733efcb
Instruction Fuzzy Hash: C4C1BD34900A468FCB28CF68C4D077EB7E1FF45304F2446A9D89697692C731AF69EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AC9620 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c428eefec9b9109d3d5e0ecaaa63b32ac1a678f9faf19883f83087edf380c9
Instruction ID: 48b648f1ff716dd04576ef939bdc07cb01cec05eff4f2745ed56ec834116fdc9
Opcode Fuzzy Hash: c0c428eefec9b9109d3d5e0ecaaa63b32ac1a678f9faf19883f83087edf380c9
Instruction Fuzzy Hash: 2591A272B083154BD708CE6DCD9135AF6E6ABC8310F1E853EF94AC73A1E678DC048681

Uniqueness

Uniqueness Score: -1.00%

Function 00B254D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24de45bb07b5d174ccc9c703771194d0ee25be8388c9545e90f9daaa51fce5d
Instruction ID: 3bb4c43b341888a208f1abb2f094497c70d3d54dc989c7c466bd6b9367c8c68b
Opcode Fuzzy Hash: a24de45bb07b5d174ccc9c703771194d0ee25be8388c9545e90f9daaa51fce5d
Instruction Fuzzy Hash: A921D1367209160BDB4CDB29EC76B7932D2E38535179892BDEA6BCB391E738C4128740

Uniqueness

Uniqueness Score: -1.00%

Function 00A06490 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022c3e67d08038903f9f9c53160e9ba125d2d42236fa9e910ac58b5bdbf0527e
Instruction ID: d8e6c7f1c9cd1edf86e6dbb992cfe8cd3ccf0b5217b7766a6d8520da73d95452
Opcode Fuzzy Hash: 022c3e67d08038903f9f9c53160e9ba125d2d42236fa9e910ac58b5bdbf0527e
Instruction Fuzzy Hash: 064116B0905789EED704CF69C50878AFBF0BF19318F20829DD4589B781D3BAA658CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00952590 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a67693209c2653519d3b4d7d389280afe8de96ba8fd621f12bafbd2940023
Instruction ID: 55a8e96fee95bba37609443cff193c8164ccc528941e124dee48cf585fcb8bc7
Opcode Fuzzy Hash: 213a67693209c2653519d3b4d7d389280afe8de96ba8fd621f12bafbd2940023
Instruction Fuzzy Hash: 2131F0B0405B84DEE321CF29C55834BBFF0BB05718F104A8DD4E64BB91C3BAA108CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0094AE70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de93d63a872656c5b03078efc923e1b04b0d987dfc46b80289cb0dfcf508a82
Instruction ID: 2ca227ac94396e1858f88adc88aa8d7cd364e9d7fe3da64f85f8756231eb886d
Opcode Fuzzy Hash: 2de93d63a872656c5b03078efc923e1b04b0d987dfc46b80289cb0dfcf508a82
Instruction Fuzzy Hash: 40215CB1900348DFD701CF58C80479ABBF4FB49318F25829ED414AB392D37A9A06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0094B4D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615be7e7ef9bc12bdff290a60f26bf7f2e4b0bd00db5a5bf5e0759d3cabb13a4
Instruction ID: 9f9f2579ed6a91d45cd3454ce0daf4f388326cca1b037d60b318f99e1ae375fc
Opcode Fuzzy Hash: 615be7e7ef9bc12bdff290a60f26bf7f2e4b0bd00db5a5bf5e0759d3cabb13a4
Instruction Fuzzy Hash: 0B214AB1900348DFD701CF58C80479ABBF4FB59318F25829AD414AB391D37A9A06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0096CD10 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a774ab742f0796f2ed92ff8f67a65e8948aab8391acb9ae0feaaa7881a277bd8
Instruction ID: d0c1c55f8185f9820fbba75f18249e2c9de2737275f06fbbd84fae6ca3bba825
Opcode Fuzzy Hash: a774ab742f0796f2ed92ff8f67a65e8948aab8391acb9ae0feaaa7881a277bd8
Instruction Fuzzy Hash: C91112F1904208DFD740CF58D544759BBF4FB09328F20829EE8189B381D37A9A06CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00B56646 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd906c2af1998506b572fba2a078772f03f613e558d8da9e0d6a6a8d17cb55d
Instruction ID: 39a80ffd33427532f9f759e4a28fc25a147bff3d12d02a4af2b5439c07d0121f
Opcode Fuzzy Hash: 0dd906c2af1998506b572fba2a078772f03f613e558d8da9e0d6a6a8d17cb55d
Instruction Fuzzy Hash: 33F03972A11224AFCB26DB4CD805BA9B3FCEB49B66F5540D6E901EB291C6B0DE04C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 00B5668A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction ID: e70c4172635cb5315e67ccebbaa94dde6471be87677b980001907af353d351bb
Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction Fuzzy Hash: 21E08C32A11228EBCB15DBCCCA44A8AF3ECEB44B01B5500D6FA01E3250C670DE04C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00948710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 158windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00948736
GetClientRect.USER32(?,?), ref: 0094874E
FillRect.USER32(00000000,?,00000000), ref: 0094876D
DeleteObject.GDI32(00000000), ref: 00948774
EndPaint.USER32(?,?), ref: 00948782
BeginPaint.USER32(?,?), ref: 009487B7
GetClientRect.USER32(?,?), ref: 009487CF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009487E8
CreateCompatibleDC.GDI32(00000000), ref: 009487FD
SelectObject.GDI32(00000000,00000000), ref: 0094880F
FillRect.USER32(00000000,?,00000000), ref: 0094883C
DeleteObject.GDI32(?), ref: 00948846
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}), ref: 0094888D
SelectObject.GDI32(00000000,?), ref: 0094889C
DeleteDC.GDI32(00000000), ref: 009488A3
DeleteObject.GDI32(00000000), ref: 009488AA
EndPaint.USER32(?,?), ref: 009488B8

Strings

erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}, xrefs: 00948876

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Object$DeletePaintRect$BeginClientCompatibleCreateFillSelect$Bitmap
String ID: erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}
API String ID: 1280635051-2249997030
Opcode ID: 52e08685bd6c773b21e564eab32ebb32c9b8404e1b91fb0fe17997941f26ccd0
Instruction ID: f457bae05e64f3a9f71eda5cb1669bc7ad7b6755fa90e363b74f339bcc6f94b9
Opcode Fuzzy Hash: 52e08685bd6c773b21e564eab32ebb32c9b8404e1b91fb0fe17997941f26ccd0
Instruction Fuzzy Hash: F9515C72204205BFE3119F64DC49F6FBBECFB48711F00452AFA56922A0DB75E800CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00AAEAA0 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 343COMMON

Download Yara Rule

Strings

Unable to get a temp file for script output, temp path: , xrefs: 00AAEBD7
txt, xrefs: 00AAEB8E
ps1, xrefs: 00AAEB61, 00AAEB73, 00AAEB7D
Unable to retrieve exit code from process., xrefs: 00AAEE57
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00AAEC33
Unable to find file , xrefs: 00AAEAD6
Unable to retrieve PowerShell output from file: , xrefs: 00AAEE34
Unable to create process: , xrefs: 00AAECD8

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: b1773e988eb40aa75d5a3498b443c1f36c5ad9f900895177c49cea5d39e651dd
Instruction ID: 8681664da1cb1b0472d65b8e4e4a0a6eb232afd31fee87c99236e4c38dc33837
Opcode Fuzzy Hash: b1773e988eb40aa75d5a3498b443c1f36c5ad9f900895177c49cea5d39e651dd
Instruction Fuzzy Hash: 47D1CD30D00609AFDB10DFA8C949BAEBBB5FF49320F148259E511B72D1DB34AA01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A730 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000007,000001F6), ref: 00A7A778
GetDlgItem.USER32(00000007,000001F8), ref: 00A7A788
GetDlgItem.USER32(00000007,000001F7), ref: 00A7A7CE
SetWindowTextW.USER32(00000000,?), ref: 00A7A7E1
ShowWindow.USER32(00000000,00000005), ref: 00A7A83F
GetDlgItem.USER32(00000007,000001F7), ref: 00A7A865
SetWindowTextW.USER32(00000000,?), ref: 00A7A878
ShowWindow.USER32(00000000,00000000), ref: 00A7A8D5
ShowWindow.USER32(?,00000000), ref: 00A7A8E0
SetWindowPos.USER32(00000007,00000000,00000000,00000000,?,?,00000616), ref: 00A7A92D
GetDlgItem.USER32(?,000000FF), ref: 00A7A960
IsWindow.USER32(00000000), ref: 00A7A96A
IsRectEmpty.USER32(?), ref: 00A7A987
SetWindowPos.USER32(000000FF,00000000,?,?,?,?,00000014,?,000000FF,?,?,00000616), ref: 00A7A9B7

Strings

Details >>, xrefs: 00A7A84C
Details <<, xrefs: 00A7A7B5

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: 9e9d61f84316c6b1b76e7aca6f8cac953bae4b5d3a91583c87b6532751cabf00
Instruction ID: 05d348b9280a8b4af690a050876d621283186b0872d52c941623f835dd42cc4a
Opcode Fuzzy Hash: 9e9d61f84316c6b1b76e7aca6f8cac953bae4b5d3a91583c87b6532751cabf00
Instruction Fuzzy Hash: B691D271900204AFEB14DF68DD59BAEBBF5EF98300F20C61DF506A76A1D734A941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0096DA90 Relevance: 25.7, APIs: 17, Instructions: 178windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,201B1858,?), ref: 0096DAE0
SendMessageW.USER32(?,00000318,00000000,00000004), ref: 0096DAF7
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0096DB05
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 0096DB1D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0096DB35
SendMessageW.USER32(?,0000130A,00000000,?), ref: 0096DB63
CreateRectRgn.GDI32(?,?,?,?), ref: 0096DB9D
DeleteObject.GDI32(00000000), ref: 0096DBB4
GetClientRect.USER32(?,?), ref: 0096DBCD
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 0096DC02
CreateRectRgn.GDI32(?,?,?,?), ref: 0096DC22
SelectClipRgn.GDI32(00000000,00000000), ref: 0096DC3B
GetParent.USER32(?), ref: 0096DC4B
SendMessageW.USER32(00000000,00000136,?,?), ref: 0096DC5C
DeleteObject.GDI32(00000000), ref: 0096DC6C
DeleteObject.GDI32(?), ref: 0096DC75
EndPaint.USER32(?,?), ref: 0096DC88

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageRectSend$Create$DeleteObject$Paint$BeginClientClipParentSelect
String ID:
API String ID: 3183909887-0
Opcode ID: 7ecba17628880d3863ded6f1f05e6f0e59dc64f1004220cc511a2e010ae4c3da
Instruction ID: fa8e081c7e27422adce81620f5c67583dc446ead4175b303881c3e92d1c49c0d
Opcode Fuzzy Hash: 7ecba17628880d3863ded6f1f05e6f0e59dc64f1004220cc511a2e010ae4c3da
Instruction Fuzzy Hash: 5C612972D00218AFEB219FE4DC09FAEBBB9FF48710F10411AF616AB2A0D7756940CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0096C1B0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 231windowtimeCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,201B1858), ref: 0096C238

Part of subcall function 00949C20: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00949C62

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0096C343
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 0096C357
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 0096C36C
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 0096C381
GetWindowTextLengthW.USER32(?), ref: 0096C388
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 0096C398
ClientToScreen.USER32(?,?), ref: 0096C3B8
GetWindowRect.USER32(?,?), ref: 0096C3CA
PtInRect.USER32(?,?,?), ref: 0096C3DA
SendMessageW.USER32(00000000,00000412,00000000), ref: 0096C426
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 0096C43A
SetTimer.USER32(?,?,00001388,00000000), ref: 0096C45A

Strings

tooltips_class32, xrefs: 0096C232

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$Window$Rect$ClientCreateLengthLongScreenTextTimer
String ID: tooltips_class32
API String ID: 3976673834-1918224756
Opcode ID: 43e7b8225d784f88034df4841fbbd695c73114eab2bfc7d16a04a4aeee9b2da4
Instruction ID: ec65e40ec56308c51d965b2540b4c8a0d179b1bcb7854b5d9dae532c7d1e2481
Opcode Fuzzy Hash: 43e7b8225d784f88034df4841fbbd695c73114eab2bfc7d16a04a4aeee9b2da4
Instruction Fuzzy Hash: E59152B1A00218AFEB14CFA4CC55BAEBBF9FF48300F10852AF556EB290D775A914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A410 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A71A00: LoadLibraryW.KERNEL32(ComCtl32.dll,201B1858,?,00000000,00000000), ref: 00A71A3A
Part of subcall function 00A71A00: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00A71A60
Part of subcall function 00A71A00: FreeLibrary.KERNEL32(00000000), ref: 00A71AE9

GetDlgItem.USER32(?,000001F4), ref: 00A7A44B
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00A7A45A
GetDC.USER32(00000000), ref: 00A7A466
GetDeviceCaps.GDI32(00000000), ref: 00A7A46D
MulDiv.KERNEL32(00000009,00000000), ref: 00A7A476
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 00A7A49F
GetDlgItem.USER32(?,000001F6), ref: 00A7A4B0
IsWindow.USER32(00000000), ref: 00A7A4B9
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00A7A4D0
GetDlgItem.USER32(?,000001F8), ref: 00A7A4DE
GetWindowRect.USER32(?,?), ref: 00A7A4ED
GetWindowRect.USER32(00000000,?), ref: 00A7A501
GetWindowRect.USER32(00000000,?), ref: 00A7A515

Strings

Courier New, xrefs: 00A7A47C

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: ffb8e833f2fac9de5e55590f381896d2c0c0975b256e206268ddf1e18bc76eba
Instruction ID: 4c2d58dfeb90f9000ed07e4b26e4ca0c2ca491bf91fb9353928a17c40871a986
Opcode Fuzzy Hash: ffb8e833f2fac9de5e55590f381896d2c0c0975b256e206268ddf1e18bc76eba
Instruction Fuzzy Hash: 294184717803017FF7145F608D8AFAE37A5AF48B01F108529BB0A6E1E2DAB5A8408B59

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A420 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 398libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,201B1858,00000000,00000000), ref: 00A6A4B1
GetLastError.KERNEL32 ref: 00A6A4DF

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00A6A4F5
FreeLibrary.KERNEL32(00000000), ref: 00A6A511
GetLastError.KERNEL32 ref: 00A6A51E
GetLastError.KERNEL32 ref: 00A6A715
GetLastError.KERNEL32 ref: 00A6A77A

Strings

ConvertStringSidToSidW, xrefs: 00A6A4EF
Advapi32.dll, xrefs: 00A6A4AC

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: f78b0d46d7778773247304ecc3cee55837c31d343a7c4a1e061cc8b33cf2cc76
Instruction ID: 1e7b640dbf89344298fde88bde3363f6b1ce4084cbad7885add318f4111736dd
Opcode Fuzzy Hash: f78b0d46d7778773247304ecc3cee55837c31d343a7c4a1e061cc8b33cf2cc76
Instruction Fuzzy Hash: 59F149B1C01209EBEF10DFA4D945BEEBBB4BF18314F244159E915B7281E774AA05CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 009482B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00C872EC,201B1858,00000000,?,?,?,?,?,?,00947A15,00B6710D,000000FF), ref: 009482ED
GetClassInfoExW.USER32 ref: 0094832D
LoadCursorW.USER32(00000000,00007F00), ref: 00948368
RegisterClassExW.USER32(00000030), ref: 00948391
GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 009483D8
LoadCursorW.USER32(00000000,00007F00), ref: 00948410
RegisterClassExW.USER32(00000030), ref: 00948431
LeaveCriticalSection.KERNEL32(00C872EC), ref: 00948463

