Play interactive tour

Edit tour

Analysis Report dY5HmgsBm6

Overview

General Information

Sample Name:	dY5HmgsBm6 (renamed file extension from none to exe)
Analysis ID:	397764
MD5:	ae8f9d9b8344d52f0872dfdc852e1dd4
SHA1:	7e9f4259cc193465317ee48b8428b36e74028390
SHA256:	95b5d0e36464afc8391a9d056926e5859506ead18937669554bde42f7a6d135b
Infos:
Most interesting Screenshot:

Detection

Diamondfox

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Diamondfox

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking mutex)

PE file has a writeable .text section

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

dY5HmgsBm6.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\dY5HmgsBm6.exe' MD5: AE8F9D9B8344D52F0872DFDC852E1DD4)

CachemanControlPanel.exe (PID: 6988 cmdline: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe MD5: 5D3BF7A18887582B8A2CEA327F2E7BA6)

cleanup

Malware Configuration

Threatname: Diamondfox

{"gate": {"url[0]": "http://vladisfoxlink.ru/support/enfr/gate.php"}, "user_agent": {"agent[0]": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"}, "connection_key": {"key[0]": "1df2b4de68ad60874427e4d6057ea13f"}, "timers": {"connect": "60", "reconnect": "30", "process": "80", "reports": "70", "plugins": "300"}, "installation": {"name": "MicrosoftEdgeCPS", "subfolder": "EdgeCP", "path": "APPDATA", "mutex": "rV8Uqv6WyyQabAbuwVPeRHm6JxPMDa6t", "melt": "0", "antis": "0", "rip": "0", "setup": "0", "startup": "0"}}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: CachemanControlPanel.exe PID: 6988	JoeSecurity_Diamondfox	Yara detected Diamondfox	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000003.463135358.0000000002730000.00000004.00000040.sdmp

Malware Configuration Extractor: Diamondfox {"gate": {"url[0]": "http://vladisfoxlink.ru/support/enfr/gate.php"}, "user_agent": {"agent[0]": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"}, "connection_key": {"key[0]": "1df2b4de68ad60874427e4d6057ea13f"}, "timers": {"connect": "60", "reconnect": "30", "process": "80", "reports": "70", "plugins": "300"}, "installation": {"name": "MicrosoftEdgeCPS", "subfolder": "EdgeCP", "path": "APPDATA", "mutex": "rV8Uqv6WyyQabAbuwVPeRHm6JxPMDa6t", "melt": "0", "antis": "0", "rip": "0", "setup": "0", "startup": "0"}}

Multi AV Scanner detection for domain / URL

Show sources

Source: vladisfoxlink.ru

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\libxml3.dll	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: dY5HmgsBm6.exe	Virustotal: Detection: 49%			Perma Link
Source: dY5HmgsBm6.exe	ReversingLabs: Detection: 34%

Source: dY5HmgsBm6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: dY5HmgsBm6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\storage\SIV32X\pdb\VCL\codecs\Obj\storage\build\Release\p.pdbr source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr
Source:	Binary string: C:\libcrypto-1_1-x64\StartupManager\Bin\RelWithDebI.pdb source: CachemanControlPanel.exe, 00000002.00000002.467262960.000000006E4E9000.00000002.00020000.sdmp, libxml3.dll.1.dr
Source:	Binary string: d:\agent\_work\3\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: C:\storage\SIV32X\pdb\VCL\codecs\Obj\storage\build\Release\p.pdb source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Concurrentd.pdb source: Qt5Concurrentd.dll.1.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Concurrentd.pdb"" source: Qt5Concurrentd.dll.1.dr

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,	1_2_0040646B
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_004027A1 FindFirstFileA,	1_2_004027A1
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_004058BF
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040C837 wcsncpy,wcslen,wcscat,GetDriveTypeW,FindFirstFileW,FindClose,GetFileAttributesW,GetDriveTypeW,	2_2_0040C837

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://vladisfoxlink.ru/support/enfr/gate.php

Source: Joe Sandbox View

ASN Name: ASN-GIGENETUS ASN-GIGENETUS

Source: global traffic

TCP traffic: 192.168.2.6:49740 -> 45.85.90.225:80

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_00408683 InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_00408683

Source: unknown

DNS traffic detected: queries for: vladisfoxlink.ru

Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: dY5HmgsBm6.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: dY5HmgsBm6.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: CachemanControlPanel.exe, 00000002.00000003.463261074.0000000002A84000.00000004.00000040.sdmp	String found in binary or memory: http://vladisfoxlink.ru/support/enfr/gate.php
Source: CachemanControlPanel.exe, 00000002.00000003.463261074.0000000002A84000.00000004.00000040.sdmp	String found in binary or memory: http://vladisfoxlink.ru/support/enfr/gate.phpte.phpK
Source: dY5HmgsBm6.exe, 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp, zlib.dll.1.dr	String found in binary or memory: http://www.zlib.net/D
Source: CachemanControlPanel.exe, CachemanControlPanel.exe, 00000002.00000000.326512498.00000000006FD000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	String found in binary or memory: https://bitsum.com
Source: CachemanControlPanel.exe, 00000002.00000000.326512498.00000000006FD000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	String found in binary or memory: https://bitsum.com/
Source: CachemanControlPanel.exe, 00000002.00000000.326512498.00000000006FD000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	String found in binary or memory: https://bitsum.com/3Current
Source: CachemanControlPanel.exe	String found in binary or memory: https://ip.seeip.org/
Source: CachemanControlPanel.exe, 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp	String found in binary or memory: https://ip.seeip.org/Content-Type:
Source: Qt5Concurrentd.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_0040535C

E-Banking Fraud:

Yara detected Diamondfox

Show sources

Source: Yara match

File source: Process Memory Space: CachemanControlPanel.exe PID: 6988, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: CachemanControlPanel.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_00407EA1 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,

2_2_00407EA1

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403348

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_00406945	1_2_00406945
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_0040711C	1_2_0040711C
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040E02E	2_2_0040E02E
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_004198A0	2_2_004198A0
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_004150A4	2_2_004150A4
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041C0A8	2_2_0041C0A8
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_00410950	2_2_00410950
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_004131B0	2_2_004131B0
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041F200	2_2_0041F200
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041F2C9	2_2_0041F2C9
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041F283	2_2_0041F283
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041FB40	2_2_0041FB40
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040F360	2_2_0040F360
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_00410360	2_2_00410360
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_00410B30	2_2_00410B30
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040E3A7	2_2_0040E3A7
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040F570	2_2_0040F570
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040DDF3	2_2_0040DDF3
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040FD80	2_2_0040FD80
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041B630	2_2_0041B630
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041EED0	2_2_0041EED0
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0041EEF0	2_2_0041EEF0
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040E739	2_2_0040E739
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040F780	2_2_0040F780
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040EFB3	2_2_0040EFB3

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe 014D644ECCC232CD6906C5ABF8AFD3E53F94004057D4A1BB2771DFEA00F0AE4B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll A276F57503BAD9A4BCA17E8E057993607E715C1FA6C7D2E136A2290A19EFD560

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: String function: 004187A0 appears 32 times
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: String function: 00418710 appears 38 times
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: String function: 00418770 appears 33 times

Source: CachemanControlPanel.exe.1.dr

Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Source: dY5HmgsBm6.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CachemanControlPanel.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: dY5HmgsBm6.exe, 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenamezlib1.dll* vs dY5HmgsBm6.exe
Source: dY5HmgsBm6.exe, 00000001.00000002.327150069.0000000002330000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs dY5HmgsBm6.exe

Source: dY5HmgsBm6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/12@1/1

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

1_2_00403348

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_0040460D

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_004039B7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId,CloseHandle,

2_2_004039B7

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar,

1_2_0040216B

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

File created: C:\Users\user\AppData\Roaming\CachemanControlPanel

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Mutant created: \Sessions\1\BaseNamedObjects\rV8Uqv6WyyQabAbuwVPeRHm6JxPMDa6t

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

File created: C:\Users\user\AppData\Local\Temp\nsuAFD0.tmp

Jump to behavior

Source: dY5HmgsBm6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: dY5HmgsBm6.exe	Virustotal: Detection: 49%
Source: dY5HmgsBm6.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

File read: C:\Users\user\Desktop\dY5HmgsBm6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dY5HmgsBm6.exe 'C:\Users\user\Desktop\dY5HmgsBm6.exe'
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Process created: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Process created: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Jump to behavior

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: dY5HmgsBm6.exe

Static file information: File size 2573987 > 1048576

Source: dY5HmgsBm6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\storage\SIV32X\pdb\VCL\codecs\Obj\storage\build\Release\p.pdbr source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr
Source:	Binary string: C:\libcrypto-1_1-x64\StartupManager\Bin\RelWithDebI.pdb source: CachemanControlPanel.exe, 00000002.00000002.467262960.000000006E4E9000.00000002.00020000.sdmp, libxml3.dll.1.dr
Source:	Binary string: d:\agent\_work\3\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: C:\storage\SIV32X\pdb\VCL\codecs\Obj\storage\build\Release\p.pdb source: CachemanControlPanel.exe, 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Concurrentd.pdb source: Qt5Concurrentd.dll.1.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Concurrentd.pdb"" source: Qt5Concurrentd.dll.1.dr