Strings

WM_ATLGETHOST, xrefs: 009482F3
0, xrefs: 009483F5
AtlAxWinLic140, xrefs: 009483CD, 00948427
WM_ATLGETCONTROL, xrefs: 00948302
AtlAxWin140, xrefs: 0094831B, 00948383

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Class$CriticalCursorInfoLoadRegisterSection$EnterLeave
String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 927868316-283551416
Opcode ID: 7ae9f2a34c37db85eb5d3b822b3011b968244adcf11171581a1787cd58fa49a9
Instruction ID: 76ba961ed81cf7a7f939706bdeda87b0474a0a0ab30c1567a63f858a8ee5b7ff
Opcode Fuzzy Hash: 7ae9f2a34c37db85eb5d3b822b3011b968244adcf11171581a1787cd58fa49a9
Instruction Fuzzy Hash: 565117B1C10308DBDB11DFA4D848BEEBBF8FF08704F14455AE901B72A0DBB995498B99

Uniqueness

Uniqueness Score: -1.00%

Function 00972470 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 372libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00972598
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 009725AA
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 009725B8
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 009725C7

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Strings

INAN, xrefs: 009724A5
EmbeddedUIHandler, xrefs: 009725BE
InitializeEmbeddedUI, xrefs: 009725A4
build , xrefs: 009726CF
dda15b93, xrefs: 009726DE
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 009724F9
21.5.1, xrefs: 009726BA
ShutdownEmbeddedUI, xrefs: 009725B0

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressProc$Heap$AllocateLibraryLoadProcess
String ID: build $21.5.1$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI$dda15b93
API String ID: 230625546-3637830537
Opcode ID: 36d4e976d3b4b6bd3695646eeffdfc69cccc2fb0816248b56d835d44ea88fdc5
Instruction ID: 2f4a194e4953cbb62996fc22f89ee6e1f1d7b50e63985f91c41411c585cac73e
Opcode Fuzzy Hash: 36d4e976d3b4b6bd3695646eeffdfc69cccc2fb0816248b56d835d44ea88fdc5
Instruction Fuzzy Hash: DDD1E171E00209DBCB04DF68CC55BAEBBB5FF88314F24815AE915A7381EB74AA04CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00941250 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,201B1858,00000000,?,?,?,?,?,?,?,?,?,?,?,201B1858), ref: 009412D3
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 009412D9
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,00BF4720,00000000,00000000,00000000), ref: 0094149B

Strings

.dll, xrefs: 00941482
DllGetActivationFactory, xrefs: 009414DE
combase.dll, xrefs: 009412CE, 0094137F
CoIncrementMTAUsage, xrefs: 0094137A
RoGetActivationFactory, xrefs: 009412C9

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1469910268-2454113998
Opcode ID: ac8b26b4dd72d7cc1dcd91efa71d020bcd8b0cad0506fd8efc997f9ef2a4bc3c
Instruction ID: e23d45c8732d0f63cafbc60c1435d167e3c588b6fc67ad0bfa500689c115739c
Opcode Fuzzy Hash: ac8b26b4dd72d7cc1dcd91efa71d020bcd8b0cad0506fd8efc997f9ef2a4bc3c
Instruction Fuzzy Hash: CAB17A71D00219EFCB10DFA8D855FAEBBB9FF88704F144169E811A72A0EB749984CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0096ABB0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 132windowstringCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,0000005C,?), ref: 0096AC00
SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 0096AC31
lstrcpynW.KERNEL32(?,?,00000020), ref: 0096ACB1
GetDC.USER32(?), ref: 0096ACD4
GetDeviceCaps.GDI32(00000000), ref: 0096ACDB
MulDiv.KERNEL32(?,00000048,00000000), ref: 0096ACEE
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 0096AD20
GetObjectW.GDI32(00000000,0000005C,?), ref: 0096AD47
DeleteObject.GDI32(?), ref: 0096AD5D
CreateFontIndirectW.GDI32(?), ref: 0096AD79

Strings

?, xrefs: 0096ACF4
t, xrefs: 0096ACFC

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Object$MessageSend$CapsCreateDeleteDeviceFontIndirectlstrcpyn
String ID: ?$t
API String ID: 498247171-1995845436
Opcode ID: 48495c7ad158d0467c4408f67203d1d2b4e557cf689a8fc5e7e2f441b5488b48
Instruction ID: 9b7369676164493a844ec9830aad6dbe39734eb340b5699e62c2ae03b4a7617c
Opcode Fuzzy Hash: 48495c7ad158d0467c4408f67203d1d2b4e557cf689a8fc5e7e2f441b5488b48
Instruction Fuzzy Hash: FE516E71604381AFE720DF60DC49B9FBBE8BB88301F00091AF699D7191DB74E508CB96

Uniqueness

Uniqueness Score: -1.00%

Function 009B6EE0 Relevance: 19.7, APIs: 13, Instructions: 167COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 009B6F27
GetParent.USER32(00000000), ref: 009B6F3A
GetWindow.USER32(00000000,00000004), ref: 009B6F45
GetWindowRect.USER32(00000000,?), ref: 009B6F53
GetWindowLongW.USER32(00000000,000000F0), ref: 009B6F66
MonitorFromWindow.USER32(00000000,00000002), ref: 009B6F7E
GetMonitorInfoW.USER32(00000000,?), ref: 009B6F94
GetWindowRect.USER32(00000000,?), ref: 009B6FBA
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 009B7075

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: ce6b07964c80f9e03321b42651bc93e7ea26db34bf177ad56f7a5f44c6413837
Instruction ID: cfe6d39557361f20e8fdbd4cbe7aaabcaa3f53415d62c043d6c41b54a3e6c8ef
Opcode Fuzzy Hash: ce6b07964c80f9e03321b42651bc93e7ea26db34bf177ad56f7a5f44c6413837
Instruction Fuzzy Hash: 2E516272904119AFDB20CFA8DD49BAEBBB9FB44720F254229F915E3290DB34AD04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A77620 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,201B1858,?), ref: 00A776B7
SymSetSearchPath.IMAGEHLP(201B1858,?,201B1858,?), ref: 00A77918

Strings

MODULE_BASE_ADDRESS, xrefs: 00A78347
%hs(), xrefs: 00A77DEA
*** Stack Trace (x86) ***, xrefs: 00A781D7
[0x%.8Ix] , xrefs: 00A78301
-> , xrefs: 00A77EFC
%hs:%ld, xrefs: 00A77BB4
SymFromAddr, xrefs: 00A780AE
Dbghelp.dll, xrefs: 00A780B3
<--------------------MORE--FRAMES-------------------->, xrefs: 00A7829D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FileModuleNamePathSearch
String ID: *** Stack Trace (x86) ***$ -> $%hs()$%hs:%ld$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 1980563475-1582651777
Opcode ID: 122ef8bff8faa69b51abdceaf2a4759da8ff1f6a0c28186bf144398a3f3107bc
Instruction ID: 24274e88431a5caf71943f0e5a208c82f4560f64900458a22d133ea68099f7c2
Opcode Fuzzy Hash: 122ef8bff8faa69b51abdceaf2a4759da8ff1f6a0c28186bf144398a3f3107bc
Instruction Fuzzy Hash: 49915971D046688FDB28CB24CC59BEDB7B4AB4A314F1082DAE56DA7291DB305EC4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00953A50 Relevance: 18.4, APIs: 12, Instructions: 357windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00953AA4
GetWindowRect.USER32(?,?), ref: 00953B86
GetClientRect.USER32(?,?), ref: 00953B98
GetWindowDC.USER32(?), ref: 00953BAA
CreateCompatibleDC.GDI32(00000000), ref: 00953C08
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00953C21
SelectObject.GDI32(?,00000000), ref: 00953C31

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: RectWindow$CompatibleCreate$BitmapClientObjectSelect
String ID:
API String ID: 2032541772-0
Opcode ID: 096d3f502ff123aae5a4c78f0cdfed478e6c61d829f04cbc3e04eb47364ec774
Instruction ID: 9d2b62810eef742710eb5e6389c59b08da18d0fe96665e29b399577f81b0bd56
Opcode Fuzzy Hash: 096d3f502ff123aae5a4c78f0cdfed478e6c61d829f04cbc3e04eb47364ec774
Instruction Fuzzy Hash: 4BE14A71D05618DFEB20CFA9C948B9EBBF8FF49301F10829AE849A7251DB746A44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D430 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 441libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00A7D596
GetProcAddress.KERNEL32(00000000), ref: 00A7D59D
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 00A7D5D7

Strings

Search result:, xrefs: 00A7D879
kernel32, xrefs: 00A7D591
Undefined, xrefs: 00A7D8E4
IsWow64Process2, xrefs: 00A7D58C
Wrong OS or Os language for:, xrefs: 00A7D98F
Searching for:, xrefs: 00A7D6D9
Not selected for install., xrefs: 00A7D8FF, 00A7D900

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process2$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 4190356694-4272450043
Opcode ID: 0e922c0deee6baa619b8edc022d027de94fa9ca09aea2f876465221e776ddb24
Instruction ID: 78bbd0e5699f3e1944b267779a7782985fd14dd556c82d2da5c3f45db3e68bf1
Opcode Fuzzy Hash: 0e922c0deee6baa619b8edc022d027de94fa9ca09aea2f876465221e776ddb24
Instruction Fuzzy Hash: 16027D709006059FDB14DFA8CD98BAEBBB1FF44314F24C259E41AAB2D1DB35E946CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7400 Relevance: 16.7, APIs: 11, Instructions: 214fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00C82000,201B1858,-00000001), ref: 00AA743C
EnterCriticalSection.KERNEL32(-00000001,201B1858,-00000001), ref: 00AA7449
WriteFile.KERNEL32(00000000,?,?,201B1858,00000000), ref: 00AA747B
FlushFileBuffers.KERNEL32(00000000,?,?,201B1858,00000000), ref: 00AA7484
WriteFile.KERNEL32(00000000,?,?,?,00000000,00BF46F0,00000001,?,?,201B1858,00000000), ref: 00AA751C
FlushFileBuffers.KERNEL32(00000000,?,?,201B1858,00000000), ref: 00AA7525
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,201B1858,00000000), ref: 00AA7568
FlushFileBuffers.KERNEL32(00000000,?,?,201B1858,00000000), ref: 00AA7571
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,00BF76FC,00000002,?,?,201B1858,00000000), ref: 00AA75DE
FlushFileBuffers.KERNEL32(00000000,?,?,201B1858,00000000), ref: 00AA75E7
LeaveCriticalSection.KERNEL32(00000000,?,?,201B1858,00000000), ref: 00AA7626

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
String ID:
API String ID: 1900893598-0
Opcode ID: 968fa53a3143158902a969ddfe4acf9176f6d80e31ea6bcf2de140fd05fd4748
Instruction ID: 54f3f39ed57d259222b0c43bd02d56254a7cce0ff05b01f9c24d72a920544eee
Opcode Fuzzy Hash: 968fa53a3143158902a969ddfe4acf9176f6d80e31ea6bcf2de140fd05fd4748
Instruction Fuzzy Hash: 21719A31A04648EFEB01DF68DC49BAEBBB9EF49310F144198F911A73A1DB359D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8BA0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 308libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A52A40: GetLastError.KERNEL32(201B1858,00BB2DDD,00BB2DDD,00BB2DDD,?,00000000,00BA458D,000000FF,?,80070057,00000000,?,?,00BB2DDD,00A69E4A,00000000), ref: 00A52AB1

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00AA8D5F
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00AA8DC8
GetLastError.KERNEL32(?,?,00BB30C5,000000FF,?,00A87650,?,?,?,?,?,?,00000000), ref: 00AA8DF2
FreeLibrary.KERNEL32(?,?,?,00000000,00000000,?,?,00BB30C5,000000FF), ref: 00AA8EF4

Strings

x64, xrefs: 00AA8C4A
neutral, xrefs: 00AA8C66
x86, xrefs: 00AA8C1C
Kernel32.dll, xrefs: 00AA8BCD
GetPackagePath, xrefs: 00AA8D59, 00AA8DC2

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressErrorLastProc$FreeLibrary
String ID: GetPackagePath$Kernel32.dll$neutral$x64$x86
API String ID: 329358263-4043905686
Opcode ID: 6dbe55c4dcceb5ec7825be051eb598761eb0be865b6172ed9695c508321eae0c
Instruction ID: 4456abd73adcf8710c48c9f8f305989ad7458733cced739abba134a6ecacd7dd
Opcode Fuzzy Hash: 6dbe55c4dcceb5ec7825be051eb598761eb0be865b6172ed9695c508321eae0c
Instruction Fuzzy Hash: D4C16874A00209DFDB04DFA8C988AADBBB5FF49314F148169E905E73A1EB79AD05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0094B7B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 154registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00C872EC,201B1858,00000001,00C87308), ref: 0094B823
GetClassInfoExW.USER32(00000000,?,?), ref: 0094B85A
GetClassInfoExW.USER32(?,00000030), ref: 0094B871
LeaveCriticalSection.KERNEL32(00C872EC), ref: 0094B887
LoadCursorW.USER32(00930000,?), ref: 0094B8E0
GetClassInfoExW.USER32(?,?,?), ref: 0094B935
RegisterClassExW.USER32(?), ref: 0094B948
LeaveCriticalSection.KERNEL32(00C872EC), ref: 0094B978

Strings

ATL:%p, xrefs: 0094B900

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p
API String ID: 269841140-4171052921
Opcode ID: 854b41f91cfe7ac21beaf1c2007ada066b071825249fcfb2ca63a94d9a2e1730
Instruction ID: aff7c4466fe5dec49ff2afc6411f2c624f2cb5c7f4cff7ce103b8c0e1ad065ab
Opcode Fuzzy Hash: 854b41f91cfe7ac21beaf1c2007ada066b071825249fcfb2ca63a94d9a2e1730
Instruction Fuzzy Hash: E151AC71D04B44DBDB20CF69C945BAAF7F8FF18714F10861DE996A36A0E770A984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B5D0 Relevance: 15.2, APIs: 10, Instructions: 227windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,201B1858,?,?), ref: 00A4B636
CallWindowProcW.USER32(?,?,?,?,?), ref: 00A4B659
SelectObject.GDI32(00000000,?), ref: 00A4B6E0
SetBkMode.GDI32(00000000,00000001), ref: 00A4B6EE
SetTextColor.GDI32(00000000), ref: 00A4B73D
GetWindowLongW.USER32(00000000), ref: 00A4B75E
SendMessageW.USER32(00000000), ref: 00A4B78A
DrawTextW.USER32(00000000,00000010,?,?,00000010), ref: 00A4B811
SelectObject.GDI32(00000000,?), ref: 00A4B81D
EndPaint.USER32(?,?,?,?,?,?), ref: 00A4B82E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ObjectPaintSelectTextWindow$BeginCallColorDrawLongMessageModeProcSend
String ID:
API String ID: 1755490345-0
Opcode ID: 10238780e84e9aeb1f538f35a1916a429437d5a332bc6384de028d80d96d5afd
Instruction ID: 55083f83ea4768f6b82f9f5b1e9fa4ad4a59e283b86c7baab65b3cca53cec2d1
Opcode Fuzzy Hash: 10238780e84e9aeb1f538f35a1916a429437d5a332bc6384de028d80d96d5afd
Instruction Fuzzy Hash: CF917D35A00208EFEB15DFA4CC88BADBBB5FF88311F148159F916AB2A5CB759801DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A250 Relevance: 15.2, APIs: 10, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00A7A25E
DeleteObject.GDI32(?), ref: 00A7A2B6
EndDialog.USER32(?,00000000), ref: 00A7A336