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_00412C47 LoadLibraryW,GetProcAddress,memset,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,

2_2_00412C47

Source: CachemanControlPanel.exe.1.dr	Static PE information: section name: _RDATA
Source: Qt5Concurrentd.dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0042E81E push cs; iretd	2_2_0042E7F2
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0042E9CE push ebx; ret	2_2_0042E9CF
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0042A5AB push 0000006Ah; retf	2_2_0042A684
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0042A613 push 0000006Ah; retf	2_2_0042A684
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0042A615 push 0000006Ah; retf	2_2_0042A684
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0042E71C push cs; iretd	2_2_0042E7F2

Persistence and Installation Behavior:

Yara detected Diamondfox

Show sources

Source: Yara match

File source: Process Memory Space: CachemanControlPanel.exe PID: 6988, type: MEMORY

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\libxml3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgcc_s_seh-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgstcontroller-1.0-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\libogg-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\libblkmaker-0.1-6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\zlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	File created: C:\Users\user\AppData\Roaming\CachemanControlPanel\Qt5Concurrentd.dll	Jump to dropped file

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_2-16047

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_004039B7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId,CloseHandle,

2_2_004039B7

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 260000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259669	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259341	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259013	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258899	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258794	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258685	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258466	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258246	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257919	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257810	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257701	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257591	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257482	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257263	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257153	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256935	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256825	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256716	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256606	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256497	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256388	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256277	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256169	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255951	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255841	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255732	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255622	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255513	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255412	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255297	Jump to behavior

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgstcontroller-1.0-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\libgcc_s_seh-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\libogg-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\libblkmaker-0.1-6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\zlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CachemanControlPanel\Qt5Concurrentd.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

API coverage: 9.6 %

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58894s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58786s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58678s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58569s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58351s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58241s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58132s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -58023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57913s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57585s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57476s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57365s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57257s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57148s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -57039s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56819s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56711s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56601s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56491s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56272s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56163s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -56053s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55945s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55835s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55726s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55398s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -55070s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54414s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54195s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -54085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53976s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53861s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53648s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53537s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53429s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53210s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -53101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52991s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52882s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52773s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52663s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52554s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52445s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52335s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -52007s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51898s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51789s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51679s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51461s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51351s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51241s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51132s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -51023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50913s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50585s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50476s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50367s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50257s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50148s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -50038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49820s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49710s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49601s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49492s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49381s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49273s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49163s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -49054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48945s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48836s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48725s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48398s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48289s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -48070s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47412s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47168s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -47052s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -46942s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -46832s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -46723s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -46617s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -46505s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -46080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -45974s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -45861s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -45758s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -45648s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -45538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -45421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44825s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44667s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44554s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44445s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44336s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44116s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -44008s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43898s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43460s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43351s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43242s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43132s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -43023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42914s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42585s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42476s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42366s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42258s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42148s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -42039s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41819s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41711s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41601s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41492s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41383s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41273s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41164s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -41054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40945s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40836s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40726s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40617s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40398s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -40069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39961s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39413s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39195s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -39085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38976s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38867s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38648s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38539s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38428s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38319s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38210s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -38101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37992s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37882s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37773s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37664s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37555s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37445s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37335s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37116s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -37005s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36898s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36460s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36351s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36242s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36132s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -36023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35914s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35803s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35476s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35365s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35258s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35148s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -35039s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34819s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34711s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34601s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34491s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34273s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34164s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -34054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33944s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33835s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33726s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33617s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33395s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33289s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -33070s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32961s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32852s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32742s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32633s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32414s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32195s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -32086s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31976s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31865s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31758s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31648s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31539s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31430s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31211s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -31101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30992s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30882s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30770s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30664s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30554s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30445s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30336s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30008s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259884s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259778s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259669s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259560s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259450s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259341s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -259013s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258899s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258794s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258685s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258466s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258246s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -258029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257919s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257810s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257701s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257591s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257482s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257372s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257263s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257153s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -257044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256935s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256825s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256716s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256606s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256497s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256388s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256277s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256169s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -256060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255951s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255841s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255732s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255622s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255513s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 6992	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255412s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe TID: 4996	Thread sleep time: -255297s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,	1_2_0040646B
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_004027A1 FindFirstFileA,	1_2_004027A1
Source: C:\Users\user\Desktop\dY5HmgsBm6.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_004058BF
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Code function: 2_2_0040C837 wcsncpy,wcslen,wcscat,GetDriveTypeW,FindFirstFileW,FindClose,GetFileAttributesW,GetDriveTypeW,	2_2_0040C837

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_0040C514 memset,GetSystemInfo,GlobalMemoryStatusEx,

2_2_0040C514

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 59000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58894	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58786	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58678	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58569	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58351	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58241	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58132	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 58023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57913	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57804	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57695	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57585	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57476	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57365	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57257	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57148	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 57039	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56819	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56711	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56601	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56491	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56272	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 56053	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55945	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55835	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55726	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55507	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55398	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55179	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 55070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54851	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54523	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54414	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54195	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 54085	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53976	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53861	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53757	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53648	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53537	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53429	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53320	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 53101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52991	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52882	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52773	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52663	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52554	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52445	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52335	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52226	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52117	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 52007	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51898	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51789	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51679	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51570	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51461	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51351	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51241	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51132	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 51023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50913	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50804	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50695	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50585	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50476	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50367	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50257	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50148	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 50038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49820	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49710	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49601	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49492	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49381	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49273	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 49054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48945	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48836	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48725	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48507	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48398	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48289	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48179	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 48070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47851	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47523	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47412	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 47052	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 46942	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 46832	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 46723	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 46617	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 46505	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 46080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 45974	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 45861	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 45758	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 45648	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 45538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 45421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44825	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44667	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44554	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44445	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44226	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44116	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 44008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43898	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43788	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43680	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43570	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43460	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43351	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43242	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43132	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 43023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42914	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42804	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42695	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42585	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42476	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42366	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42148	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 42039	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41819	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41711	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41601	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41492	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41383	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41273	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41164	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 41054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40945	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40836	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40726	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40617	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40507	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40398	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40179	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 40069	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39961	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39851	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39523	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39413	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39195	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 39085	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38976	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38867	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38757	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38648	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38539	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38428	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38319	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 38101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37882	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37773	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37664	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37555	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37445	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37335	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37226	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37116	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 37005	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36898	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36788	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36680	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36570	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36460	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36351	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36242	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36132	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 36023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35914	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35803	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35695	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35586	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35476	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35365	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35148	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 35039	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34819	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34711	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34601	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34491	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34273	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34164	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 34054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33944	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33835	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33726	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33617	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33507	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33395	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33289	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33179	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 33070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32961	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32852	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32742	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32633	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32523	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32414	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32195	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 32086	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31976	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31865	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31758	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31648	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31539	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31430	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31320	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31211	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 31101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30882	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30770	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30664	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30554	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30445	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30226	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30117	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 260000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259669	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259341	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 259013	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258899	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258794	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258685	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258466	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258246	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 258029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257919	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257810	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257701	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257591	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257482	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257263	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257153	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 257044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256935	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256825	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256716	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256606	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256497	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256388	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256277	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256169	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 256060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255951	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255841	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255732	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255622	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255513	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255412	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	Thread delayed: delay time: 255297	Jump to behavior

Source: CachemanControlPanel.exe	Binary or memory string: vmGuestLib
Source: CachemanControlPanel.exe, 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp	Binary or memory string: ml--bdns.prowin32_PingStatus where address='DisplayName=AntiVirusProductcaptioninsmodules\vboxmrxnpLogicalDisk Where DriveType=4 get client -ftimersTEMP.dllosHOMEDRIVE\ref.confkey[L3Njb21tYSA=agent[id.conf
Source: CachemanControlPanel.exe	Binary or memory string: vboxmrxnp
Source: CachemanControlPanel.exe, 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp	Binary or memory string: ?p=7?p=8tagpluginsvmGuestLib*\|?lpc=connection_key?grf=?gpb=bdns.nu://reports?pcn=user_agent?gpp=7?gpp=8

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

API call chain: ExitProcess graph end node

graph_1-3343

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_004039B7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId,CloseHandle,

2_2_004039B7

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_00412C47 LoadLibraryW,GetProcAddress,memset,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,

2_2_00412C47

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_00407EA1 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,

2_2_00407EA1

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_0040A1B0 cpuid

2_2_0040A1B0

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_004E7BC6 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_004E7BC6