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DeleteDialogLongObjectWindow
String ID:
API String ID: 1328495006-0
Opcode ID: 4e4c16b8f9995f29ce5f75a7da9a4010b7442fe5bab5aeb062aae8c5e5c2b717
Instruction ID: 6c4f35e7cb8479713376d522e09c097ccd244d3147f2a05c8a47efcb5d65154f
Opcode Fuzzy Hash: 4e4c16b8f9995f29ce5f75a7da9a4010b7442fe5bab5aeb062aae8c5e5c2b717
Instruction Fuzzy Hash: EB41E6363152146BD7249F2CAC08BBF3798D795331F00C72BFD5AC66E0C662D8618796

Uniqueness

Uniqueness Score: -1.00%

Function 009FCB60 Relevance: 15.1, APIs: 10, Instructions: 131windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009FCBE3
GetWindowRect.USER32(?,?), ref: 009FCBFB
GetWindowRect.USER32(?,?), ref: 009FCC13
IntersectRect.USER32(?,?,?), ref: 009FCC30
EqualRect.USER32(?,?), ref: 009FCC40
GetSysColorBrush.USER32(0000000F), ref: 009FCC57
GetWindowRect.USER32(?,?), ref: 009FCC80
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 009FCC95
GetWindowLongW.USER32(?,000000EC), ref: 009FCCA4
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 009FCCC2

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Rect$Brush$ColorEqualIntersectLongPointsVisible
String ID:
API String ID: 2158939716-0
Opcode ID: cbe2f53b0162377449ed126708bd5d97db63633435ba08324f17db27b3904350
Instruction ID: d64567a838b95b5f374fa70de0f32063d9f0cee601c212a9862bd46e51ab24ac
Opcode Fuzzy Hash: cbe2f53b0162377449ed126708bd5d97db63633435ba08324f17db27b3904350
Instruction Fuzzy Hash: C3416D756083089FD300CF15D944B6BB7E9FF99705F148A2EF989A7220E730E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0094C480 Relevance: 15.1, APIs: 10, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0094C4C1
GetClientRect.USER32(?,?), ref: 0094C4E8
CreateCompatibleDC.GDI32(?), ref: 0094C4F8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0094C519
DeleteDC.GDI32(00000000), ref: 0094C526
FillRect.USER32(?,?,00000006), ref: 0094C56A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CompatibleCreateRect$BitmapClientDeleteFill
String ID:
API String ID: 1262984673-0
Opcode ID: eefbef59d88f3ec643772e3d9f86d1a4a0438e9f7ec66149f4de155739205bf4
Instruction ID: 85475a7e0be5c8d0076b591c65773f74f5b0af111556895c5824f1d2cb520647
Opcode Fuzzy Hash: eefbef59d88f3ec643772e3d9f86d1a4a0438e9f7ec66149f4de155739205bf4
Instruction Fuzzy Hash: E331CFB21082019FD315DF28D88CF2EBBF8BF88310F14091EF98692261D775E844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A8E210 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 320processfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8FB30: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00A8FB5D

Part of subcall function 00943380: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 00943477
Part of subcall function 00943380: GetProcAddress.KERNEL32(00000000), ref: 0094347E
Part of subcall function 00943380: PathFileExistsW.SHLWAPI(?), ref: 009434EC

GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 00A8E3B8
SetFileAttributesW.KERNEL32(?,00000080), ref: 00A8E3CB
CopyFileW.KERNEL32(?,?,00000000), ref: 00A8E3D8

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00A8E51A
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00A8E530
CloseHandle.KERNEL32(?), ref: 00A8E551
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00A8E564

Strings

"%s" %s, xrefs: 00A8E44E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$Wow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateExistsHeapNamePathProc
String ID: "%s" %s
API String ID: 3861218247-1070868581
Opcode ID: 7613e449c3d94f4e033b1b054fa64b405312b9440c85fbf9ca5745aa104e5a64
Instruction ID: aee97c403b24664823fda791b0084760aa025561e8abb9a242e92a52cf796a50
Opcode Fuzzy Hash: 7613e449c3d94f4e033b1b054fa64b405312b9440c85fbf9ca5745aa104e5a64
Instruction Fuzzy Hash: 3BD18030E00648DFDB14EBA8CD19BADBBB5FF89314F248259E411AB291EB75AD05CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00AAE860 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 193fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,ps1,ps1,00000003,?,00A87F88), ref: 00AAE978
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00AAE9BE
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00AAE9DB
CloseHandle.KERNEL32(00000000), ref: 00AAE9F5
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00AAEA34

Strings

ps1, xrefs: 00AAE8E1, 00AAE8F3, 00AAE8FD, 00AAE90E
Unable to get temp file , xrefs: 00AAE959
Unable to save script file , xrefs: 00AAEA04

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$CloseHandleWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 3201387394-4253966538
Opcode ID: 9047b4ea2cd374328ef3bf9f5f9265f6174f8ac4c57dc8397baa2a1b1cbe8155
Instruction ID: 2946d2e0b31bed61cd7541a311818a3c830e67c92ac59097e10f50ce1404abab
Opcode Fuzzy Hash: 9047b4ea2cd374328ef3bf9f5f9265f6174f8ac4c57dc8397baa2a1b1cbe8155
Instruction Fuzzy Hash: B161F331A00249EFDB10DBA8CC49BAEBBB5BF89714F144259E911AB3C1DB745E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0093ECF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0093EE08
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0093EE12
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0093EE24
GetExitCodeProcess.KERNEL32(?,?), ref: 0093EE41
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0093EE4B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0093EE58
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0093EE62

Strings

"%s" %s, xrefs: 0093ED90

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s
API String ID: 3234789809-1070868581
Opcode ID: b6d459b4c9037db0161f3d8dbce882e8c81435d8ad6d5c104cb0a1ca67f54e73
Instruction ID: c0a444ae07b570f28fef42a7f6205c0dfbfb1171742394d3b2790743e097ab18
Opcode Fuzzy Hash: b6d459b4c9037db0161f3d8dbce882e8c81435d8ad6d5c104cb0a1ca67f54e73
Instruction Fuzzy Hash: A7513A71E00619DBDB24DF64C808BAEB7B9FF48714F204629E925A72D0EB74A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B40230 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B40267
___except_validate_context_record.LIBVCRUNTIME ref: 00B4026F
_ValidateLocalCookies.LIBCMT ref: 00B402F8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B40323
_ValidateLocalCookies.LIBCMT ref: 00B40378
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00B4038E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00B403A3

Strings

csm, xrefs: 00B4030D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: 0952e2f368059c072e0474b6c2417bfe3c8f1dc71612485fd8b4837f491f48f1
Instruction ID: efc9ecee18b36d7c43d4c4e474a2cb12f14bc3579603c8eae59e1552c7a46793
Opcode Fuzzy Hash: 0952e2f368059c072e0474b6c2417bfe3c8f1dc71612485fd8b4837f491f48f1
Instruction Fuzzy Hash: 2341BF34A10208ABCF10EF68C885A9E7FF0EF49314F1484D5EA186B392C775AB45EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA230 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 373fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ABA35F
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00ABA3B1
ReadFile.KERNEL32(00000000,?,000003FF,?,00000000), ref: 00ABA3F3
ReadFile.KERNEL32(00000000,00000000,000003FF,00000000,00000000,00000000), ref: 00ABA43E
CloseHandle.KERNEL32(00000000), ref: 00ABA4CE
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00ABA656

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00ABA2EF

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$DeleteRead$CloseCreateHandleHeapProcess
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 70679524-3685554107
Opcode ID: b1b698926ef4287ef1e333c1c5fc6ce559ca3e7ac718ed964dee153ad39975a7
Instruction ID: 9debd1c2cc83a2135ded825ddddda58bab7ed34607b96b416c1a3cdfbe9cfb78
Opcode Fuzzy Hash: b1b698926ef4287ef1e333c1c5fc6ce559ca3e7ac718ed964dee153ad39975a7
Instruction Fuzzy Hash: 51E1B0B0A006189FDB10DB28CC98B9DB7B8FF88310F5441E8E605A7392DB34AE45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A90B70 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 304filethreadCOMMON

Download Yara Rule

APIs

GetExitCodeThread.KERNEL32(?,?,201B1858,00000000,00000000,?,?,?,00000000,00BAEA05,000000FF,?,00A899C2,?,000000DC,00000000), ref: 00A90BB6

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A90C6B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A90C95

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Part of subcall function 00A551D0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00C82000,00AA8098,?), ref: 00A551E8
Part of subcall function 00A551D0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00A5521A

WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 00A90E1A
FlushFileBuffers.KERNEL32(?), ref: 00A90E23

Part of subcall function 00AB49F0: CloseHandle.KERNEL32(?,201B1858,?,00000010,?,00000000,00BB5343,000000FF,?,00A90382,00000000,00000000,00000000,00000001,?,0000000D), ref: 00AB4A2A

Strings

CLOSE, xrefs: 00A90DDD, 00A90DEF, 00A90DF9
Advinst_Estimate_, xrefs: 00A90C02, 00A90C14, 00A90C1E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
String ID: Advinst_Estimate_$CLOSE
API String ID: 1271795120-755230127
Opcode ID: 27f95e00657f202ef8a9c27544c66e5e9ac8cd17ad5b1fcf7b9fc2bf3a6c1f05
Instruction ID: 386809a848870a0239ed133ad3ac137cd94f07bef9d7529f8b2a285fc6cfd0e1
Opcode Fuzzy Hash: 27f95e00657f202ef8a9c27544c66e5e9ac8cd17ad5b1fcf7b9fc2bf3a6c1f05
Instruction Fuzzy Hash: CCB19071A00659DFDB00DBA8CC99BAEBBB5AF48320F184168F915A73D2DB349D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A53280 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00A5337F
CloseHandle.KERNEL32(00000000), ref: 00A533A9
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 00A533EA
CloseHandle.KERNEL32(?), ref: 00A5345D

Strings

.bat, xrefs: 00A532D1
open, xrefs: 00A5348A
EXE, xrefs: 00A532D6

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID: .bat$EXE$open
API String ID: 3602564925-2898749727
Opcode ID: 98c701245eabd238a973269d95b15daeb907190530b75d93d99d47e55a0a5f74
Instruction ID: e3c1a3736353aeb794a205b2db61507e16ccfebce0ad0bbbe00d69b9241298b9
Opcode Fuzzy Hash: 98c701245eabd238a973269d95b15daeb907190530b75d93d99d47e55a0a5f74
Instruction Fuzzy Hash: 79B19C71A00648DFDB10DFA8C848BADBBB5BF89315F148259E515AB3D1DB74AE09CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00932C50 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00C81FBC,00000000,201B1858,00000000,00BA4843,000000FF,?,201B1858), ref: 00932DC3
GetLastError.KERNEL32(?,201B1858), ref: 00932DCD

Strings

VolumeCostDifference, xrefs: 00932CA3
VolumeCostRequired, xrefs: 00932C99
VolumeCostAvailable, xrefs: 00932C90
VolumeCostVolume, xrefs: 00932C7D, 00932D35
VolumeCostSize, xrefs: 00932C87

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-34576578
Opcode ID: 3944508347c25976896b0e9e772dd7b93f51c4d99170890a3c16fb554bdcb27f
Instruction ID: 998cb33f87a0e8d0c6c43983873f4bb7177d5897bacff6e1dd3d6048b5e53c4d
Opcode Fuzzy Hash: 3944508347c25976896b0e9e772dd7b93f51c4d99170890a3c16fb554bdcb27f
Instruction Fuzzy Hash: CA51BFB1D042089FDB00CF98DC0979EBBF8FB08314F144669E925A72D0E779AA05CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD610 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00C82000), ref: 00ABD620
LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00C82000), ref: 00ABD633
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00ABD643
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00ABD6D2
SHGetMalloc.SHELL32(?), ref: 00ABD71A

Strings

SHGetSpecialFolderPathW, xrefs: 00ABD63D
Shell32.dll, xrefs: 00ABD62E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 8755de7d09042715ef33f4d417f5294362d19a06ae5aac1f3cccd4264afe8560
Instruction ID: dc0f18dc6b7281d92f29cd1f2c16e8a39106842288fa290ad4c468c69d5fb359
Opcode Fuzzy Hash: 8755de7d09042715ef33f4d417f5294362d19a06ae5aac1f3cccd4264afe8560
Instruction Fuzzy Hash: 2F31E871A007019BEB24AF64DC19BABB7F9BFD4711F04842CE489871E1FB719885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00953880 Relevance: 12.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009538A4
GetWindow.USER32(?,00000005), ref: 009538AF
GetWindow.USER32(00000000,00000002), ref: 00953A2C

Part of subcall function 00953700: GetWindowRect.USER32(?), ref: 00953724
Part of subcall function 00953700: GetWindowRect.USER32(?,?), ref: 00953738

GetWindowRect.USER32(?,?), ref: 00953952
GetWindowRect.USER32(00000000,?), ref: 00953966
GetWindowRect.USER32(00000000,?), ref: 00953984

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: dd2bde3f3811968be5b3a4db921646c72944dae175ea60bda4f35d902897707f
Instruction ID: ddc10e5bc9a458b0f4239bdd3f7e2ee7eb8ea8f70bc47604fa340edfb0338b40
Opcode Fuzzy Hash: dd2bde3f3811968be5b3a4db921646c72944dae175ea60bda4f35d902897707f
Instruction Fuzzy Hash: 7951CF705047049FC710DF62C984B6BB7E9BF89741F508A1DF98293261EB70F988CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0095E830 Relevance: 12.1, APIs: 8, Instructions: 130COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,201B1858,00000000,?,?,?,?,?,?,?,?,00000000,00B6ADA5,000000FF,?,0095E653), ref: 0095E872
GetWindowRect.USER32(?,?), ref: 0095E891
IsWindowEnabled.USER32(?), ref: 0095E8A0
SelectObject.GDI32(00000000,00000000), ref: 0095E90D
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0095E937
SelectObject.GDI32(?,?), ref: 0095E951
DeleteObject.GDI32(00000000), ref: 0095E960
DeleteDC.GDI32(?), ref: 0095E983

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ObjectWindow$DeleteRectSelect$ClipEnabledExclude
String ID:
API String ID: 3871716574-0
Opcode ID: 2274dc1a85c204414bd1aba7bff31c357406e30f3f4a6352dedaa4d4deb1e282
Instruction ID: a87916a75ff614c40cf5ffb7bfce861d4184bc8aa1221854ae6ebbd227e78b24
Opcode Fuzzy Hash: 2274dc1a85c204414bd1aba7bff31c357406e30f3f4a6352dedaa4d4deb1e282
Instruction Fuzzy Hash: CE413D71A00218AFEB04CFA9DD88BAEBBF9FB8C711F104159E905A3290D7756904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0097D800 Relevance: 11.0, APIs: 7, Instructions: 467memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

CreateThread.KERNEL32(00000000,00000000,0097D950,00BF9750,00000000,00000000), ref: 0097D8BC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0097D8D5
CloseHandle.KERNEL32(00000000), ref: 0097D8EB
GetProcessHeap.KERNEL32(?,00000000), ref: 0097DAC5
HeapFree.KERNEL32(00000000,?,00000000), ref: 0097DACB
GetProcessHeap.KERNEL32(?,00000000), ref: 0097DB5C
HeapFree.KERNEL32(00000000,?,00000000), ref: 0097DB62

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Heap$Process$Free$CloseCreateHandleObjectSingleThreadWait
String ID:
API String ID: 3858748702-0
Opcode ID: 970ae1f6f38654ea4ae31a74561a1a5efdf038f5183c2cd47d8832bf504803fe
Instruction ID: 092041065a84c7e0607c4f8fab39b1426016e2db3980af26f41cb952798b6585
Opcode Fuzzy Hash: 970ae1f6f38654ea4ae31a74561a1a5efdf038f5183c2cd47d8832bf504803fe
Instruction Fuzzy Hash: 6A027D71D01218DFDB14CFA4C945BAEBBF8FF48314F248199E519AB291DB74AA05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009507A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 289registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,201B1858), ref: 00950841
GetLastError.KERNEL32 ref: 00950878
RegCloseKey.ADVAPI32(?,00BF4720,00000000,00BF4720,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00950AEE
CloseHandle.KERNEL32(?,201B1858,?,?,00000000,00B685BD,000000FF,?,00BF4720,00000000,00BF4720,00000000,?,80000001,00000001,00000000), ref: 00950B7E

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00950836
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 009508B0

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: 5ada84b6405a8ce1b864859bcf74fbaa1b01228e4aa3fb2e2802400bc0e1e564
Instruction ID: f859da024d2dc19a3daaa5239bba8ec4637dc6ba75297f85f22f3ed1aeffa5f6
Opcode Fuzzy Hash: 5ada84b6405a8ce1b864859bcf74fbaa1b01228e4aa3fb2e2802400bc0e1e564
Instruction Fuzzy Hash: 8AC1EF70D00349EFDB14CF68C849BAEBBB5FF55300F148299E859A7681DB746A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6BAD0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,201B1858), ref: 00A6BD14
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00A6BD24
RegCloseKey.ADVAPI32(00000000), ref: 00A6BD77

Strings

RegOpenKeyTransactedW, xrefs: 00A6BD1E
Advapi32.dll, xrefs: 00A6BD0F

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 4190037839-3913318428
Opcode ID: f0e3e73a980201ed3cdb1b40fab4f7672f0c7ecaff7611bd7e61a1ec7ade3d74
Instruction ID: 0d4d659e339cd71a2a65107d7afa047948dfa9617d3078f786b4bf8984c2a6d8
Opcode Fuzzy Hash: f0e3e73a980201ed3cdb1b40fab4f7672f0c7ecaff7611bd7e61a1ec7ade3d74
Instruction Fuzzy Hash: 1FA149B1D00348DFDB24DFA8C949B9EBBF4BF49304F104659E419EB291DB74AA44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00942B80 Relevance: 10.7, APIs: 7, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00942C80
SysFreeString.OLEAUT32(00000000), ref: 00942D08
GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 00942D80
HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 00942D86
GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,201B1858,?,?,?), ref: 00942DB3
HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,201B1858,?,?,?), ref: 00942DB9
SysFreeString.OLEAUT32(00000000), ref: 00942DD1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: 0d1d45d727620f7fb50c92f2d2b46f7bccaa66e48f5ff77c257951f78de78f09
Instruction ID: baca053d9570c4fed28bac562f292b8b96bca7674334a38a03fffbd81fa6f7bf
Opcode Fuzzy Hash: 0d1d45d727620f7fb50c92f2d2b46f7bccaa66e48f5ff77c257951f78de78f09
Instruction Fuzzy Hash: 72915770D01219DBDF10DFA8C845BAEBBB8BF48314F644599E851AB2D1DB789A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00940974 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 216libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,.dll,00000004,-00000001,00000000,00BF4720,00000000,00000000,00000000), ref: 00940A7D
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00940AC6

Strings

.dll, xrefs: 00940A64
DllGetActivationFactory, xrefs: 00940AC0

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$DllGetActivationFactory
API String ID: 2574300362-1250754257
Opcode ID: b63109ca885b162bf92ca13a6164be73017ba05add73aaf563aa7dd8fc4a2681
Instruction ID: d33fbfe0cd112be5e1ecfd0e6a51d35bf060523f3d4f905f2875160e0e4dc5f5
Opcode Fuzzy Hash: b63109ca885b162bf92ca13a6164be73017ba05add73aaf563aa7dd8fc4a2681
Instruction Fuzzy Hash: CE919970D00208EFDF14DFA8D899FADBBB5FF84308F248559E611A7291DB749A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E040 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 179fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,00B68AAD,000000FF,?,00A6E398,?), ref: 00A6E0F0

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

RemoveDirectoryW.KERNEL32(?,201B1858,?,?,00000000,?,?,00B68AAD,000000FF,?,00A6E398,?,00000000), ref: 00A6E12B
GetLastError.KERNEL32(?,201B1858,?,?,00000000,?,?,00B68AAD,000000FF,?,00A6E398,?,00000000), ref: 00A6E13B
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,00B68AAD,000000FF,?,80004005,201B1858), ref: 00A6E210
GetLastError.KERNEL32(?,?,00000000,?,00000000,00B68AAD,000000FF,?,80004005,201B1858,?,?,00000000,?,?,00B68AAD), ref: 00A6E25B

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Strings

\\?\, xrefs: 00A6E0B1, 00A6E0C3, 00A6E0CD, 00A6E1D1, 00A6E1E3, 00A6E1ED

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 728736790-4282027825
Opcode ID: c9d596733d3cba8183aec8f6b5f15b98d6a33562b539a49c3c5cd9cbc9800457
Instruction ID: 9073a9406d97b84a606e225370e6b86fb075e35d76d88b9103cd1a5fc3cd0a15
Opcode Fuzzy Hash: c9d596733d3cba8183aec8f6b5f15b98d6a33562b539a49c3c5cd9cbc9800457
Instruction Fuzzy Hash: B651903AA00619DFDB10DB68DC58BAEB7B8FF49321F14465AE961933D0DB789904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00950530 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,201B185A), ref: 00950673
CloseHandle.KERNEL32(00000000), ref: 009506D0

Part of subcall function 00B3CA85: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CA90
Part of subcall function 00B3CA85: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CACA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00950737
CloseHandle.KERNEL32(00000000,?), ref: 0095075D

Part of subcall function 00B3CA34: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA3E
Part of subcall function 00B3CA34: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA71
Part of subcall function 00B3CA34: WakeAllConditionVariable.KERNEL32(00C80884,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA7C

Strings

aix, xrefs: 00950631
html, xrefs: 0095062C

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
String ID: aix$html
API String ID: 3683816281-2369804267
Opcode ID: ffb8e725976fe93f718f0d7b120b9ad569acf98e03b988e14be6765df1f6b91d
Instruction ID: 73b24c3953c368329da9649cfde8ad871aea256f9b835d6eac9ff72b780c2351
Opcode Fuzzy Hash: ffb8e725976fe93f718f0d7b120b9ad569acf98e03b988e14be6765df1f6b91d
Instruction Fuzzy Hash: 0E6191B0904348DFDB10DFA4DD49B9EBBF4BB44709F20465DE8016B291EBB56A08CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FB80 Relevance: 10.6, APIs: 7, Instructions: 121processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,201B1858,00000000,00000000), ref: 00A6FBE9
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A6FC61
GetLastError.KERNEL32 ref: 00A6FC72
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A6FC8E
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 00A6FC9F
CloseHandle.KERNEL32(?), ref: 00A6FCA9
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00A6FCC4

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 2d7e8f04ba498413e96022658e64e22a71be648b5099324bf254e2536bd85231
Instruction ID: 494bd4f27b8b31cc39f45ee9e7cd0b8023de45b0e26dbc3ef5d797004e825bab
Opcode Fuzzy Hash: 2d7e8f04ba498413e96022658e64e22a71be648b5099324bf254e2536bd85231
Instruction Fuzzy Hash: E941A271E043499FEB10CFA9DD49BAEBBF4AF49310F148269E820A7290DB349940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A78C10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,00A852FB,?), ref: 00A78C2F
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00A78C45
FreeLibrary.KERNEL32(00000000), ref: 00A78C88
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A852FB,?), ref: 00A78CA4

Strings

DllGetVersion, xrefs: 00A78C3F
Shlwapi.dll, xrefs: 00A78C28

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: f25af7a6fbbecc2b75d481a929930fb091e0d5ec8bc30f5adaea9b4d6ecbba64
Instruction ID: 57c3d30e1ab41b8f23fb6963d0a3debee508a60dc89839f7875851a60ae4782e
Opcode Fuzzy Hash: f25af7a6fbbecc2b75d481a929930fb091e0d5ec8bc30f5adaea9b4d6ecbba64
Instruction Fuzzy Hash: 6721AC76A003059BC314DF69DC8992BFBE4EFDD311F40492EF859D3201EE3898458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B39511 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00B3958C,00B394EF,00B39790), ref: 00B39528
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B3953E
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B39553

Strings

ReleaseSRWLockExclusive, xrefs: 00B39548
KERNEL32.DLL, xrefs: 00B39523
AcquireSRWLockExclusive, xrefs: 00B39538

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 1acf299240d0047aaeda9de7eda6c577e570b730a5973634bf806dfed92d5674
Instruction ID: f3ca03c64eb91eeca927f3438e9cec9c737c20f9797e8fb9fa0e317df0b16c1a
Opcode Fuzzy Hash: 1acf299240d0047aaeda9de7eda6c577e570b730a5973634bf806dfed92d5674
Instruction Fuzzy Hash: C7F0C2327153229B5FA25FA46CC476A77D8EE29355F3600F9E902D3220E6A0CC859794

Uniqueness

Uniqueness Score: -1.00%

Function 00953370 Relevance: 9.2, APIs: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 009533FA
GetClientRect.USER32(?,?), ref: 0095341B
GetParent.USER32(?), ref: 0095343B
SendMessageW.USER32(00000000,00000135,?,?), ref: 0095344B
FillRect.USER32(?,?,00000000), ref: 00953459
EndPaint.USER32(?,?), ref: 0095361C

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: PaintRect$BeginClientFillMessageParentSend
String ID:
API String ID: 732421049-0
Opcode ID: 787832bb159e84df44f9a954fc44bb112166a17f5fe51428b8e0ee3cce7dbf71
Instruction ID: 11ef83f8abe163c24a32652a07923ba13e69df5796143a1a8d8452d24fa3d957
Opcode Fuzzy Hash: 787832bb159e84df44f9a954fc44bb112166a17f5fe51428b8e0ee3cce7dbf71
Instruction Fuzzy Hash: 8C912970900219DFEF21CF69C948BADBBB8FF48304F148199E909A7252DB75AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00975410 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0097545A
std::_Lockit::_Lockit.LIBCPMT ref: 0097547C
std::_Lockit::~_Lockit.LIBCPMT ref: 009754A4
__Getctype.LIBCPMT ref: 00975585
std::_Facet_Register.LIBCPMT ref: 009755E7
std::_Lockit::~_Lockit.LIBCPMT ref: 0097561B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 7d75c755f30f3981b601043ef0b39531103f48b2ffad0540e6b67fe60985f329
Instruction ID: 808b4fb512bcbd3265628414e72e42bc6a9ef4156399118e5d7b71a37d264f55
Opcode Fuzzy Hash: 7d75c755f30f3981b601043ef0b39531103f48b2ffad0540e6b67fe60985f329
Instruction Fuzzy Hash: D6619CB2C00649DBDB40CF58C9417AEFBF4FF54314F258299D809AB391E774AA85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00975210 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0097524D
std::_Lockit::_Lockit.LIBCPMT ref: 0097526F
std::_Lockit::~_Lockit.LIBCPMT ref: 00975297
__Getcoll.LIBCPMT ref: 00975361
std::_Facet_Register.LIBCPMT ref: 009753A6
std::_Lockit::~_Lockit.LIBCPMT ref: 009753E7

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 4d14f4c0a551242fd1584f799f39eb68e535723e4f055147c65a121a1a0ecb23
Instruction ID: 3568e4399cd825bbeb76dace2b858980436eef33a02b54dcdeb75470e170ee0e
Opcode Fuzzy Hash: 4d14f4c0a551242fd1584f799f39eb68e535723e4f055147c65a121a1a0ecb23
Instruction Fuzzy Hash: 0C519B72D00608DFDB01DF98D885B9DFBF4FF40314F2581A9E8196B292E7B4AA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0094ED60 Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,0000005C,?), ref: 0094EDED
GetDC.USER32(?), ref: 0094EE3C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0094EE4B
ReleaseDC.USER32(00000000), ref: 0094EE92

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CapsDeviceObjectRelease
String ID:
API String ID: 2638590286-0
Opcode ID: 2e00da402faa098f0523e5e816be46014120cd03d995f59a80494bac22e85c44
Instruction ID: 8af77cf1b557eec14b0091638f194ab8d047f699620ee4491aded6e0c4ffa91c
Opcode Fuzzy Hash: 2e00da402faa098f0523e5e816be46014120cd03d995f59a80494bac22e85c44
Instruction Fuzzy Hash: B8510875A00349DFDB20DFA5D848BAE7BF8FF08311F10452AF91AA7291D7389904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E13A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B3E131,00B3E0F4,?,?,009723BD,00A6CC90,?,00000008), ref: 00B3E148
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B3E156
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B3E16F
SetLastError.KERNEL32(00000000,00B3E131,00B3E0F4,?,?,009723BD,00A6CC90,?,00000008), ref: 00B3E1C1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: be5d1ca7e8ec8925b4323f4bb521d4e8f60067de7b7e1d4ccc659219b00546b4
Instruction ID: 68600652b42b7cac87cf94c2edc21978588ce5524c851449b7d6da17af42f309
Opcode Fuzzy Hash: be5d1ca7e8ec8925b4323f4bb521d4e8f60067de7b7e1d4ccc659219b00546b4
Instruction Fuzzy Hash: 2A01D83255C7126EA72416B96C85B6E3AE9EF02B75F3002AAF134B11E1EF618C416155

Uniqueness

Uniqueness Score: -1.00%

Function 0096D840 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,00000000,80000000,00000000,00000000,?,00000309,00000000), ref: 0096D95A
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0096D969
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0096D975

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Strings

TabHost, xrefs: 0096D8CA, 0096D8DC, 0096D8E6
SysTabControl32, xrefs: 0096D952

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$CreateFindHeapProcessResourceWindow
String ID: SysTabControl32$TabHost
API String ID: 2520390496-2872506973
Opcode ID: 0a1bfc155e9f0dcd5e19803b1a4b923a04e2a4808317130f82c29150420fd1f1
Instruction ID: 23c561730d4c79f38cb39752f883cc75e60d075ed0b1c3eae5b60b511ad8ffed
Opcode Fuzzy Hash: 0a1bfc155e9f0dcd5e19803b1a4b923a04e2a4808317130f82c29150420fd1f1
Instruction Fuzzy Hash: 5E618035A002149FDB10DF69C884BAEBBB9FF8C310F144169E915AB391DB35AD05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FCF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00A6FE94
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A6FEB0
GetExitCodeProcess.KERNEL32(00000000,00BA8DA7), ref: 00A6FEC1
CloseHandle.KERNEL32(00000000), ref: 00A6FECF

Strings

open, xrefs: 00A6FD70

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID: open
API String ID: 2321548817-2758837156
Opcode ID: ee2482a41f595e6edbe6b96836e22e17dfc1ff2011d323a4102f148795a198c2
Instruction ID: a21ecf2ffddccba98a60941f1654c7b4034c302cff9883e30f8af0e41cf82857
Opcode Fuzzy Hash: ee2482a41f595e6edbe6b96836e22e17dfc1ff2011d323a4102f148795a198c2
Instruction Fuzzy Hash: 0D717A71A006498FDB14CF68D8487AEBBB4FF49324F144269E825A73D1DB79AD05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7220 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00C82000,201B1858,?), ref: 00AA725F
EnterCriticalSection.KERNEL32(?,201B1858,?), ref: 00AA726C
OutputDebugStringW.KERNEL32(00A88D82,?,00000000), ref: 00AA7335
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00AA73C7