Source: C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe

Code function: 2_2_0040C5E3 GetUserNameW,

2_2_0040C5E3

Source: C:\Users\user\Desktop\dY5HmgsBm6.exe

1_2_00403348

Stealing of Sensitive Information:

Yara detected Diamondfox

Show sources

Source: Yara match

File source: Process Memory Space: CachemanControlPanel.exe PID: 6988, type: MEMORY

Remote Access Functionality:

Yara detected Diamondfox

Show sources

Source: Yara match

File source: Process Memory Space: CachemanControlPanel.exe PID: 6988, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API11	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection11	Virtualization/Sandbox Evasion31	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery15	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dY5HmgsBm6.exe	49%	Virustotal		Browse
dY5HmgsBm6.exe	6%	Metadefender		Browse
dY5HmgsBm6.exe	34%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	6%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	14%	ReversingLabs	Win32.Malware.Bulz
C:\Users\user\AppData\Roaming\CachemanControlPanel\Qt5Concurrentd.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CachemanControlPanel\libblkmaker-0.1-6.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libblkmaker-0.1-6.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgcc_s_seh-1.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgcc_s_seh-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll	12%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll	34%	ReversingLabs	Win32.Trojan.Bulz
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgstcontroller-1.0-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CachemanControlPanel\libogg-0.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libogg-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CachemanControlPanel\libxml3.dll	12%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libxml3.dll	21%	ReversingLabs	Win32.Trojan.Bulz
C:\Users\user\AppData\Roaming\CachemanControlPanel\vcruntime140.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CachemanControlPanel\zlib.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\zlib.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.dY5HmgsBm6.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File
1.0.dY5HmgsBm6.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366		Download File

Domains

Source	Detection	Scanner	Label	Link
vladisfoxlink.ru	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ip.seeip.org/	1%	Virustotal		Browse
https://ip.seeip.org/	0%	Avira URL Cloud	safe
https://ip.seeip.org/Content-Type:	0%	Avira URL Cloud	safe
http://vladisfoxlink.ru/support/enfr/gate.phpte.phpK	0%	Avira URL Cloud	safe
http://vladisfoxlink.ru/support/enfr/gate.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.globalsign.cloud	104.18.24.243	true	false		unknown
vladisfoxlink.ru	45.85.90.225	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://vladisfoxlink.ru/support/enfr/gate.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ip.seeip.org/	CachemanControlPanel.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bitsum.com/	CachemanControlPanel.exe, 00000002.00000000.326512498.00000000006FD000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	false		high
http://nsis.sf.net/NSIS_Error	dY5HmgsBm6.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	dY5HmgsBm6.exe	false		high
https://ip.seeip.org/Content-Type:	CachemanControlPanel.exe, 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zlib.net/D	dY5HmgsBm6.exe, 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp, zlib.dll.1.dr	false		high
http://vladisfoxlink.ru/support/enfr/gate.phpte.phpK	CachemanControlPanel.exe, 00000002.00000003.463261074.0000000002A84000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://bitsum.com/3Current	CachemanControlPanel.exe, 00000002.00000000.326512498.00000000006FD000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	false		high
https://bitsum.com	CachemanControlPanel.exe, CachemanControlPanel.exe, 00000002.00000000.326512498.00000000006FD000.00000002.00020000.sdmp, CachemanControlPanel.exe.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.85.90.225	vladisfoxlink.ru	Netherlands		32181	ASN-GIGENETUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	397764
Start date:	26.04.2021
Start time:	11:48:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dY5HmgsBm6 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/12@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96.5%) Quality average: 82.7% Quality standard deviation: 25.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 131.253.33.200, 13.107.22.200, 104.43.193.48, 23.211.6.115, 52.255.188.83, 93.184.221.240, 20.82.210.154, 92.122.213.194, 92.122.213.247, 52.155.217.156, 205.185.216.10, 205.185.216.42, 20.54.26.129, 184.30.20.56, 20.82.209.183 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, ocsp.msocsp.com, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, cs11.wpc.v0cdn.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, hostedocsp.globalsign.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:49:17	API Interceptor	511x Sleep call for process: CachemanControlPanel.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
45.85.90.225	kU110zA27l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.globalsign.cloud	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse	104.18.25.243
	4831902122_p.exe	Get hash	malicious	Browse	104.18.25.243
	edLJhIqx8C.exe	Get hash	malicious	Browse	104.18.24.243
	4x1cYP0PFs.exe	Get hash	malicious	Browse	104.18.24.243
	DOCUMENTS.exe	Get hash	malicious	Browse	104.18.24.243
	DHL20212204_PDF.exe	Get hash	malicious	Browse	104.18.24.243
	WaybillDoc_5736357561.pdf.exe	Get hash	malicious	Browse	104.18.25.243
	SecuriteInfo.com.Trojan.PackedNET.677.32317.exe	Get hash	malicious	Browse	104.18.24.243
	1PGSqP9ZbC.exe	Get hash	malicious	Browse	104.18.25.243
	Yorauv6del.exe	Get hash	malicious	Browse	104.18.25.243
	Statistiken-04.20.21.doc	Get hash	malicious	Browse	104.18.25.243
	042021.htm	Get hash	malicious	Browse	104.18.25.243
	catalog-1840888847.xlsm	Get hash	malicious	Browse	104.18.24.243
	PO# 127119QUOTATION N 00319.pdf.exe	Get hash	malicious	Browse	104.18.25.243
	list015-PO#M0819T_pdf.jar	Get hash	malicious	Browse	104.18.24.243
	CSV AUHR001335017.exe	Get hash	malicious	Browse	104.18.25.243
	NEWURGENTORDER.exe	Get hash	malicious	Browse	104.18.25.243
	new file 1.exe	Get hash	malicious	Browse	104.18.24.243
	EXONE 2606202201.exe	Get hash	malicious	Browse	104.18.25.243
	DHL Delivery Documents.exe	Get hash	malicious	Browse	104.18.24.243
vladisfoxlink.ru	kU110zA27l.exe	Get hash	malicious	Browse	45.85.90.225
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse	45.85.90.225
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse	45.85.90.225
	SecuriteInfo.com.Trojan.GenericKD.46105395.24334.exe	Get hash	malicious	Browse	45.85.90.7
	qbsubf8fng_AGOSTO_DOC21408001.doc	Get hash	malicious	Browse	45.85.90.7

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASN-GIGENETUS	DFI_0451_587_032.doc	Get hash	malicious	Browse	45.85.90.14
	DFI0451587032.exe	Get hash	malicious	Browse	45.85.90.14
	kU110zA27l.exe	Get hash	malicious	Browse	45.85.90.225
	GO1eovBADG.exe	Get hash	malicious	Browse	45.85.90.92
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse	45.85.90.225
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse	45.85.90.225
	juFSQ6AmWQ.exe	Get hash	malicious	Browse	45.85.90.92
	ADNOC_ RFQ N#U00ba 100400806-02.exe	Get hash	malicious	Browse	45.85.90.242
	Specification of 0974A02-01 0975A02-01 RFQ (2.exe	Get hash	malicious	Browse	45.85.90.235
	SecuriteInfo.com.Trojan.GenericKD.46105395.24334.exe	Get hash	malicious	Browse	45.85.90.7
	qbsubf8fng_AGOSTO_DOC21408001.doc	Get hash	malicious	Browse	45.85.90.7
	bins.sh	Get hash	malicious	Browse	45.85.90.131
	Goody b.exe	Get hash	malicious	Browse	69.65.3.206
	MT103_Swift-confirmation#4425-28373XXX.exe	Get hash	malicious	Browse	45.85.90.86
	PAYMENT CONFIRMATION.exe	Get hash	malicious	Browse	69.65.3.206
	MT103_Swift_Transfer#452-567-2XXX.exe	Get hash	malicious	Browse	45.85.90.86
	4IxLUYjMQ7.exe	Get hash	malicious	Browse	172.111.237.51
	payment details.exe	Get hash	malicious	Browse	69.65.3.206
	payment details.exe	Get hash	malicious	Browse	69.65.3.206
	AWB-9899691012.exe	Get hash	malicious	Browse	45.85.90.220