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 00AA72B3

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: e073c4f9f294c6dbd3c59c7076f29e91b22b213d18a4af23565902efe9191b3b
Instruction ID: 9636091e752be61660e9fcfb502e46a5d384f3f1f98a62d1d9f47da44ebc8078
Opcode Fuzzy Hash: e073c4f9f294c6dbd3c59c7076f29e91b22b213d18a4af23565902efe9191b3b
Instruction Fuzzy Hash: 1451C035904609CFCF01DF68C844BAEBBB5EF89310F150199ED11AB392DB359D06DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A57300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,201B1858,00000000), ref: 00A57345
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00A5736E
RegCloseKey.ADVAPI32(00000000), ref: 00A573DA

Strings

RegCreateKeyTransactedW, xrefs: 00A57368
Advapi32.dll, xrefs: 00A57340

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 4190037839-2994018265
Opcode ID: a51ce6f0bace2c59aaa022406269274d0997351fb8c458179c0beac852222cd5
Instruction ID: 37bc2b9de8ffe050205594de525ce197a6dac9b4d1f88d00cc64315c0529a72c
Opcode Fuzzy Hash: a51ce6f0bace2c59aaa022406269274d0997351fb8c458179c0beac852222cd5
Instruction Fuzzy Hash: 01317072604205EBEB258F54DC45FAEBBB8FB48721F10412AFD05EB290DB75A904DB94

Uniqueness

Uniqueness Score: -1.00%

Function 009746A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 009746F2
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 009746FF
GetLastError.KERNEL32 ref: 0097473D
CloseHandle.KERNEL32(00000000), ref: 00974774

Strings

SeShutdownPrivilege, xrefs: 0097470D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: SeShutdownPrivilege
API String ID: 2767541406-3733053543
Opcode ID: 160884d28ca0c6c5b28e709e8c80471b38a3b1042efc2a180ba1c867e3463229
Instruction ID: 1ebc7bc749ecad16f62f6cc86258052ab7e36dc987bc8d4830fe64b5a7d4013a
Opcode Fuzzy Hash: 160884d28ca0c6c5b28e709e8c80471b38a3b1042efc2a180ba1c867e3463229
Instruction Fuzzy Hash: CF315C71A402089FEB10DFA0DC49BEEBBF8FB09710F104159E515BB290DB75A904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A2F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00A4A3BD
SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00A4A408

Part of subcall function 00B3CA85: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CA90
Part of subcall function 00B3CA85: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CACA

Part of subcall function 00A28250: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A28292

Part of subcall function 00B3CA34: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA3E
Part of subcall function 00B3CA34: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA71
Part of subcall function 00B3CA34: WakeAllConditionVariable.KERNEL32(00C80884,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA7C

Strings

SetWindowTheme, xrefs: 00A4A3B2
UxTheme.dll, xrefs: 00A4A351
explorer, xrefs: 00A4A3E8

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 1065053019-3123591815
Opcode ID: 0c8d68b3c5c5948c92616c4dec28304743ab694faa5a34b671ebfb0a62f2bed1
Instruction ID: ddf3131e8fee66d764ca2bdfb670d03a6f821ccbb77cfe781d56b4f0db923334
Opcode Fuzzy Hash: 0c8d68b3c5c5948c92616c4dec28304743ab694faa5a34b671ebfb0a62f2bed1
Instruction Fuzzy Hash: EE21A0B5A88705EBC720DF64DC46F9D7BA4EB54B20F200365F525A72D0E770B9408B59

Uniqueness

Uniqueness Score: -1.00%

Function 00954590 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,?,?,?,?,?,?,?,erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}), ref: 009545E1
SelectObject.GDI32(?,?), ref: 009545EC
DeleteObject.GDI32(?), ref: 009545FE
DeleteDC.GDI32(?), ref: 00954623

Strings

erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}, xrefs: 009545CA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DeleteObject$Select
String ID: erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}
API String ID: 207189511-2249997030
Opcode ID: 804ff9b2232c917c06c34df96cd27df4d537f65ac532f654cfdeed327bfcd268
Instruction ID: e8b069b3269c1541efdd349031a39a7d2e26d83de449d09e5e56d93ade69a61d
Opcode Fuzzy Hash: 804ff9b2232c917c06c34df96cd27df4d537f65ac532f654cfdeed327bfcd268
Instruction Fuzzy Hash: EC111971605606FFE710CF6ADD48F6ABBB8FF49721F10421AE814D3690D775A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0094C5A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0094C5CB
BitBlt.GDI32(00000000,?,?,?,00000000,?,00000000,00000000,erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}), ref: 0094C5F6
DeleteDC.GDI32(?), ref: 0094C5FD
ReleaseDC.USER32(?,?), ref: 0094C60A

Strings

erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}, xrefs: 0094C5DF

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID: erty="VerticalContentAlignment" Value="Center" /> <Setter Property="HorizontalAlignment" Value="Left" /> <Setter Property="VerticalAlignment" Value="Top" /> <Setter Property="FontFamily" Value="{ThemeResource ContentControlThemeFontFamily}
API String ID: 2015589292-2249997030
Opcode ID: 2be3e247034f22dcf34421973b9bfe1d82c4fdd6ef371c30199015a345785301
Instruction ID: f8a386ee815760eafe57c076db7405ff0caea79f8efde9adfba36651ecc0f762
Opcode Fuzzy Hash: 2be3e247034f22dcf34421973b9bfe1d82c4fdd6ef371c30199015a345785301
Instruction Fuzzy Hash: 18010572204201AFE304DF69CC89F2FBBE9FB88311F444519F54992661D774E8148BA6

Uniqueness

Uniqueness Score: -1.00%

Function 009556A0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 346memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00000000,201B1858), ref: 00955766
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,201B1858), ref: 0095576C
GetProcessHeap.KERNEL32(?,00000000), ref: 00955905
HeapFree.KERNEL32(00000000,?,00000000), ref: 0095590B

Strings

#, xrefs: 00955A35

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: #
API String ID: 3859560861-1885708031
Opcode ID: 3c2f8e25af4bac86c194c60bfa463da279193c5b72051bbe6c24e5b972d7d0ba
Instruction ID: 5a06a9e14b98382db19f46a2565df356725f35c67ba793f8670e8e54e9695440
Opcode Fuzzy Hash: 3c2f8e25af4bac86c194c60bfa463da279193c5b72051bbe6c24e5b972d7d0ba
Instruction Fuzzy Hash: A6D18A71D01609CFDB04CFA9C9A4BEEBBF4FF84325F6042A9D81567291D7791A08CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0094E520 Relevance: 7.8, APIs: 5, Instructions: 306COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00C81F9C,201B1858,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00B67E85), ref: 0094E58A
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00B67E85), ref: 0094E604

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalEnterFileModuleNameSection
String ID:
API String ID: 764724386-0
Opcode ID: dbdfd2f7227a19c95f83b518236c0219c8de4dc15a280bb97a76005abbc00fff
Instruction ID: 79d629ec8556f133a2034bce826c8be8d4da5bc5b301aeb6f3a26f220ffd17d1
Opcode Fuzzy Hash: dbdfd2f7227a19c95f83b518236c0219c8de4dc15a280bb97a76005abbc00fff
Instruction Fuzzy Hash: EFC16D75A00259DFDB11CF68D848FAEBBB8BF49314F144059E805E73A1DB79AD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009592C0 Relevance: 7.7, APIs: 5, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00959332
GetParent.USER32(00000001), ref: 0095935D
SendMessageW.USER32(00000000,00000138,?,00000001), ref: 0095936D
FillRect.USER32(?,?,00000000), ref: 0095937B
ReleaseDC.USER32(00000001,00000000), ref: 0095954E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FillMessageParentRectReleaseSend
String ID:
API String ID: 2215362955-0
Opcode ID: 93dc928a3f2ef4f8d122e57aac850d6adb140375ef7616ace5aee0f62fad5ac4
Instruction ID: ba54a97d90d076fd379f17d71a7d465e255d51e8f2465ab9dcf30d8c72b2109d
Opcode Fuzzy Hash: 93dc928a3f2ef4f8d122e57aac850d6adb140375ef7616ace5aee0f62fad5ac4
Instruction Fuzzy Hash: 1E9159B1A01619EFEF15CFA5CD44BAEBBB8FF08301F144129E905E7660E731A915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B220 Relevance: 7.7, APIs: 5, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,201B1858,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00BA332D), ref: 00A4B250
GetWindowRect.USER32(?,00000000), ref: 00A4B270
IsWindowEnabled.USER32(?), ref: 00A4B2A1
GetFocus.USER32 ref: 00A4B2AF
DeleteDC.GDI32(?), ref: 00A4B3EE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$DeleteEnabledFocusRect
String ID:
API String ID: 733580484-0
Opcode ID: 149ce0fdee779cf2c1a14f0871837a1ceeb305022993b5deaf0f93005c954326
Instruction ID: ba6a70a100c9ee903fc5e0a932b95e89fd756cc031067c539f77c530f39001e8
Opcode Fuzzy Hash: 149ce0fdee779cf2c1a14f0871837a1ceeb305022993b5deaf0f93005c954326
Instruction Fuzzy Hash: FB6125B4A00619EFEF14DFA4D888BEDBBF8FF48300F14416AE415A7290DB75A944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B420 Relevance: 7.6, APIs: 5, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A4B489

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Part of subcall function 009547D0: GetWindowTextLengthW.USER32(?), ref: 009547D7

IsWindowEnabled.USER32(?), ref: 00A4B4CD
GetFocus.USER32 ref: 00A4B4DA
GetDC.USER32(?), ref: 00A4B508

Part of subcall function 00A74070: SelectObject.GDI32(?,?), ref: 00A740D3
Part of subcall function 00A74070: SetTextColor.GDI32(?,?), ref: 00A74122
Part of subcall function 00A74070: DrawTextW.USER32(?,?,?,?,00000024), ref: 00A74140
Part of subcall function 00A74070: SelectObject.GDI32(?,?), ref: 00A7414C

CallWindowProcW.USER32(?,?,?,?,?), ref: 00A4B537

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: TextWindow$ObjectSelect$CallClientColorDrawEnabledFocusHeapLengthProcProcessRect
String ID:
API String ID: 2968277462-0
Opcode ID: bf54a1d5548ba46a1d85ffc92257c4527efb1bec915c192340dd115147ae68ff
Instruction ID: 78fb6db71ae223889c49a8fe1ada49ed919a58d7bd5feb213068e446673cdf4e
Opcode Fuzzy Hash: bf54a1d5548ba46a1d85ffc92257c4527efb1bec915c192340dd115147ae68ff
Instruction Fuzzy Hash: 6C510675900208DFDB01DF64D984BADBBB5FF48320F18816AE816AB2A1DB35ED00CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00948AB0 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00948B0F
GetDlgItem.USER32(?,?), ref: 00948B34
SendMessageW.USER32(?,?,?,?), ref: 00948C08

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: ed1776e5e4a4656d73a268ce300f7a934509631beb44905d1b6687dba223eb8b
Instruction ID: 86f688fff1c68da2a8c5cb393d649c1cf79b55240227d9843cf46359487c9c2e
Opcode Fuzzy Hash: ed1776e5e4a4656d73a268ce300f7a934509631beb44905d1b6687dba223eb8b
Instruction Fuzzy Hash: 8341B1B2205101AFD7198F18DC98E7FB7B9FB88311F148A6AE546C75A1DF22ED10DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A679F0 Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A67A24
std::_Lockit::_Lockit.LIBCPMT ref: 00A67A46
std::_Lockit::~_Lockit.LIBCPMT ref: 00A67A6E
std::_Facet_Register.LIBCPMT ref: 00A67B57
std::_Lockit::~_Lockit.LIBCPMT ref: 00A67B8B

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: b9f119f78ddf94af361097c63070c1ccfdbc3587bfe02e833a0bf192525e820e
Instruction ID: 265f6b907db93940ae1463e0ec2ff552657a7541f5e5dd4dcaaca1eec61ce1e3
Opcode Fuzzy Hash: b9f119f78ddf94af361097c63070c1ccfdbc3587bfe02e833a0bf192525e820e
Instruction Fuzzy Hash: 9151DD71908249DFDB01CF98C884BAEBBF4FF50318F244199E815AB391E7B4AE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00965CC0 Relevance: 7.6, APIs: 5, Instructions: 122windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 00965D51
SendMessageW.USER32(?,00001012,00000000,?), ref: 00965DA5
SendMessageW.USER32(?,0000102C,000000FF,0000F000), ref: 00965DC1
SendMessageW.USER32(?,0000102B,000000FF,?), ref: 00965DF3
SetFocus.USER32(00000000), ref: 00965E10

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: c9433964dd958cf4680dc2df455056d349be1f27a825555d3fad184679bb675d
Instruction ID: 5d3b31c7b94aa96685e7282a7471bea5064d43fe8803292234226258e8103589
Opcode Fuzzy Hash: c9433964dd958cf4680dc2df455056d349be1f27a825555d3fad184679bb675d
Instruction Fuzzy Hash: F1416D75A00609DFDB20CF64C848BADBBF5FF48710F10822AE826A7791DB74A851CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0096AA10 Relevance: 7.6, APIs: 5, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,?,00000000), ref: 0096AA5B
GetClientRect.USER32(?,?), ref: 0096AA95
GetDC.USER32(?), ref: 0096AAAC
GetDeviceCaps.GDI32(00000000), ref: 0096AAB3
GetObjectW.GDI32(00000000,0000005C,?), ref: 0096AAF2

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CapsClientDeviceMessageObjectRectSend
String ID:
API String ID: 4027903330-0
Opcode ID: a41f5437a617b5c5311f5131ec96ea5bc1f4795996eea347947b9357ccaddec0
Instruction ID: 2140475d1b5255eb6cc320416b3a5cc7f102972fe4c05946d9e259d4e7426666
Opcode Fuzzy Hash: a41f5437a617b5c5311f5131ec96ea5bc1f4795996eea347947b9357ccaddec0
Instruction Fuzzy Hash: 95418B316043059FE721DB35C849F9EBBE8BF88300F004A1AF54AA72A1DB35A915CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00959810 Relevance: 7.6, APIs: 5, Instructions: 113timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(201B1858,201B1858,?), ref: 0095984F
EnterCriticalSection.KERNEL32(?,201B1858,?), ref: 0095985C
KillTimer.USER32(?,00000001), ref: 009598A4
SetTimer.USER32(?,00000001,?,00000000), ref: 0095991C
LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00959933

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalSection$Timer$EnterInitializeKillLeave
String ID:
API String ID: 160562401-0
Opcode ID: 5383f992aa605702e1161ba13aae70cc251379b3904de0a671c0c7ac9545f3c1
Instruction ID: e78a52b8644ea1e2460c9740ae254c062dbd230b8e130a45f8d82ff42ecf1478
Opcode Fuzzy Hash: 5383f992aa605702e1161ba13aae70cc251379b3904de0a671c0c7ac9545f3c1
Instruction Fuzzy Hash: 7D41C134600741DFEB21CF29C844BAABBB5FF46311F104569EDA6D7391CB31A919CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00952860 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 009528B6
GetClientRect.USER32(?,00000000), ref: 009528DC
GetParent.USER32(?), ref: 009528EA

Part of subcall function 00B3C159: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00A9C861,?,?,?), ref: 00B3C15E
Part of subcall function 00B3C159: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00B3C165

SetWindowLongW.USER32(?,000000EB), ref: 0095292B
ShowWindow.USER32(?,00000000), ref: 0095294D

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Window$HeapLong$AllocClientParentProcessRectShow
String ID:
API String ID: 3563161840-0
Opcode ID: bf79922fb37993acf58a3463d07aa22a99cea303ec31c5033bd45ec81fd76c34
Instruction ID: 396eaa77bb891c424c8ecc4ad0786e26174fe47be158db84d204aaf38409e976
Opcode Fuzzy Hash: bf79922fb37993acf58a3463d07aa22a99cea303ec31c5033bd45ec81fd76c34
Instruction Fuzzy Hash: 9C316D756002149FDB14EF69DC84A2E7BE9FF89311B54419AFC05AB262DB34DC05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A9B0 Relevance: 7.6, APIs: 6, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?), ref: 00A6A9C2
LocalFree.KERNEL32(?,?,?), ref: 00A6A9D6
GetLastError.KERNEL32 ref: 00A6AA18
LocalAlloc.KERNEL32(00000040,00000014), ref: 00A6AA58
GetLastError.KERNEL32 ref: 00A6AA72
LocalFree.KERNEL32(?), ref: 00A6AA83

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocAllocateHeap
String ID:
API String ID: 1027944315-0
Opcode ID: 2eefcb676664b4516904fe4cdf69c0b57c980dadac7488ae249a8986d934b088
Instruction ID: 02d77497d6fc8047a671dade2d1211e7c454b927fd9c653efb75284dac4750ec
Opcode Fuzzy Hash: 2eefcb676664b4516904fe4cdf69c0b57c980dadac7488ae249a8986d934b088
Instruction Fuzzy Hash: 14311971600701AFE7208FA5D949B5BB7F8FF58741F04492AE986E2550E774D908CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0094C250 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0094C292
ClientToScreen.USER32(?,?), ref: 0094C2A4
GetParent.USER32(?), ref: 0094C2AE
ScreenToClient.USER32(00000000,?), ref: 0094C2C0
ScreenToClient.USER32(00000000,?), ref: 0094C2D0

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ClientScreen$Parent
String ID:
API String ID: 3677003336-0
Opcode ID: a933f1435a6c4957c18028d1c37cb329d03ec655548df76a445391f761ee1bed
Instruction ID: c26078114deb1257c4c52710b6d1730eb23b578bbe8b29c9f578c858a38f6c65
Opcode Fuzzy Hash: a933f1435a6c4957c18028d1c37cb329d03ec655548df76a445391f761ee1bed
Instruction Fuzzy Hash: 6E214D72204202AFE315DF68CC45E6FBBE9FF98710F40492DF899D2220E771D9448B62

Uniqueness

Uniqueness Score: -1.00%

Function 00942680 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 009426CA
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 009426D0
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 009426F3
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00B65A66,000000FF), ref: 0094271B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00B65A66,000000FF), ref: 00942721

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 685cbfab7e21ee0ee4ffc7b82c38b336e4ca1cf4ba5937b481eb4c290a04ca41
Instruction ID: 48d9ea611ecb0cd219244e17a5141b53ffdbb256c3b4c429abe2a5b829110ff8
Opcode Fuzzy Hash: 685cbfab7e21ee0ee4ffc7b82c38b336e4ca1cf4ba5937b481eb4c290a04ca41
Instruction Fuzzy Hash: 92114CB1A44219ABEB10DBA4CD46FAFBBF8FB04B04F104559F514A72C1DBB59A0487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAEFB0 Relevance: 7.6, APIs: 5, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00AAEFB0,80000000,00000000,00000000,00000003,00000080,00000000,201B1858,?,00AAEFB0), ref: 00AAEFEC
GetLastError.KERNEL32 ref: 00AAF00A
ReadFile.KERNEL32(00000000,201B1858,00000004,00AAEFB0,00000000), ref: 00AAF020
GetLastError.KERNEL32 ref: 00AAF02A
CloseHandle.KERNEL32(00000000), ref: 00AAF049

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID:
API String ID: 3160720760-0
Opcode ID: f32e5c0eb3487bff520d0348b4034444fc0f515028e32dbe6473895b086eedc3
Instruction ID: 3dcd1d8ba5f903013e118ef99eca3a2642863c3a38a71f2261b7c41b115bbd4d
Opcode Fuzzy Hash: f32e5c0eb3487bff520d0348b4034444fc0f515028e32dbe6473895b086eedc3
Instruction Fuzzy Hash: 5E116375A00205AFD7209F94DD09F6ABBB8EB49B60F100269EA11B72D0EBB559048794

Uniqueness

Uniqueness Score: -1.00%

Function 0095E100 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0095E10A
SendMessageW.USER32(?,?,?,0000102B), ref: 0095E161
SendMessageW.USER32(?,?,?,0000102B), ref: 0095E1B4
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 0095E1C9
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 0095E1DA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: dd4009c592fbccc4b49a17460983aedf4b9e3988d8a145f27a048988617173cc
Instruction ID: 260dc6a0d8d784e6c2de8a75b9215835508f8077ba40e219917430b8a2c7d592
Opcode Fuzzy Hash: dd4009c592fbccc4b49a17460983aedf4b9e3988d8a145f27a048988617173cc
Instruction Fuzzy Hash: D2211F31918786A7E320CF50DD45B1ABBF5BFDD718F206B0EF584211A4E7B195848B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00A938C0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000010,201B1858,?,00000010,?), ref: 00A93BFE

Part of subcall function 00A6A020: GetCurrentProcess.KERNEL32 ref: 00A6A072
Part of subcall function 00A6A020: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00A6A07F
Part of subcall function 00A6A020: GetLastError.KERNEL32 ref: 00A6A089
Part of subcall function 00A6A020: FindCloseChangeNotification.KERNEL32(00000000), ref: 00A6A16C

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Strings

Extraction path set to:, xrefs: 00A93C61
\\?\, xrefs: 00A93C0B
[WindowsVolume], xrefs: 00A9395C, 00A9396E, 00A93978

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Process$Find$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 1213284423-3538578949
Opcode ID: 2cb3ceb9adab40a9a2347578a38b3b2f9caa401cf33636b2712ea7627c4881f9
Instruction ID: 2c3ba5c833af0b7f1ac2a8a546e2924a32f998d0f23b5f3ef1820fded8d12436
Opcode Fuzzy Hash: 2cb3ceb9adab40a9a2347578a38b3b2f9caa401cf33636b2712ea7627c4881f9
Instruction Fuzzy Hash: B4D1D431A006099FDF04DBA8C994BAEB7F5FF44324F244258E915A73D2DB74AE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A19C10 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,00C874CC,00000000), ref: 00A19F0C

Strings

Dialog, xrefs: 00A19D3A
`Dialog` = ', xrefs: 00A19CED
AI_FRAME_NO_CAPTION_, xrefs: 00A19C61

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: InfoParametersSystem
String ID: AI_FRAME_NO_CAPTION_$Dialog$`Dialog` = '
API String ID: 3098949447-2270296660
Opcode ID: dd6d4a888e7653101b7cf6aecd675ce5fb0b7b4f9d4dcaac4bcd71041bb14a0c
Instruction ID: c0e7c614b29a0a8590afce8a1950c9d0dba0fd6cf7fa0bf5a0469c7c87369803
Opcode Fuzzy Hash: dd6d4a888e7653101b7cf6aecd675ce5fb0b7b4f9d4dcaac4bcd71041bb14a0c
Instruction Fuzzy Hash: 7BD1AF71D04208DFCB14DF68D955B9EBBB5FF88314F24826AE815A72A2E770A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0096A790 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 0096A96B
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0096A97A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0096A986

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Strings

RichEdit20W, xrefs: 0096A963

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: 16e861e05539ed441d77b617f3d7aff848d52dfed4348005cd36b19a2871ffe6
Instruction ID: 8f5bb88e526465daa094cde6dc8885dc0de123f652a4897d4f5fa5f7753d7e1f
Opcode Fuzzy Hash: 16e861e05539ed441d77b617f3d7aff848d52dfed4348005cd36b19a2871ffe6
Instruction Fuzzy Hash: 3EC17A71E002189FDB14CFA8C894BAEBBB9EF48310F14416AE916B7391DB75AD01CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00AA82D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00ABD610: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00C82000), ref: 00ABD620
Part of subcall function 00ABD610: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00C82000), ref: 00ABD633
Part of subcall function 00ABD610: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00ABD643

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00C82000), ref: 00AA83C6

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Strings

ADVINST_LOGS, xrefs: 00AA83B9
Everyone, xrefs: 00AA83E9

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: c59be74a8774d2e4a62a5de4630eadee08fa96adf72eaa94a7f082c50f023627
Instruction ID: dd47119d3977127d7c6563a585db5938117d3e60308e561fe8e4d6df0819efe3
Opcode Fuzzy Hash: c59be74a8774d2e4a62a5de4630eadee08fa96adf72eaa94a7f082c50f023627
Instruction Fuzzy Hash: 98A1CC71D01209CBDB04DFA8C959BAEBBB1AF49324F244158E912AB3D1DB395E04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00964AD0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Part of subcall function 00A49E40: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,0095D678,?,80004005,?), ref: 00A49ECA
Part of subcall function 00A49E40: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,00000000,?,0095D678,?,80004005,?), ref: 00A49EDB
Part of subcall function 00A49E40: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A49F04

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00964CA1
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00964CBC
SendMessageW.USER32(?,00001061,00000000,?), ref: 00964D1C

Strings

QuickSelectionList, xrefs: 00964BB8, 00964BCA, 00964BD4

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID: QuickSelectionList
API String ID: 884508843-3633591268
Opcode ID: 66069ed5e1a7670ad78a1bc541e7cc3f8b38070e00aa9dfa164941fa9e3cc021
Instruction ID: 3d0df3140f641d1109d6aecdf90ed49725ea706de4c15b20fadfdd57289734e4
Opcode Fuzzy Hash: 66069ed5e1a7670ad78a1bc541e7cc3f8b38070e00aa9dfa164941fa9e3cc021
Instruction Fuzzy Hash: 2D81AC35A002089FDB14DFA4D884BAEBBF5FF88324F14056AF915A7391DB34A904CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00AB08A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00AB09D3

Strings

User refused to install a newer version., xrefs: 00AB0A71
User accepted to install a newer version., xrefs: 00AB0A68, 00AB0A8F, 00AB0A90

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ActiveWindow
String ID: User accepted to install a newer version.$User refused to install a newer version.
API String ID: 2558294473-4113633398
Opcode ID: ab6ae40bf833b590f4fb6863b392f4c514eff0859aa222cde2387a78e0662ad7
Instruction ID: 7c6e18cecde6275ff54158f4cc3489aaa6a769062ff12dd4bb912e16cbf56f0c
Opcode Fuzzy Hash: ab6ae40bf833b590f4fb6863b392f4c514eff0859aa222cde2387a78e0662ad7
Instruction Fuzzy Hash: AC81E731A006089FDB05DF68C855BAEBBF5EF89324F14815DE815A7392DB359D02CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA87B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,201B1858,?,80000002,80000002), ref: 00AA8803
CloseHandle.KERNEL32(?,201B1858,80000002,?,00000000,00BB3033,000000FF,?,80004005,?,80000002), ref: 00AA89A0
CloseHandle.KERNEL32(00000000,201B1858,80000002,?,00000000,00BB3033,000000FF,?,80004005,?,80000002), ref: 00AA89CF

Strings

LOG, xrefs: 00AA8877

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: 18aa9927e3fbc1b587760b171ab27c39a7e87fc78dad75f2ec9c27de10f9b9c4
Instruction ID: 5fe796616d087d9861277ef968712dd626fd59d918117d8f3a30b64fc56e4574
Opcode Fuzzy Hash: 18aa9927e3fbc1b587760b171ab27c39a7e87fc78dad75f2ec9c27de10f9b9c4
Instruction Fuzzy Hash: BD61D071A00248DFDB24DF68C848BABB7F5FF49700F54466DE816DB290EB789A04CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9720 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,201B1858), ref: 00AB9757

Part of subcall function 00A551D0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00C82000,00AA8098,?), ref: 00A551E8
Part of subcall function 00A551D0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 00A5521A

Strings

*.*, xrefs: 00AB97ED, 00AB9808
.pack, xrefs: 00AB9AE1
.jar, xrefs: 00AB9BBF

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiWide$ObjectSingleWait
String ID: *.*$.jar$.pack
API String ID: 3339361032-3892993289
Opcode ID: 71354940398b3da21341f88a125572d1a38a4d0ec20517dc58362c75e0e1bf0e
Instruction ID: 3ba59f74e8a526fd6b0029df8fed21a75e2b423c130e2b31d6cf93543ab79479
Opcode Fuzzy Hash: 71354940398b3da21341f88a125572d1a38a4d0ec20517dc58362c75e0e1bf0e
Instruction Fuzzy Hash: 8E615274E006199FDB04DFA8C894BDEB7B9FF49320F144259E521A7392DB34A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A6E160 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,00B68AAD,000000FF,?,80004005,201B1858), ref: 00A6E210

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

DeleteFileW.KERNEL32(?,201B1858,?,?,?,?,00000000,00B68AAD,000000FF,?,00A6DF7A), ref: 00A6E24B
GetLastError.KERNEL32(?,?,00000000,?,00000000,00B68AAD,000000FF,?,80004005,201B1858,?,?,00000000,?,?,00B68AAD), ref: 00A6E25B

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Strings

\\?\, xrefs: 00A6E0B1, 00A6E0C3, 00A6E0CD, 00A6E1D1, 00A6E1E3, 00A6E1ED

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: DeleteFile$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 2079828947-4282027825
Opcode ID: 4365c0c048aac37e70e9ccb6dd10e9f1bf156bd542ad74bd9b70f13b4dee13bf
Instruction ID: fb439d06a5c0241fd71640a70c87e8386e3fae82ed78b4329759f44969e6cb24
Opcode Fuzzy Hash: 4365c0c048aac37e70e9ccb6dd10e9f1bf156bd542ad74bd9b70f13b4dee13bf
Instruction Fuzzy Hash: 06318F3AA00619DFDB00DBA8CD58BAEB7B9FF49321F14465AE961D3390DB359904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00942A60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00942AA4
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00942AAA

Strings

RoOriginateLanguageException, xrefs: 00942A9A
combase.dll, xrefs: 00942A9F

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: b0a3a0fd969a561e33c11aaa13c75336cff59b9ec9149e4fb0f9909c0d69c082
Instruction ID: 2cab69c319cf904a9ce63f522f1e1244940ff1c17944ad5f10ce79987f5707e4
Opcode Fuzzy Hash: b0a3a0fd969a561e33c11aaa13c75336cff59b9ec9149e4fb0f9909c0d69c082
Instruction Fuzzy Hash: 69317A71900219EBDB20DF94C945BEEBBF8FB44714F54026AF911A72D0DBB45A44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00AA95BA,00000000,201B1858,?,?,00000000), ref: 00AAB87E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00AA95BA,00000000,201B1858,?,?,00000000), ref: 00AAB8A9
GetLastError.KERNEL32(00AA95BA,00000000,201B1858,?,?,00000000,?,?,?,?,?,00BB32F5,000000FF,?,00AA8FF2,?), ref: 00AAB913

Strings

AdvancedInstaller, xrefs: 00AAB8FA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: 51b8ce8e131c4bc358b0ceea7de105d0008748c9ecaeefef4e020b7e752ea378
Instruction ID: 102026e23832919535a3a699edfd0d155346eb3b040f272d19fca62b570c83ed
Opcode Fuzzy Hash: 51b8ce8e131c4bc358b0ceea7de105d0008748c9ecaeefef4e020b7e752ea378
Instruction Fuzzy Hash: C8217231650304EBEB14AF25DC89F163BA8FF8A705F100069F9019B2D6DB76E801CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A772C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3CA85: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CA90
Part of subcall function 00B3CA85: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B446,00C8149C,201B1858,?,?,00B63F3D,000000FF,?,00AB486D,201B1858,?), ref: 00B3CACA