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\CachemanControlPanel\libblkmaker-0.1-6.dll	kU110zA27l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\Qt5Concurrentd.dll	kU110zA27l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe	kU110zA27l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll	kU110zA27l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\CachemanControlPanel\libgcc_s_seh-1.dll	kU110zA27l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14311.exe	Get hash	malicious	Browse
	reawz09cwj_DOC0107210_AGOSTO.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3345920
Entropy (8bit):	6.587937511995749
Encrypted:	false
SSDEEP:	49152:RU18F61w5Ts0AzHc8ZqfV7xPmljnjWwIZnQjH0xe0bQBTAMUlZyu:ifSXmHc8ctVPmZnj7IywZF
MD5:	5D3BF7A18887582B8A2CEA327F2E7BA6
SHA1:	83843851B7B7BEB2B1853B813E7F0B1666B1BD62
SHA-256:	014D644ECCC232CD6906C5ABF8AFD3E53F94004057D4A1BB2771DFEA00F0AE4B
SHA-512:	3D4FFC844B211FAE199F3DA8B557CEC2F6E882B8BE42F3D99882EAA3E9D73018F8C06971CB783D223F3423D0C55788B7520BD57FD33D8D2DFE6C4BE9455E62D7
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 6%, Browse Antivirus: ReversingLabs, Detection: 14%
Joe Sandbox View:	Filename: kU110zA27l.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.14311.exe, Detection: malicious, Browse Filename: reawz09cwj_DOC0107210_AGOSTO.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......$C..`"..`"..`"..;J..j"..;J..."..;J..r"...S..B"...S..o"...S..q"..;J..c"..`"..1"...P..c"...P..a"...P".a"...P..a"..Rich`"..!ep. e...... e..Rich!e..................PE..L......`.................x&.........dh........&...@...........................3.................................................P.....0.\.............................+.p.....................+.....0.+.@.............&.t............................text...Dv&......x&................. ....rdata..0.....&......\|&.............@..@.data...@.... ......................@..._RDATA...&..../..(..../.............@..@.rsrc...\.....0......2/.............@..@........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\Qt5Concurrentd.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76272
Entropy (8bit):	5.173103233206012
Encrypted:	false
SSDEEP:	1536:qDmWfeg9w00eRovEaEI5Zs8kJqsJpni/xCGWL/ftUfT:iu00eR6EaEI5Zs8kJqsJpni/xCGWLnA
MD5:	2378A50282D97268DA9EF31E5850F44A
SHA1:	96F5657D700769370E7DA406321DEB80E3A782A5
SHA-256:	EBA986E025DEB2B5E7E16D69A7F6E8266C5D3576074B36FDF4FD8CCC90824C7C
SHA-512:	65D63594F7406055E5CF24F53AE6987B9D4CF95189CB0705A33BBE8C358D7AA1FE169B121F723063ADD2548464CBAA8FB5E6B790B75407D6ECC2CB73621AF790
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kU110zA27l.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.14311.exe, Detection: malicious, Browse Filename: reawz09cwj_DOC0107210_AGOSTO.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....w...w...w..v...w...v...w..r...w..s...w..t...w...v...w...v.W.w...r...w...w...w.......w.......w...u...w.Rich..w.........PE..L...3._...........!.........r.....................f.........................P.......Y....@.........................0..._.......d....0.......................@......,...8...........................h...@............................................text...g........................... ..`.rdata...E.......F..................@..@.data...............................@....idata..............................@..@.00cfg....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\dxgi.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	data
Category:	dropped
Size (bytes):	76267
Entropy (8bit):	7.9942102850463606
Encrypted:	true
SSDEEP:	1536:LTC1hHQ8Ol3smLKj45olGALbifbtboj7AN4dxcPyQl9T/PdxvQe2gBqwklpQCF7:3Cxd7VlGAq5knAsCTLo/cqw6pP7
MD5:	87C8CC0F69619E3706B7B0F429D82263
SHA1:	88D543A169CD919874C914F5CAABE561BCE2E907
SHA-256:	34CC061FC29D7AF780331DCDEE70BA57925E235AEB45DAC6710CC3A3F78914C2
SHA-512:	5B9290317C2F04EB2FC9F87E671BF892383733480D0A0D90D898E399E0D97A1C4CBC113ABAE32BC97749BC573D292C624E7BA7F37970B8CA025E06FB85678C36
Malicious:	false
Reputation:	low
Preview:	DCD...98....PA30........N..?.."8`...............h}L.j..,..............................".............o............(...............,...033.133333.3..3.3333..0......33......G@..]..W'........?...-.?..P....4..t..r.-.........p %.eA..D.)..3..M`=x.$.Y..%.......Y.....?.a..Q.,....Q.0.G.;3..;s...fa..#..=.{07...3gh[.....0g....9g..8,.9...6.Y..0.;..u7.n.%...93w.~....Y....v....Q0kcFz8ksPD...f.#@..b.......l....f.....(8.....`..e.:.a..tf...F..a.9.....q.s.=<,..)G=..?<...0..............wi.p.(..h..#,T.....H.a....<.0...(..i.B..2.B..:.BA..1...5.z(...b.0.....!..++.d.1n6.nc..m....3[.=.}.6....hc.."{..21..8.U...&.....g.m.....\......O.le..R.83.....Ec. .0.'..\|.\|.F.N...).m..I...1....`..,.?.".^...Yf...B.....7Co...rs....>+.ene..n.lnc.g.9/.[Ivs3i.I.n.m>{..v7.0............3'.......8...P........H.:Y.U...A..b..1.1.H.f....1.9?f...y..{..-..K..........w..i...G(.h...J......&..$.j.Mn.....o....w....q....3...\|..n3....Gc..M.e&}7..6...t.4~...g.f1s....{\|Fz...'5.No......}.

C:\Users\user\AppData\Roaming\CachemanControlPanel\libblkmaker-0.1-6.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	76188
Entropy (8bit):	5.153637021115198
Encrypted:	false
SSDEEP:	768:OCXGtEGupmGP9FAnIbGVgNy5dbOdr63EKcoD1vQIxxfIXdt:OFgcMAWGVgNy5dbOBJCQIxxgXdt
MD5:	C724B7986C72EA00CEA20E4EEA4E0C84
SHA1:	E5D823BE1B32561617F34078F45CB2AFD5331FEB
SHA-256:	7CF28A256B6A462546DB89E2C8C8A70D0D759FE62567AF20BDDF57E63D4963B7
SHA-512:	08B549A9DE0D4B28807070CE8BA2ECD5F74225BF0F434E91E3E544DA60A603D079A504735D5F4E10F2AD29F97BBFBF6A7B91E3265B249FD56BAF92E33B2769FE
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kU110zA27l.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.14311.exe, Detection: malicious, Browse Filename: reawz09cwj_DOC0107210_AGOSTO.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....2.V....a.....& .....<... .................p.............................................. .........................................Q.......p............p..................\........................... ...(....................................................text...0;.......<.................. .P`.data........P.......B..............@.`..rdata.......`.......D..............@.P@.pdata.......p.......H..............@.0@.xdata..,............L..............@.0@.bss....P.............................`..edata..Q............P..............@.0@.idata..p............T..............@.0..CRT....X............\..............@.@..tls....h............^..............@.`..reloc..\............`..............@.0B/4...................b..............@.PB/19.....$8.......:...d..............@..B/31..........@......................@..B/45.....:....P......................@..B/57.....

C:\Users\user\AppData\Roaming\CachemanControlPanel\libgcc_s_seh-1.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	76288
Entropy (8bit):	6.121662939383189
Encrypted:	false
SSDEEP:	1536:TVhSLCst8rZQk8HzR8+lXbPtccSPOrBT3SIKBx:itu7+lOcCO1TI/
MD5:	534B365361004828059600F05B34006D
SHA1:	D8FF411B0939A021F47C845C6A90F1240BAB5268
SHA-256:	438AE82FFD621A2413199155574CC85681F8986F05420B1485AA4BE936C3BC0B
SHA-512:	1CCB3732A82F2FEDCA85C27AFDD48E65DDE70D5B1620E436D457624A2CB796887C5E7DC2983A0794EBBBCADE3E5B9F9FC9320B390894471993C7B1E85268592D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kU110zA27l.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.14311.exe, Detection: malicious, Browse Filename: reawz09cwj_DOC0107210_AGOSTO.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".........&......0.........Da....................................-......... ......................................P.......`............... ..................d...............................(....................a...............................text...............................`.P`.data...............................@.P..rdata..............................@.`@.pdata....... ......................@.0@.xdata.......0......................@.0@.bss....@....@........................`..edata.......P......................@.0@.idata.......`......................@.0..CRT....X....p.......$..............@.@..tls.................&..............@.@..reloc..d............(..............@.0B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\libgraph31.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	6.202479833405588
Encrypted:	false
SSDEEP:	1536:klv6q1ZwQpNmwLsBHvahLdYZPLdsWVcdyXWADttnY:eZZDNTsBHvS+VYyXWAJtnY
MD5:	040352D2528DF9A7EC3B5ADCA3BAB444
SHA1:	A08DBFA5D9EDC2EBA36FD0FE287E0FB1E37A7E97
SHA-256:	A276F57503BAD9A4BCA17E8E057993607E715C1FA6C7D2E136A2290A19EFD560
SHA-512:	B7C62EFCED3819419C539420B127C183D28FD39834DDD9ABCDC60641B3F2BC731E15543D3E53CF5F1DB06743CBE9CC74B2C03A6EBD5A7088795951E47A107CC6
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 12%, Browse Antivirus: ReversingLabs, Detection: 34%
Joe Sandbox View:	Filename: kU110zA27l.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.14311.exe, Detection: malicious, Browse Filename: reawz09cwj_DOC0107210_AGOSTO.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H..................O...............................................................@...........Rich...........................PE..L......`...........!.........................................................`............@.............................L...\...P....@.......................P..........8...............................@...............$............................text...(........................... ..`.rdata...[.......\..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\libgstcontroller-1.0-0.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	76450
Entropy (8bit):	5.974759649110951
Encrypted:	false
SSDEEP:	1536:c8p2RxGoPW5Oa6uUDsCGln6K1Ax6K//u3D5NSSG3H0SATWzC9Y0JwazM1s7f:c8p2R1HnDsbn8xt/G8SG3H0SA4C9Y0JP
MD5:	8CF8B4B065BF720AE2D96DBA7B86F285
SHA1:	8D0CD6B3860EE0DC23AC261814F7C2DB282F127E
SHA-256:	6C6AEC02A64CAA9F868F2FDDC14F666CA4FFFD27D41010AFFD1A5826852B3D09
SHA-512:	81DBECEFB5A1FCFB470D56B8358455C79970507EBFCE966590CEEE94884466C9D9034F8CE4AE9E2B6633CB796A154F5ED93C66324E3963DEC30106A6F8DC9E1C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"...........................e.....................................\........ ......................................0.......@..................\|........................................... p..(....................D..`............................text...............................`.P`.data...P...........................@.P..rdata...#.......$..................@.`@.pdata..\|...........................@.0@.xdata..............................@.0@.bss......... ........................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....X....`......................@.@..tls....h....p......................@.`..reloc..............................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\libogg-0.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	84559
Entropy (8bit):	5.557238189374717
Encrypted:	false
SSDEEP:	768:RIBmX6tFu4kYOvBHwDFHs0YZqCC3m1/z0BDtZH5zhG4tZtVnDPo1SndQzJdn1W:KBmX6S4kYOvJGMRZABDflIQiMnAJd1W
MD5:	87A4E5BC51A9C2533AC5308F3343A76B
SHA1:	3427C4CD2F63DDB6787FBC3EE736B3B2433F0B91
SHA-256:	CCCDC7C91A6AD01D2E1AF8555FBDE94787BF5EE39A61703008D0C2ED7F9E6EBE
SHA-512:	0659A6407AB1B9451C79F684BE24C78FA8FFC3DE6B5DFDDE3AE90141567897001194F9849B50EF0A9643ABBCFA4F73C09254E771B0103A406DF04CC4D188359A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....+.Y....T.....&".........<................hp.............................`................ .............................................. ..l............................P..h........................... @..(...................."...............................text...@........................... .P`.data...............................@.P..rdata..............................@.`@.pdata..............................@.0@.xdata..4...........................@.0@.bss....P.............................`..edata..............................@.0@.idata..l.... ......................@.0..CRT....X....0......................@.@..tls....h....@......................@.`..reloc..h....P......................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\libxml3.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545280
Entropy (8bit):	6.626107318819812
Encrypted:	false
SSDEEP:	12288:EJSjsd4Hd2kR6vk9YE0quvI1bi1TpD1BQwz9554Ya8Th7h:h956vk9YE0qwUwz934Ya8ThN
MD5:	5AE30E4CDABB5B269B7EB358AAE2D5E2
SHA1:	58AAE25BF64BD0B15BE33CEB47DDB6EF3802433A
SHA-256:	0B2CABAF0B2AEF51C3396B11E604C46B65EABC0CBDE3E257BC9C9FD1C2446C6F
SHA-512:	2D4A2AAD072BEBBC707AF9DCA22C54F6D9607E6F7BC8826BCB61B0321F4E0464884F4577DC51DCFB7A40A9B143CF9E26225694EF4668F629F632870D11AFA198
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 12%, Browse Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......'}i.c...c...c...ww..m...ww......ww..t....h..a....h..z....n..f....h..Q....h......ww..f...c........h..a....h..b....h..b....h..b...Richc...........................PE..L......`...........!.....~................................................................@..........................I......XJ..(............................@..,N......p...................@.......`...@............................................text....}.......~.................. ..`.rdata..............................@..@.data....7...`...&...F..............@....rsrc................l..............@..@.reloc..,N...@...P..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\settings.xml Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	data
Category:	dropped
Size (bytes):	502603
Entropy (8bit):	7.198074868822942
Encrypted:	false
SSDEEP:	3072:auYaHsoWaNGk4lwlaZLOmRE3+eanjLij/Uj5zsd+zqhCq1HmOIRAlLVLp8UDEYiF:a/EGk4lTZ9tziwYDChO2yVLatf6PM
MD5:	FA4B4F1F9869DA4A0209BBA251859EFC
SHA1:	FE7A4EE923D6EEB93E8A52778735120705D927A5
SHA-256:	05AF99365637A46D18B5BC60D20E7CBD8943F250A15976C672B3D29EE1472D2F
SHA-512:	F82EB33679935CB69BAAF3AD5EAA71DF3D750771B21B964597543D901483AAB89602F8603E474758AE6162157C06D37B36DB669086DCF31CEA7CE8D560094456
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<doc>.. <assembly>.. <name>System.Linq.Expressions</name>.. </assembly>.. <members>.. <member name="T:System.Linq.IOrderedQueryable">.. <summary>..........</summary>.. <filterpriority>2</filterpriority>.. </member>.. <member name="T:System.Linq.IOrderedQueryable`1">.. <summary>..........</summary>.. <typeparam name="T">................. Covariant............................................................</typeparam>.. </member>.. <member name="T:System.Linq.IQueryable">.. <summary>.........................</summary>.. <filterpriority>2</filterpriority>.. </member>.. <member name="P:System.Linq.IQueryable.ElementType">.. <summary>.....

C:\Users\user\AppData\Roaming\CachemanControlPanel\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76176
Entropy (8bit):	6.753729195941321
Encrypted:	false
SSDEEP:	1536:TpIhq3RcCBwca4EZEXNciFk+ikPC+ecbiLgavG:TpIY3RcCKcajodF4+ecbiLI
MD5:	5F9D90D666620944943B0D6D1CCA1945
SHA1:	08EAD2B72A4701349430D18D4A06D9343F777FA6
SHA-256:	9EC4AFAD505E0A3DAD760FA5B59C66606AE54DD043C16914CF56D7006E46D375
SHA-512:	BE7A2C9DAE85E425A280AF552DBD7EFD84373F780FA8472BAB9A5FF29376C3A82D9DFA1FEF32C6CF7F45BA6E389DE90E090CB579EEBFF12DCFE12E6F3E7764D1
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|R.\|...\|...\|..%....\|.......\|...\|...\|.......\|.......\|.......\|.......\|.......\|.......\|..Rich.\|..................PE..L...LQ^`.........."!.........................................................@............@A......................................... ...................#...0.......#..8............................#..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CachemanControlPanel\zlib.dll Download File
Process:	C:\Users\user\Desktop\dY5HmgsBm6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.496389237373976
Encrypted:	false
SSDEEP:	1536:hoEz8+iLbyuv7MBe0HQOsgGu5myOT94vnToIff5IOcIOY3kNFoU4Pao:Jz8zLbyG7MBeD1YOT6TBfrSYUFotx
MD5:	F433B1AAB2D8F62EDFA2FD2E3686E5F0
SHA1:	C06891308B99388554C745FB80E359330D8FBCED
SHA-256:	193B8F5AD2B61B5850753EA83DF27EF776C5E43E041A6A984FB551CA8140A33A
SHA-512:	59C85C328C25F03FBA12E22A9B31AE5461941050D808F65565A361B6BD8413BEB45852DAB31088DB23BEB5DA205D0619EF3CF3A62ED4AB7848DE1A3FD7BC20A3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p+...E..E..E.i...E..yD..E.6....E..yF..E..y@..E..yA..E..uD..E..D..E..yA..E..yE..E..y...E..yG..E.Rich..E.........................PE..d....}.[.........." .........t......................................................g<....`......................................... C..H...hJ.......p..0....`..................X....4...............................4..................p............................text...C........................... ..`.rdata..._.......`..................@..@.data...8....P.......8..............@....pdata.......`.......:..............@..@.rsrc...0....p.......D..............@..@.reloc..X............J..............@..B................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.934552263340282
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dY5HmgsBm6.exe
File size:	2573987
MD5:	ae8f9d9b8344d52f0872dfdc852e1dd4
SHA1:	7e9f4259cc193465317ee48b8428b36e74028390
SHA256:	95b5d0e36464afc8391a9d056926e5859506ead18937669554bde42f7a6d135b
SHA512:	27928930215dbb9217247d846c570a756b46866b17b0832c9de7c8a800e3d0457f64c28ddfb4a66372f3837695e8f1a5645804f222ac7344284facb68bc79b21
SSDEEP:	49152:qFUy7w/OQkyXuS18WPu8vE2uajZ3/qUlppUAr/n7oi/dyXUETzBJi3:qFnekR+08s2uaX9tdyZTzBJi3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	d482b0d0f0b0c2d4