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00A7731E
GetProcAddress.KERNEL32(00000000), ref: 00A77325

Part of subcall function 00B3CA34: AcquireSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA3E
Part of subcall function 00B3CA34: ReleaseSRWLockExclusive.KERNEL32(00C80888,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA71
Part of subcall function 00B3CA34: WakeAllConditionVariable.KERNEL32(00C80884,?,?,0093B4B7,00C8149C,00BC7840), ref: 00B3CA7C

Strings

SymFromAddr, xrefs: 00A77314
Dbghelp.dll, xrefs: 00A77319

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 1702099962-642441706
Opcode ID: 50ba352b90cddeb55192d95903f481ec235402fa89fd0f47b6e200dd917c5524
Instruction ID: 7f0e911f6a3e4d4320542fb09dae850ed3345930c2b21af388b76b00b0c5902e
Opcode Fuzzy Hash: 50ba352b90cddeb55192d95903f481ec235402fa89fd0f47b6e200dd917c5524
Instruction Fuzzy Hash: 9801B1B1948605DFC714CF94DC45F9C77A4F708B24F2043A5E826A37D0E774A600DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00B4120C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00B411BD,?,?,00000000,?,?,?,00B412E7,00000002,FlsGetValue,00BEECEC,FlsGetValue), ref: 00B41219
GetLastError.KERNEL32(?,00B411BD,?,?,00000000,?,?,?,00B412E7,00000002,FlsGetValue,00BEECEC,FlsGetValue,?,?,00B3E15B), ref: 00B41223
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00B4124B

Strings

api-ms-, xrefs: 00B41230

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 464d5b505fa7677513ce72335b0cbcd03ff7a1dd667953fc3ab0f2dc9cc6994d
Instruction ID: c464ebf3907b7aecde41aa45dce5b08bbeb4e7b72d9380e6ff7cae564006553d
Opcode Fuzzy Hash: 464d5b505fa7677513ce72335b0cbcd03ff7a1dd667953fc3ab0f2dc9cc6994d
Instruction Fuzzy Hash: 84E04F30A80204F7FF101B65EC4AF193BAAEF40B44F108460FA0CE90E1DBA1DA90A695

Uniqueness

Uniqueness Score: -1.00%

Function 00943780 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,201B1858,?,00000004), ref: 009437DB
DeleteFileW.KERNEL32(?,?,00000004), ref: 0094381F
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 0094382E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID:
API String ID: 2411147693-0
Opcode ID: 0786daaa3dabcad8258c1281ef2bfa77db8385bc9800625c8b5d493e1713723f
Instruction ID: 3219dd4781647c0c337ddcf972deef1c698b5f4a8859011141bc9c7168460a7d
Opcode Fuzzy Hash: 0786daaa3dabcad8258c1281ef2bfa77db8385bc9800625c8b5d493e1713723f
Instruction Fuzzy Hash: D7D17E70D04249DFDB24DF68C959BADBBB4FF54304F20829AE815A7291EB746B84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0095D4A0 Relevance: 6.3, APIs: 4, Instructions: 337windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 0095D61D
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 0095D636

Part of subcall function 0093B010: RtlAllocateHeap.NTDLL(?,00000000,?,201B1858,00000000,00B639C0,000000FF,?,?,00C7843C,?,?,00AB48D7,80004005,201B1858,?), ref: 0093B05A

Part of subcall function 00A49E40: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,0095D678,?,80004005,?), ref: 00A49ECA
Part of subcall function 00A49E40: RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,00000000,?,0095D678,?,80004005,?), ref: 00A49EDB
Part of subcall function 00A49E40: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A49F04

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0095D773
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 0095D86F

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend$Window$AllocateHeapRedraw
String ID:
API String ID: 884508843-0
Opcode ID: b193a019fa48ec552155059d2c44cc21854dc3477408deb6a784f823acb44642
Instruction ID: afde163f5a2ded95864b3111fd50b6da2921a9383d0a4df5d2888fce7436ad3b
Opcode Fuzzy Hash: b193a019fa48ec552155059d2c44cc21854dc3477408deb6a784f823acb44642
Instruction Fuzzy Hash: BFD19C71E01209EFDB14DFA8C884BEEBBB5FF48315F10421AE915A7290DB75A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00947BA0 Relevance: 6.3, APIs: 4, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00947C88
SysFreeString.OLEAUT32(00000000), ref: 00947CDC
SysFreeString.OLEAUT32(00000000), ref: 00947CFE
SysFreeString.OLEAUT32(00000000), ref: 00947E90

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 1c2ab14777fb55bc528b737020bb3583d70aaa05326f0824a97195d45cb79ef0
Instruction ID: 8c3f09205b6bfed1accd10f55eb1dc1283a6f5580389d233f39211893948caab
Opcode Fuzzy Hash: 1c2ab14777fb55bc528b737020bb3583d70aaa05326f0824a97195d45cb79ef0
Instruction Fuzzy Hash: 63B14A71A0425ADFDB10DFA8CC44FAEBBB8EF48714F104169E915E7290DB74AE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00967120 Relevance: 6.3, APIs: 4, Instructions: 279windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00967221
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00967256
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00967412
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00967438

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0d57b3371f001d30507d86f596bcc53d243d579dbcb547b4d934471c58267b77
Instruction ID: 2490bc24b8babaf883f004edc6a6e5ad646cb5375d27941ee0387cbc58e0810c
Opcode Fuzzy Hash: 0d57b3371f001d30507d86f596bcc53d243d579dbcb547b4d934471c58267b77
Instruction Fuzzy Hash: 62B16B71A04218DFDB15CFA8D884BAEBBF9FF48314F1545AAE815AB391DB30AC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0095E330 Relevance: 6.2, APIs: 4, Instructions: 222COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 0095E441
IsWindowEnabled.USER32(?), ref: 0095E497
CopyRect.USER32(00000000,?), ref: 0095E501
IsWindowEnabled.USER32(?), ref: 0095E51A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: EnabledWindow$CopyRect
String ID:
API String ID: 2919275910-0
Opcode ID: e5a87f8713aaaa3dd5cfe3b5a976127a946a88770e300117253b816affc9632b
Instruction ID: 0c62a3ec81cfd70fd722e840d2ee22ba2e90b88721cbbf2dd71fb3443d4a926b
Opcode Fuzzy Hash: e5a87f8713aaaa3dd5cfe3b5a976127a946a88770e300117253b816affc9632b
Instruction Fuzzy Hash: 9E819F71A006149FDB18CF69C898BADBBE5FB8C311F148159EC12A7391DB34AD06CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A591A0 Relevance: 6.2, APIs: 4, Instructions: 217COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00C81FBC,201B1858,00C78AB8,04EFC648,?,00C81FAC,00C78AB8,00B63E40,000000FF,?,00A593FF), ref: 00A59242
EnterCriticalSection.KERNEL32(00C81F9C,201B1858), ref: 00A592BF
DestroyWindow.USER32(00000000), ref: 00A592DD
LeaveCriticalSection.KERNEL32(00C81F9C), ref: 00A59326

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalSection$DeleteDestroyEnterLeaveWindow
String ID:
API String ID: 307358592-0
Opcode ID: dedd67a00bd5c54066a452859307faccfa3990821585acd4369a76c01d5c368a
Instruction ID: 2ed6b3742fa47270b6931476159d9f050bd6889864b90eac2eb310801027376a
Opcode Fuzzy Hash: dedd67a00bd5c54066a452859307faccfa3990821585acd4369a76c01d5c368a
Instruction Fuzzy Hash: 54718172A00614DBDB209F58DC49B5BBBF8FF48721F18416DEC15AB391DB74A804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A92140 Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00A8CC72,00000000,?,00000000,00000000,?,00000000,?,?,?,00A8CC72,?,00000003), ref: 00A9220D
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00A8CC72,?,00000003,00000009,201B1858,00000000), ref: 00A9221E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00A8CC72,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00A9223F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00A8CC72,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00A92291

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a86d14cee1d312545cbb909de2f67b061aa1e3be3baaa80695d8fd7630a7d018
Instruction ID: 030f3f434bcaa5cff55b43e68c122faba9955353059bf997a4f3ac49deb56a45
Opcode Fuzzy Hash: a86d14cee1d312545cbb909de2f67b061aa1e3be3baaa80695d8fd7630a7d018
Instruction Fuzzy Hash: 97513871704305BBEF205B649C41FAB77ECFF44700F244629FA45EA281EB76D9109756

Uniqueness

Uniqueness Score: -1.00%

Function 00A86DC0 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00A86E22
GetShortPathNameW.KERNEL32(?,?,?), ref: 00A86EA1
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A86EF1
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00A86F27

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: 517d42926c512e804279d3c9ef43116e3904dcf41aed81954d2bc890c5853190
Instruction ID: 906e33e8f306bcb39e7eaca87c0d51bb8380475e633b99efbc97890c9517afc6
Opcode Fuzzy Hash: 517d42926c512e804279d3c9ef43116e3904dcf41aed81954d2bc890c5853190
Instruction Fuzzy Hash: 16519171A00215AFE714DF58DC89F6EB7A5FF44324F104659FA259B290DB31AD00CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A93550 Relevance: 6.2, APIs: 4, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,201B1858), ref: 00A9362D
GetLastError.KERNEL32 ref: 00A93635
RemoveDirectoryW.KERNEL32(?,201B1858), ref: 00A9369D
GetLastError.KERNEL32 ref: 00A936A5

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID:
API String ID: 50330452-0
Opcode ID: c6a688f6421e7488233c1056bfad8e15319bcc64a31c1693e1a3976ce0aa0200
Instruction ID: 6a48ef7b5afc8fec4c699b375bc80254c94c3c6c97bb18bd9a7137a8c517b316
Opcode Fuzzy Hash: c6a688f6421e7488233c1056bfad8e15319bcc64a31c1693e1a3976ce0aa0200
Instruction Fuzzy Hash: B651B3B2A00219DFDF15CFA8C988BEEB7F4FF05304F154469D905AB251DB34AA08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00948900 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 009489E2
IsChild.USER32(?,00000000), ref: 009489EC
GetWindow.USER32(?,00000005), ref: 009489FB
SetFocus.USER32(00000000), ref: 00948A02

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: fe88950b0c8f649256709661f8630588767d46d592420a362ba9e42078cb7f35
Instruction ID: 8eb71cd56ddb3449b6e5e609aa4f7a891ceedfab746d592b68bed485dad9c7dd
Opcode Fuzzy Hash: fe88950b0c8f649256709661f8630588767d46d592420a362ba9e42078cb7f35
Instruction Fuzzy Hash: E2316971600A5AEFEB14CF24CC49F6ABBB8FB49711F10425AE919932A0DF74AC10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A74070 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00954640: CreateCompatibleDC.GDI32(?), ref: 0095469B
Part of subcall function 00954640: CreateCompatibleBitmap.GDI32(?,?,?), ref: 009546B4
Part of subcall function 00954640: SelectObject.GDI32(?,00000000), ref: 009546C0
Part of subcall function 00954640: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 009546D9

SelectObject.GDI32(?,?), ref: 00A740D3
SetTextColor.GDI32(?,?), ref: 00A74122
DrawTextW.USER32(?,?,?,?,00000024), ref: 00A74140
SelectObject.GDI32(?,?), ref: 00A7414C

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateText$BitmapColorDrawViewport
String ID:
API String ID: 1496946490-0
Opcode ID: 0ed0fe999dbc3dedaf8b699e86b96a46e92e657ca44b615b9a03450208981f5d
Instruction ID: 3e2bab15b3ad04d0383a207825bbddf10f8d271f479d5891ee9d7bd71ce5931c
Opcode Fuzzy Hash: 0ed0fe999dbc3dedaf8b699e86b96a46e92e657ca44b615b9a03450208981f5d
Instruction Fuzzy Hash: 48316931901208FFDB10DF94DD4AB9DBBB5FF08320F208226F915A61A0E7316E64DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00AC15C0 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AC160A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC161D
GetDC.USER32(00000000), ref: 00AC1677
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC168A

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: 8f00a840fdbcc4a14d2651f1debe52852a18594e53ee8695f8ee683e1b8cdcbf
Instruction ID: 4f8a3081843d74ef91578b90bd88620ee3d9e4b56c5157a62cdca26d0d17bf04
Opcode Fuzzy Hash: 8f00a840fdbcc4a14d2651f1debe52852a18594e53ee8695f8ee683e1b8cdcbf
Instruction Fuzzy Hash: 44318FB1A00A15AFD712CF74DC49B5EB7B8FF0A3A1F10832AE416E2291EB3459018B50

Uniqueness

Uniqueness Score: -1.00%

Function 009537B0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000004,?), ref: 009537DC
ScreenToClient.USER32(?,?), ref: 009537EB
ScreenToClient.USER32(?,?), ref: 009537FB
SetWindowPos.USER32(00000004,00000000,?,?,00000000,00000000,00000015,?,0095322D,?,?,?), ref: 0095385E

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ClientScreenWindow$Rect
String ID:
API String ID: 3998357320-0
Opcode ID: 091830f6ae4faa66ce559c4703fb0b57313dc67c5c180c18c7a0ee729e167c3c
Instruction ID: 3b27c4ebf5c2f8b28b3e0de927c13a6fe77af38d0bae5c90be13937954bc854b
Opcode Fuzzy Hash: 091830f6ae4faa66ce559c4703fb0b57313dc67c5c180c18c7a0ee729e167c3c
Instruction Fuzzy Hash: 19216971604206AFE314CF28DC85F6FB7A9EBC9711F00851DF95897290D730E9058BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00959730 Relevance: 6.1, APIs: 4, Instructions: 71timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,201B1858), ref: 0095979A
EnterCriticalSection.KERNEL32(?,201B1858), ref: 009597A7
SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 009597D7
LeaveCriticalSection.KERNEL32(?), ref: 009597EE

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveTimer
String ID:
API String ID: 3379552715-0
Opcode ID: e8a4571bebf93b229288c2a3df09fe8a2a119f0b4dcb78491a640547db2d2dd7
Instruction ID: 75e301a213a947b80720bfb2dc82a7cb065571e6b675456e8ee365a09d486294
Opcode Fuzzy Hash: e8a4571bebf93b229288c2a3df09fe8a2a119f0b4dcb78491a640547db2d2dd7
Instruction Fuzzy Hash: 8921D336900244DFEF11CF64CC44B99BBB8FF1A325F1005AAEC55AB391D7329905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD780 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,00000000,00000000,00AAC9C2,?,?,?,?,?,00000003,00000000,201B1858,?,00000000), ref: 00AAD793
GetLastError.KERNEL32(?,?,00000000,00000000,00AAC9C2,?,?,?,?,?,00000003,00000000,201B1858,?,00000000), ref: 00AAD7C0
WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,00AAC9C2,?,?,?,?,?,00000003,00000000,201B1858), ref: 00AAD7FA
SetEvent.KERNEL32(?,?,?,00000000,00000000,00AAC9C2,?,?,?,?,?,00000003,00000000,201B1858,?,00000000), ref: 00AAD823

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID:
API String ID: 708712559-0
Opcode ID: fa66a120f568e011264e1c89a9b4a576e9c5a0fba0a98aadc22240ce2fc9a073
Instruction ID: 659aad69f967fc2f877ecd3a48fe52a74f06b69c5cc3fa71783645ed7c5a8493
Opcode Fuzzy Hash: fa66a120f568e011264e1c89a9b4a576e9c5a0fba0a98aadc22240ce2fc9a073
Instruction Fuzzy Hash: 4C1196316007408FEB305B55D88CB577BA5FBAA325F00482EE4C3839A1C778E899D750