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F8F94D565F3h
push ebx
call 00007F8F94D59756h
cmp eax, ebx
je 00007F8F94D565E9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F8F94D596D2h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8F94D565CDh
push 0000000Bh
call 00007F8F94D5972Ah
push 00000009h
call 00007F8F94D59723h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F8F94D59717h
cmp eax, ebx
je 00007F8F94D565F1h
push 0000001Eh
call eax
test eax, eax
je 00007F8F94D565E9h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x351e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x351e0	0x35200	False	0.398745404412	data	5.87127264524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38358	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x48b80	0xce43	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x559c8	0x94a8	data	English	United States
RT_ICON	0x5ee70	0x5488	data	English	United States
RT_ICON	0x642f8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832	English	United States
RT_ICON	0x68520	0x25a8	data	English	United States
RT_ICON	0x6aac8	0x10a8	data	English	United States
RT_ICON	0x6bb70	0x988	data	English	United States
RT_ICON	0x6c4f8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x6c960	0x100	data	English	United States
RT_DIALOG	0x6ca60	0x11c	data	English	United States
RT_DIALOG	0x6cb80	0x60	data	English	United States
RT_GROUP_ICON	0x6cbe0	0x84	data	English	United States
RT_VERSION	0x6cc68	0x238	data	English	United States
RT_MANIFEST	0x6cea0	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	(c) 1995-2021 by Outertech
ProductName	Cacheman Client
FileDescription	Cacheman Control Panel
FileVersion	1.0.0.39
CompanyName	Outertech
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/26/21-11:49:16.348833	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/26/21-11:49:16.384321	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/26/21-11:49:16.422134	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/26/21-11:49:16.457652	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/26/21-11:49:16.484214	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/26/21-11:49:16.525271	ICMP	449	ICMP Time-To-Live Exceeded in Transit	81.95.15.57	192.168.2.6
04/26/21-11:49:16.528717	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/26/21-11:49:16.570252	ICMP	449	ICMP Time-To-Live Exceeded in Transit	152.195.101.202	192.168.2.6
04/26/21-11:49:16.570692	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/26/21-11:49:16.612022	ICMP	449	ICMP Time-To-Live Exceeded in Transit	152.195.101.129	192.168.2.6
04/26/21-11:49:16.614361	ICMP	384	ICMP PING	192.168.2.6	93.184.221.240
04/26/21-11:49:16.655081	ICMP	408	ICMP Echo Reply	93.184.221.240	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2021 11:50:17.326932907 CEST	49740	80	192.168.2.6	45.85.90.225
Apr 26, 2021 11:50:20.335309029 CEST	49740	80	192.168.2.6	45.85.90.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2021 11:49:07.748389959 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:07.792071104 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:07.797130108 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:07.851512909 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:08.030221939 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:08.093974113 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:08.543925047 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:08.592582941 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:08.621089935 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:08.680793047 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:09.444365978 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:09.495984077 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:10.384572029 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:10.433298111 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:11.289063931 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:11.346793890 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:12.211963892 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:12.271348953 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:13.074647903 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:13.126473904 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:14.000380039 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:14.051873922 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:14.893923998 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:14.942894936 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:16.199764013 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:16.248863935 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:16.271825075 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:16.320822954 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:17.390217066 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:17.439023018 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:18.622780085 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:18.674583912 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:19.586822987 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:19.639607906 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:20.643804073 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:20.692651033 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:21.459749937 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:21.509036064 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:22.254564047 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:22.305295944 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:23.144468069 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:23.193371058 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:24.021224976 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:24.069824934 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:42.311319113 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:42.359826088 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 26, 2021 11:49:45.912611008 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:49:45.973793983 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:01.149692059 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:01.281064987 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:02.000463963 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:02.172791958 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:02.335345030 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:02.386960983 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:02.751641035 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:02.897742987 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:03.030911922 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:03.095846891 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:03.383289099 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:03.443824053 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:03.990679026 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:04.048022985 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:04.613993883 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:04.726411104 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:05.267373085 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:05.319027901 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:06.146003962 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:06.203610897 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:08.035721064 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:08.101006031 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:08.587802887 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:08.648570061 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:16.483350992 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:16.532052040 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:17.239250898 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:17.310776949 CEST	53	64021	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:18.794290066 CEST	56129	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:18.853596926 CEST	53	56129	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:19.879628897 CEST	58177	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:19.938446999 CEST	53	58177	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:48.570847034 CEST	50700	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:48.629894972 CEST	53	50700	8.8.8.8	192.168.2.6
Apr 26, 2021 11:50:51.346134901 CEST	54069	53	192.168.2.6	8.8.8.8
Apr 26, 2021 11:50:51.394746065 CEST	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 26, 2021 11:50:17.239250898 CEST	192.168.2.6	8.8.8.8	0x296c	Standard query (0)	vladisfoxlink.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 26, 2021 11:49:08.093974113 CEST	8.8.8.8	192.168.2.6	0x965c	No error (0)	api.globalsign.cloud	104.18.24.243	A (IP address)	IN (0x0001)
Apr 26, 2021 11:49:08.093974113 CEST	8.8.8.8	192.168.2.6	0x965c	No error (0)	api.globalsign.cloud	104.18.25.243	A (IP address)	IN (0x0001)
Apr 26, 2021 11:50:17.310776949 CEST	8.8.8.8	192.168.2.6	0x296c	No error (0)	vladisfoxlink.ru	45.85.90.225	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: dY5HmgsBm6.exe PID: 6924 Parent PID: 5976

General

Start time:	11:49:15
Start date:	26/04/2021
Path:	C:\Users\user\Desktop\dY5HmgsBm6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\dY5HmgsBm6.exe'
Imagebase:	0x400000
File size:	2573987 bytes
MD5 hash:	AE8F9D9B8344D52F0872DFDC852E1DD4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: CachemanControlPanel.exe PID: 6988 Parent PID: 6924

General

Start time:	11:49:16
Start date:	26/04/2021
Path:	C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe
Imagebase:	0x400000
File size:	3345920 bytes
MD5 hash:	5D3BF7A18887582B8A2CEA327F2E7BA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 6%, Metadefender, Browse Detection: 14%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: dY5HmgsBm6.exe PID: 6924 Parent PID: 5976 dY5HmgsBm6.exeCOMMON

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	1316
Total number of Limit Nodes:	19

Executed Functions

Function 00403348, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t188;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f42c = _t42;
				if(_t42 != 6) {
					_t118 = E00406500(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E00406492(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406500(0xb);
				 *0x42f424 = E00406500(9);
				_t47 = E00406500(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f42f =  *0x42f42f | 0x00000040;
					}
				}
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x42f4f8 = _t47;
				SHGetFileInfoA(0x429850, 0, _t163 + 0x38, 0x160, 0); // executed
				E004060F7("Name Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t159 = "\"C:\\Users\\engineer\\Desktop\\dY5HmgsBm6.exe\" ";
				E004060F7(_t159, _t51);
				 *0x42f420 = 0x400000;
				_t53 = _t159;
				if("\"C:\\Users\\engineer\\Desktop\\dY5HmgsBm6.exe\" " == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405ABA(_t53,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t55;
				while(1) {
					_t121 =  *_t55;
					_t171 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405ABA(_t55,  *(_t163 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E004060F7("C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel",  &(_t55[2]));
										L30:
										_t156 = "C:\\Users\\engineer\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156);
										_t59 = E00403317(_t171);
										_t172 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EA1(_t174,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												_t184 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x42f4d4;
													if( *0x42f4d4 == 0) {
														L67:
														_t62 =  *0x42f4ec;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406500(4);
													__eflags = _t66;
													if(_t66 == 0) {
														L65:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405813( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f440 == 0) {
												L42:
												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
												 *(_t163 + 0x18) = E0040390A( *0x42f4ec);
												goto L43;
											}
											_t152 = E00405ABA(_t159, 0);
											if(_t152 < _t159) {
												L39:
												_t181 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E0040577E(_t184);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\engineer\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\engineer\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E00405761();
														} else {
															E004056E4();
														}
														SetCurrentDirectoryA(_t156);
														_t188 = "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel"; // 0x43
														if(_t188 == 0) {
															E004060F7("C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel", _t161);
														}
														E004060F7(0x430000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x430400 = "A";
														do {
															E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
															DeleteFileA(0x429450);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\engineer\\Desktop\\dY5HmgsBm6.exe", 0x429450, 1) != 0) {
																E00405ED6(_t136, 0x429450, 0);
																E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
																_t93 = E00405796(0x429450);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00405ED6(_t136, _t156, 0);
													}
													goto L43;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E00405B7D(_t181, _t152 + 4) == 0) {
													goto L43;
												}
												E004060F7("C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel", _t153);
												E004060F7("C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L42;
											}
											_t109 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E00403317(_t172);
										_t173 = _t112;
										if(_t112 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E00403317(_t173);
										_t174 = _t117;
										if(_t117 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t140 = _t55[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L23:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t141 = _t55[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L19:
								 *0x42f4e0 = 1;
								goto L20;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403358
0x0040335c
0x00403364
0x00403368
0x0040336d
0x00403379
0x00403382
0x00403387
0x0040338a
0x00403391
0x00403398
0x00403398
0x00403391
0x0040339a
0x0040339f
0x004033a0
0x004033ac
0x004033b0
0x004033b6
0x004033c4
0x004033c9
0x004033d0
0x004033d4
0x004033d8
0x004033da
0x004033da
0x004033d8
0x004033e2
0x004033e9
0x004033ef
0x00403405
0x00403415
0x0040341a
0x00403420
0x00403427
0x00403433
0x0040343d
0x0040343f
0x00403441
0x00403446
0x00403446
0x00403456
0x0040345c
0x00403525
0x00403525
0x00403527
0x00403529
0x00000000
0x00000000
0x00403465
0x00403468
0x00403470
0x00403470
0x00403473
0x00403478
0x0040347a
0x0040347a
0x0040347b
0x0040347b
0x00403480
0x00403483
0x00403515
0x0040351a
0x0040351f
0x00403522
0x00403524
0x00403524
0x00403524
0x00000000
0x00403489
0x00403489
0x0040348a
0x0040348d
0x004034a5
0x004034d0
0x004034d2
0x004034e5
0x00403510
0x00403513
0x00403531
0x00403534
0x0040353d
0x00403542
0x00403548
0x00403553
0x00403555
0x0040355a
0x0040355c
0x004035b4
0x004035b9
0x004035c3
0x004035ca
0x004035ce
0x00403662
0x00403662
0x00403667
0x0040366d
0x00403672
0x00403796
0x0040379c
0x00403818
0x00403818
0x0040381d
0x00403820
0x00403822
0x00403822
0x0040382a
0x0040382a
0x004037ac
0x004037b4
0x004037b6
0x004037b7
0x004037c4
0x004037d7
0x004037df
0x004037e3
0x004037e3
0x004037eb
0x004037f0
0x004037f7
0x00403805
0x00403807
0x0040380d
0x0040380f
0x00000000
0x00000000
0x00000000
0x004037f9
0x004037ff
0x00403801
0x00403803
0x00403811
0x00403813
0x00000000
0x00403813
0x00000000
0x00403803
0x004037f7
0x00403681
0x00403688
0x00403688
0x004035da
0x00403652
0x00403652
0x0040365e
0x00000000
0x0040365e
0x004035e3
0x004035e7
0x0040361d
0x0040361d
0x0040361f
0x00403627
0x00403699
0x0040369b
0x004036a2
0x004036aa
0x004036aa
0x004036b5
0x004036ba
0x004036c9
0x004036cd
0x004036ce
0x004036d7
0x004036d0
0x004036d0
0x004036d0
0x004036dd
0x004036e3
0x004036e9
0x004036f1
0x004036f1
0x004036ff
0x00403704
0x00403716
0x0040371e
0x00403724
0x00403730
0x00403736
0x00403740
0x00403756
0x00403767
0x0040376d
0x00403774
0x00403777
0x0040377d
0x0040377d
0x00403774
0x00403781
0x00403787
0x00403787
0x0040378c
0x0040378c
0x00000000
0x004036c9
0x00403629
0x0040362b
0x00403636
0x00000000
0x00000000
0x0040363e
0x00403649
0x0040364e
0x00000000
0x0040364e
0x00403612
0x00403614
0x00403618
0x0040361b
0x00000000
0x00000000
0x00000000
0x0040361b
0x00000000
0x00403614
0x00403564
0x00403570
0x00403575
0x0040357a
0x0040357c
0x00000000
0x00000000
0x00403584
0x0040358c
0x0040359d
0x004035a5
0x004035a7
0x004035ac
0x004035ae
0x00000000
0x00000000
0x00000000
0x004035ae
0x00000000
0x00403513
0x004034d4
0x004034d7
0x004034da
0x004034e0
0x004034e0
0x004034e0
0x004034e0
0x00000000
0x004034e0
0x004034dc
0x004034de
0x00000000
0x00000000
0x00000000
0x004034de
0x0040348f
0x00403492
0x00403495
0x0040349b
0x0040349b
0x00000000
0x0040349b
0x00403497
0x00403499
0x00000000
0x00000000
0x00000000
0x00403499
0x00000000
0x00000000
0x00000000
0x0040346a
0x0040346a
0x0040346a
0x0040346b
0x0040346b
0x00000000
0x0040346a
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040336D
GetVersion.KERNEL32 ref: 00403373
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
OleInitialize.OLE32(00000000), ref: 004033E9
SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
GetCommandLineA.KERNEL32(Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,00000020,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 0040390A: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,747DFA90), ref: 004039FA
Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000), ref: 00403A0D
Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(: Completed), ref: 00403A18
Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E

ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 00403662

Part of subcall function 00403830: CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
ExitProcess.KERNEL32 ref: 00403688
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
ExitProcess.KERNEL32 ref: 0040382A

Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E

Strings

C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00403644
1033, xrefs: 004035B4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403548, 0040354D, 00403563, 0040356F, 0040357E, 0040358B, 00403597, 0040359F, 00403698, 004036A9, 004036B4, 004036C0, 004036CD, 004036DC, 0040378B
NSIS Error, xrefs: 0040340B
C:\Users\user\Desktop\dY5HmgsBm6.exe, xrefs: 00403745
C:\Users\user\Desktop, xrefs: 004036BA, 004036BF, 004036EB
Low, xrefs: 00403586
TMP, xrefs: 004035A0
TEMP, xrefs: 00403598
", xrefs: 0040347B
~nsu, xrefs: 00403693
"C:\Users\user\Desktop\dY5HmgsBm6.exe" , xrefs: 00403420, 00403426, 004035DD
Name Setup, xrefs: 00403410
.tmp, xrefs: 004036AF
Error launching installer, xrefs: 0040361F
SeShutdownPrivilege, xrefs: 004037BE
\Temp, xrefs: 0040356A
UXTHEME, xrefs: 0040339A, 0040339F, 004033A5
C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00403538, 00403639, 004036E3, 004036EC

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\dY5HmgsBm6.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\CachemanControlPanel$C:\Users\user\AppData\Roaming\CachemanControlPanel$C:\Users\user\Desktop$C:\Users\user\Desktop\dY5HmgsBm6.exe$Error launching installer$Low$NSIS Error$Name Setup$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 562314493-262210370
Opcode ID: 1696fd18bf7af8dd94241a8e5af2d50579e181fcbe0ccea8defda79c6d91920a
Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
Opcode Fuzzy Hash: 1696fd18bf7af8dd94241a8e5af2d50579e181fcbe0ccea8defda79c6d91920a
Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040535C, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec04; // 0x9005e
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						FindCloseChangeNotification(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a890;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f428, 8); // executed
							__eflags =  *0x42f4cc - _t150;
							if( *0x42f4cc == _t150) {
								_t113 =  *0x42a068; // 0x68b54c
								E0040521E( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00404154(1);
							goto L25;
						}
						 *0x429c60 = 2;
						E00404154(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041E2(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t150);
						ShowWindow(_v8, 8);
						E004041B0(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f434;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t128;
				_v8 = _t128;
				E004041B0( *0x42ebf0);
				 *0x42ebf4 = E00404AA1(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040417B(_a4);
				if(( *0x42f43c & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t150);
					if(( *0x42f43c & 0x00000002) != 0) {
						 *0x42ebf0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E004041B0( *0x42ebe8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f43c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405362
0x0040536a
0x0040536d
0x00405375
0x00405378
0x00405507
0x0040550d
0x0040552a
0x00405531
0x00405531
0x0040553d
0x00405543
0x00405565
0x00405565
0x0040556b
0x004055c0
0x004055c0
0x004055c3
0x00000000
0x00000000
0x004055c5
0x004055c8
0x004055cb
0x00000000
0x00000000
0x004055d5
0x004055db
0x004055dd
0x004055e0
0x004056dd
0x00000000
0x004056dd
0x004055ef
0x004055fb
0x00405604
0x0040560b
0x0040560f
0x00405612
0x0040561b
0x00405621
0x00405624
0x00405624
0x00405634
0x0040563a
0x0040563d
0x00405648
0x00405648
0x00405649
0x0040564c
0x00405653
0x0040565a
0x00405662
0x00405662
0x00405670
0x00405676
0x00405679
0x00405679
0x00405680
0x00405686
0x0040568f
0x00405696
0x0040569f
0x004056a1
0x004056a4
0x004056b3
0x004056b5
0x004056b8
0x004056b9
0x004056bc
0x004056bd
0x004056be
0x004056be
0x004056c6
0x004056d1
0x004056d7
0x004056d7
0x00000000
0x0040563d
0x0040556d
0x00405573
0x004055a1
0x004055a3
0x004055a9
0x004055ab
0x004055b4
0x004055b4
0x004055bb
0x00000000
0x004055bb
0x00405577
0x00405581
0x00000000
0x00405545
0x00405545
0x0040554b
0x00405586
0x00000000
0x0040558d
0x00405554
0x0040555b
0x00405560
0x00000000
0x00405560
0x00405543
0x0040537e
0x00405382
0x0040538a
0x0040538e
0x00405391
0x00405394
0x00405397
0x0040539a
0x0040539b
0x0040539c
0x004053b5
0x004053b8
0x004053c2
0x004053d1
0x004053d9
0x004053e1
0x004053e6
0x004053e9
0x004053f5
0x004053fe
0x00405407
0x00405429
0x0040542f
0x00405440
0x00405445
0x00405453
0x00405461
0x00405461
0x00405466
0x00405474
0x00405474
0x00405479
0x0040547c
0x00405481
0x0040548d
0x00405496
0x004054a3
0x004054b2
0x004054a5
0x004054aa
0x004054aa
0x004054be
0x004054be
0x004054d2
0x004054db
0x004054e4
0x004054f4
0x00405500
0x00405500
0x00000000