Uniqueness

Uniqueness Score: -1.00%

Function 00954640 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0095469B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 009546B4
SelectObject.GDI32(?,00000000), ref: 009546C0
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 009546D9

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CompatibleCreate$BitmapObjectSelectViewport
String ID:
API String ID: 1881423421-0
Opcode ID: f6f3bf67b2f4dda5603c292921c20314804a6b2bee4010d1f45d345511fcc54d
Instruction ID: ede824c5703b2fef4950bc4d87d0b3f3a31d55686392fa9fff1826e59c19d01a
Opcode Fuzzy Hash: f6f3bf67b2f4dda5603c292921c20314804a6b2bee4010d1f45d345511fcc54d
Instruction Fuzzy Hash: F921F975504B04EFE720CF58C944B6ABBF8FB08710F108A1EE896976A0D775A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A1B4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B3A1BB
std::_Lockit::_Lockit.LIBCPMT ref: 00B3A1C6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B3A234

Part of subcall function 00B3A317: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B3A32F

std::locale::_Setgloballocale.LIBCPMT ref: 00B3A1E1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 51c4431af5853de7b88427850e4f72c60b28ecc581b88fa862f41a628ebfd44d
Instruction ID: 7e06a7b69e7941d9195cbb88ed6ac1467628083adb24f1592f456bea92204ebf
Opcode Fuzzy Hash: 51c4431af5853de7b88427850e4f72c60b28ecc581b88fa862f41a628ebfd44d
Instruction Fuzzy Hash: A6015A75A006609BCB06FB20D855A7EBBE1FF89740F340089E85157381DF34AE46CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00940FB0 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00940FC0

Part of subcall function 00B39E5C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00940FD6,?,00000000,00000000), ref: 00B39E68
Part of subcall function 00B39E5C: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,00940FD6,?,00000000,00000000), ref: 00B39E81
Part of subcall function 00B39E5C: CloseHandle.KERNEL32(?,?,?,?,00940FD6,?,00000000,00000000), ref: 00B39E93

std::_Throw_Cpp_error.LIBCPMT ref: 00940FE9
std::_Throw_Cpp_error.LIBCPMT ref: 00940FF0
std::_Throw_Cpp_error.LIBCPMT ref: 00940FF7

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: 723dd1671e16b83c06fd95ab31e443f05f8f8382f175fe9bfcb4471184faa747
Instruction ID: 616ea916e297f186eca97575486ea9aa4d6e5010896bc61d8246b03d63b112c1
Opcode Fuzzy Hash: 723dd1671e16b83c06fd95ab31e443f05f8f8382f175fe9bfcb4471184faa747
Instruction Fuzzy Hash: E8F02E304007149BD7306B948C03F11B3C8DB00F00F1045FDB759568C2EAF1A444C692

Uniqueness

Uniqueness Score: -1.00%

Function 00A68E90 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A69076

Strings

iostream, xrefs: 00A69250
ios_base::failbit set, xrefs: 00A69152

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2659868963-302468714
Opcode ID: 4fa8988efc2d85b477b738c008d22d6eaef3981641716580aaec114b6f848de2
Instruction ID: be78e46a9b56952ed2dab9b6d8fb40bf40fd6d4e083ec22730c543f66fb3eff1
Opcode Fuzzy Hash: 4fa8988efc2d85b477b738c008d22d6eaef3981641716580aaec114b6f848de2
Instruction Fuzzy Hash: 2DC17DB1D00258DFDB14DFA8C845B9EFBB5FF49310F24825AE824AB282D7745A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA6F90 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00BAC43F,000000FF), ref: 00AA714B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00BAC43F,000000FF), ref: 00AA7204

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00AA70A3

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 1977327082-396061572
Opcode ID: 648ad047b9649aca5040ef8f62926fb12353971437fcf856874776ab1f4a3ab6
Instruction ID: 0b9ae874de34ae666533ebff06cb34c4ce4252a61a9d74049f18bb488a5790c4
Opcode Fuzzy Hash: 648ad047b9649aca5040ef8f62926fb12353971437fcf856874776ab1f4a3ab6
Instruction Fuzzy Hash: 9771C271A00244CBDB02DF68C8587AEBBF5FF89314F24429DE815AB381DB759A05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00AAF990 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,201B1878,00000000,00000000,-00000002,00C0F398,?,?,201B1858,00BB41E6,000000FF), ref: 00AAFA50

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

Part of subcall function 00A71850: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,201B1858,?,00000000), ref: 00A7189B
Part of subcall function 00A71850: GetLastError.KERNEL32(?,00000000), ref: 00A718A5

Strings

Downloading of updates failed. Error:, xrefs: 00AAFAD7
upd, xrefs: 00AAF9CF

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CopyErrorFileFormatHeapLastMessageProcess
String ID: Downloading of updates failed. Error:$upd
API String ID: 2459518595-329979656
Opcode ID: 1fff828971bb73f6656bb4135d8c7c7b64943280dcf682fcaeab97c8479d5c25
Instruction ID: cfd9cb303888883b95678205e6a68b7e92bf9216991bf43da863ca0b9f925a16
Opcode Fuzzy Hash: 1fff828971bb73f6656bb4135d8c7c7b64943280dcf682fcaeab97c8479d5c25
Instruction Fuzzy Hash: 84711435A00245DFDB18DB68CC55BAEB7B5FF85324F18826CE4269B2D1DB34AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A99C60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,201B1858,00000000,?,?,?,00A8950E,00000000), ref: 00A99DB8

Strings

Extraction path set to:, xrefs: 00A99E1D
\\?\, xrefs: 00A99DC5

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Path
String ID: Extraction path set to:$\\?\
API String ID: 2875597873-2975605734
Opcode ID: 763e5bc157c811ff85561c4ec82eba8bb04aa4a4f0b02130477f44c175d57a07
Instruction ID: e3a831370c8e6be04e53013ddd6509648625dca03ef405efdd860b3d221d226e
Opcode Fuzzy Hash: 763e5bc157c811ff85561c4ec82eba8bb04aa4a4f0b02130477f44c175d57a07
Instruction Fuzzy Hash: A061BF71A00619ABDF14DB68C884BAEB7B5FF88324F14425DE525A7391CB35A902CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A5EFA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,201B1858), ref: 00A5F042

Strings

\\?\, xrefs: 00A5F13F, 00A5F16A
\\?\UNC\, xrefs: 00A5F069, 00A5F0CA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 90ebc8ca0fa4f8b672e502c9b8cd1b6bd6a25b77fb1b9c664e9203f08c3b49d7
Instruction ID: c7b4aab8aa03fa859aa75cbfd2a9e4a7dc10b03671249edab4b0f16b72bf6704
Opcode Fuzzy Hash: 90ebc8ca0fa4f8b672e502c9b8cd1b6bd6a25b77fb1b9c664e9203f08c3b49d7
Instruction Fuzzy Hash: 7F51BEB0D00204DFDB24DF68D845BAEF7F4FF54304F108669E95567281EB716948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9C00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,201B1858,_pbl_evt,00000008,?,?,00C0D430,00000001,201B1858,?), ref: 00AD9CAE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00AD9CCB

Strings

_pbl_evt, xrefs: 00AD9C82

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: ead7f1a4325bcf00199107b1ad3bfac7b550cefbb3761e7e0090d46f728f0274
Instruction ID: ae754f458dc7b30c3c4c2114aac1525cea4768dd33659ad1698056c766e46587
Opcode Fuzzy Hash: ead7f1a4325bcf00199107b1ad3bfac7b550cefbb3761e7e0090d46f728f0274
Instruction Fuzzy Hash: AB5190B1D14608EFDB10DFA4CC46BEEB7B8EF04714F10825AE916B7290EB746A04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA85F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,201B1858,?,80000002,00C82000), ref: 00AA862F
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00C82000), ref: 00AA8690

Strings

ADVINST_LOGS, xrefs: 00AA8668

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 3e22362a6bdd2032272559e404982055f759665b030802e81db77e4cd9ae9fce
Instruction ID: 1aead313944f5658f5459c8e88d5c28659da1ce14d1c4dade5fb347a1ac149ca
Opcode Fuzzy Hash: 3e22362a6bdd2032272559e404982055f759665b030802e81db77e4cd9ae9fce
Instruction Fuzzy Hash: 0551B175940259CBDB209F28C848BB9B3B4FF15714F2446AEE855972D0EF785D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0093B3A0: GetProcessHeap.KERNEL32 ref: 0093B3F5

WriteFile.KERNEL32(?,00000005,?,?,00000000,00BF76FC,00000002,?,00000000,CPU: ,00000005), ref: 00AA7EB1
FlushFileBuffers.KERNEL32(?), ref: 00AA7EBA

Part of subcall function 0093A840: FindResourceW.KERNEL32(00000000,?,00000006,?,?,000000A7,80070057,8007000E,80004005,00955436,00000000,*.*,?,?,?,?), ref: 0093A863

Strings

CPU: , xrefs: 00AA7E18, 00AA7E2A, 00AA7E34

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU:
API String ID: 2793600070-1724696780
Opcode ID: c6afbc7ff191ba7e22a3b4143e9a3d5f01881524f6fb161fb7601b25f2066b41
Instruction ID: 9c882e201d20992453d725e0c1aa274ad1997171ebea88ca6b1f0313c02d4eb5
Opcode Fuzzy Hash: c6afbc7ff191ba7e22a3b4143e9a3d5f01881524f6fb161fb7601b25f2066b41
Instruction Fuzzy Hash: 7E418B71A00609ABDB10DB68CC49BAEBBB5FF89320F144259E921A73D1DB74AD05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A76C70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,201B1858,00C0C968), ref: 00A76CDC
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00A76DD3

Part of subcall function 00A62CE0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A62D8A

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 00A76CFA

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 201254970-3373098694
Opcode ID: 42564615bb76e79151c51aa0a0da135b0571b6e8b5bb1eb74bb2daf40f9b03d4
Instruction ID: 5c93585721e31092dd555ab6908d9015ed911228ac92544cdc7a200adf6dde28
Opcode Fuzzy Hash: 42564615bb76e79151c51aa0a0da135b0571b6e8b5bb1eb74bb2daf40f9b03d4
Instruction Fuzzy Hash: BB41C171A007089BDB10CF68CD0AB9FBBF8EF44310F148259E445AB2D1DBB4AA48CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D2C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0097D2EB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0097D34E

Strings

bad locale name, xrefs: 0097D371

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: de8fe935e84253c0e05dc2778467ad766a35cb31a879d91dfcf7f01d38f55379
Instruction ID: c973c7bb8c5ac31a2e252b59c85b54a386b8d9a0bb408d03fcc1347bf23ce7f6
Opcode Fuzzy Hash: de8fe935e84253c0e05dc2778467ad766a35cb31a879d91dfcf7f01d38f55379
Instruction Fuzzy Hash: 0521FF71A05784DFD720CF68C804B5BBBF4AF15704F14869DE48997B81D3B9EA08CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0097D950 Relevance: 5.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000), ref: 0097DAC5
HeapFree.KERNEL32(00000000,?,00000000), ref: 0097DACB
GetProcessHeap.KERNEL32(?,00000000), ref: 0097DB5C
HeapFree.KERNEL32(00000000,?,00000000), ref: 0097DB62

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ed44ea383bd126fb244b7cbce1b87e9653ef7ac9cc6b5fb00c1dd0da849fd86
Instruction ID: 720d94e51ead2a3b7bbb610c6e9aaf0975351d6e99ab1fc1797772dc6dab20e8
Opcode Fuzzy Hash: 0ed44ea383bd126fb244b7cbce1b87e9653ef7ac9cc6b5fb00c1dd0da849fd86
Instruction Fuzzy Hash: 5BC18BB2D01219DFDB14CFA4C855FAEBBB8BF48314F148199E509AB291DB74AE05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0095E7B9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 0095E7EC

Strings

Unknown exception, xrefs: 0095E7C1
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 0095E7D1

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 30be4f08cac56557221f00db4886ebf4f16c968903988962e50f0b401fa96a4f
Instruction ID: d6f413ae37fc60250a23d644a5ab4f8a937cb5a491c75cd503584c17a047ca2b
Opcode Fuzzy Hash: 30be4f08cac56557221f00db4886ebf4f16c968903988962e50f0b401fa96a4f
Instruction Fuzzy Hash: A801FB30D0928CEEDB01E7E8C9197DDBFF1AB51304F544099E1416B292DBB55E48DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0094588E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 009458BB

Strings

Unknown exception, xrefs: 00945896
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009458A6

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 2f2d53f176b85a3e5326e5bec0d98ab435e80f79f6cd79ab135886b789c0b6fa
Instruction ID: ff70f57d3827480817ac5c7a461b570ce894dc7a401c6f9bd3069e2e3b3016c6
Opcode Fuzzy Hash: 2f2d53f176b85a3e5326e5bec0d98ab435e80f79f6cd79ab135886b789c0b6fa
Instruction Fuzzy Hash: 4EF0E730D0A28CEADB02E7E8CA157DDBFF5AB51304F544099E1416B292DBB51F08EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00945BA8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00945BD8

Strings

Unknown exception, xrefs: 00945BB0
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00945BC3

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 647789a689d5ca106efda03d0e2677b647296c007e62fdb239966ba94b5a568d
Instruction ID: 7aadcc9311cdada9c1d0924ae022413f98220e0dd21e237b1a5f5873fee56311
Opcode Fuzzy Hash: 647789a689d5ca106efda03d0e2677b647296c007e62fdb239966ba94b5a568d
Instruction Fuzzy Hash: BEF03C30D0A28CDADB12E7E8C9157DDBFF06B51304F544099E1416B282DBB51F08EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BDDA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0094CA20: InitializeCriticalSectionAndSpinCount.KERNEL32(00C80810,00000000,201B1858,00930000,Function_002339C0,000000FF,?,00B3BE09,?,?,?,00937BEA), ref: 0094CA45
Part of subcall function 0094CA20: GetLastError.KERNEL32(?,00B3BE09,?,?,?,00937BEA), ref: 0094CA4F

IsDebuggerPresent.KERNEL32(?,?,?,00937BEA), ref: 00B3BE0D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00937BEA), ref: 00B3BE1C

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B3BE17

Memory Dump Source

Source File: 00000000.00000002.2541931587.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.2541904466.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542284993.0000000000BC9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542371470.0000000000C7D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542392324.0000000000C7F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542414400.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542438289.0000000000C8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_DiStem-0.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: ec689615ef754475276da46db650f86a311932c7fc6e266948b0532beb9d7a0b
Instruction ID: 817134d8aa6445bf3587bd23eab09ee659def27c97cc13e14a7364ac5a5c47f4
Opcode Fuzzy Hash: ec689615ef754475276da46db650f86a311932c7fc6e266948b0532beb9d7a0b
Instruction Fuzzy Hash: CCE092706003618FD330AF69E508B96BBE4AF0C700F148CACEA96CB240DBB4E444CB51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DiStem-0.9.10.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui

C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.msi

C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\holder0.aiph

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\New

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PrepareDlgProgress.gif

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ProgressImageDarkOrange.png

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\Up

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\applogoicon.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\applogoicon.svg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backbutton

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backbutton.xaml

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\background

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundDarkGray.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundprepare

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundprepareDarkGray.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundsurface

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundsurfaceDarkGray.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\browsebutton

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\browsebutton.xaml

Windows Analysis Report
DiStem-0.9.10.exe