APIs

GetDlgItem.USER32 ref: 004053BB
GetDlgItem.USER32 ref: 004053CA
GetClientRect.USER32 ref: 00405407
GetSystemMetrics.USER32 ref: 0040540E
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
ShowWindow.USER32(?,00000008), ref: 004054AA
GetDlgItem.USER32 ref: 004054CB
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
GetDlgItem.USER32 ref: 004053D9

Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

GetDlgItem.USER32 ref: 0040551C
CreateThread.KERNELBASE ref: 0040552A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405531
ShowWindow.USER32(00000000), ref: 00405554
ShowWindow.USER32(?,00000008), ref: 0040555B
ShowWindow.USER32(00000008), ref: 004055A1
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
CreatePopupMenu.USER32 ref: 004055E6
AppendMenuA.USER32 ref: 004055FB
GetWindowRect.USER32 ref: 0040561B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
OpenClipboard.USER32(00000000), ref: 00405680
EmptyClipboard.USER32 ref: 00405686
GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
GlobalLock.KERNEL32 ref: 00405699
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
GlobalUnlock.KERNEL32(00000000), ref: 004056C6
SetClipboardData.USER32 ref: 004056D1
CloseClipboard.USER32 ref: 004056D7

Strings

Name Setup: Completed, xrefs: 0040564C

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Name Setup: Completed
API String ID: 4154960007-1721692471
Opcode ID: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
Opcode Fuzzy Hash: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 00403CA7, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a878 = _t35;
					if(_t116 == 0x110) {
						 *0x42f428 = _t126;
						 *0x42a88c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429858 = _t92;
						E0040417B(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // executed
						 *0x42ebec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a878 = 1;
					}
					_t123 =  *0x40a1dc; // 0x2
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f460;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041C7(0x40b);
						while(1) {
							_t37 =  *0x42a878; // 0x1
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0x2
							__eflags = _t39 -  *0x42f464;
							if(_t39 ==  *0x42f464) {
								E0040140B(1);
							}
							__eflags =  *0x42ebec - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x42f464; // 0x2
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040417B(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4cc - _t134;
							_v32 = _t49;
							if( *0x42f4cc != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040419D(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429858, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4cc - _t134;
							if( *0x42f4cc == _t134) {
								_push( *0x42a88c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429858);
							}
							E004041B0();
							E004060F7(0x42a890, E00403C88());
							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a890); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ebf8); // executed
									 *0x42a068 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x42ebf8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040417B(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ebec - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ebf8, 8); // executed
									E004041C7(0x405);
									goto L58;
								}
								__eflags =  *0x42f4cc - _t134;
								if( *0x42f4cc != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4c0 - _t134;
								if( *0x42f4c0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8); // executed
						 *0x42f428 = _t134;
						EndDialog(_t126,  *0x429c60); // executed
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041E2(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4cc - _t134;
										if( *0x42f4cc == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c60 = 1;
											L21:
											_push(0x78);
											L22:
											E00404154();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c60 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0x2
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b890 == _t134) {
							_t143 =  *0x42ebf8 - _t134; // 0x30290
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa); // executed
								 *0x42b890 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403cb0
0x00403cb9
0x00403dfa
0x00403dfe
0x00403e02
0x00403e04
0x00403e09
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e28
0x00403e2b
0x00403e30
0x00403e3e
0x00403e4b
0x00403e52
0x00403e52
0x00403e53
0x00403e53
0x00403e58
0x00403e5e
0x00403e65
0x00403e6b
0x00403e6d
0x00403ead
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00403ec5
0x00403ec7
0x00403ecc
0x00403ed2
0x00403ed6
0x00403ed6
0x00403edb
0x00403ee1
0x00000000
0x00000000
0x00403eec
0x00403ef2
0x00000000
0x00000000
0x00403efb
0x00403f03
0x00403f08
0x00403f0b
0x00403f11
0x00403f16
0x00403f19
0x00403f1f
0x00403f24
0x00403f27
0x00403f2d
0x00403f35
0x00403f3b
0x00403f41
0x00403f45
0x00403f4c
0x00403f4c
0x00403f4c
0x00403f56
0x00403f68
0x00403f74
0x00403f79
0x00403f83
0x00403f89
0x00403f8b
0x00403f90
0x00403f8d
0x00403f8d
0x00403f8d
0x00403fa0
0x00403fb8
0x00403fba
0x00403fc0
0x00403fd5
0x00403fc2
0x00403fcb
0x00403fcd
0x00403fcd
0x00403fdb
0x00403fec
0x00403ffd
0x00404004
0x0040400a
0x0040400e
0x00404013
0x00404015
0x00000000
0x0040401b
0x0040401b
0x0040401d
0x00000000
0x00000000
0x00404023
0x00404027
0x0040404c
0x00404052
0x00404058
0x0040405a
0x00000000
0x00000000
0x00404080
0x00404086
0x00404088
0x0040408d
0x00000000
0x00000000
0x00404093
0x00404096
0x00404099
0x004040b0
0x004040bc
0x004040d5
0x004040db
0x004040df
0x004040e4
0x004040ea
0x00000000
0x00000000
0x004040f4
0x004040ff
0x00000000
0x004040ff
0x00404029
0x0040402f
0x00000000
0x00000000
0x00404035
0x0040403b
0x00000000
0x00000000
0x00000000
0x00404041
0x00404015
0x0040410c
0x00404118
0x0040411f
0x00000000
0x00403e6f
0x00403e6f
0x00403e72
0x00403ea5
0x00403ea5
0x00403ea7
0x00000000
0x00000000
0x00000000
0x00403ea7
0x00403e74
0x00403e78
0x00403e7d
0x00403e7f
0x00000000
0x00000000
0x00403e8f
0x00403e97
0x00000000
0x00403e9d
0x00403ccb
0x00403ccb
0x00403ccf
0x00403cd4
0x00403ce3
0x00403ce3
0x00403cec
0x00403cf5
0x00403d00
0x00403d00
0x00403d0c
0x00403d28
0x00403d2b
0x00403d3e
0x00403d44
0x00403de7
0x00000000
0x00403df0
0x00403d4a
0x00403d57
0x00403d59
0x00403d5b
0x00403d7a
0x00403d7a
0x00403d7d
0x00403d82
0x00403d85
0x00403d95
0x00403d96
0x00403d98
0x00403dce
0x00403de1
0x00000000
0x00403de1
0x00403d9a
0x00403da0
0x00403db9
0x00403dbe
0x00403dc0
0x00000000
0x00000000
0x00403dc2
0x00403dae
0x00403dae
0x00403db0
0x00403db0
0x00000000
0x00403db0
0x00403da3
0x00403da8
0x00000000
0x00403da8
0x00403d87
0x00403d8d
0x00000000
0x00000000
0x00403d8f
0x00000000
0x00403d8f
0x00403d7f
0x00000000
0x00403d7f
0x00403d65
0x00403d6c
0x00403d72
0x00403d74
0x00000000
0x00000000
0x00000000
0x00403d74
0x00403d30
0x00000000
0x00403d0e
0x00403d14
0x00403d1e
0x00404125
0x0040412b
0x0040412d
0x00404133
0x00404138
0x0040413e
0x0040413e
0x00404133
0x00404148
0x00000000
0x00404148
0x00403d0c

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
ShowWindow.USER32(?), ref: 00403D00
DestroyWindow.USER32 ref: 00403D14
SetWindowLongA.USER32 ref: 00403D30
GetDlgItem.USER32 ref: 00403D51
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
IsWindowEnabled.USER32(00000000), ref: 00403D6C
GetDlgItem.USER32 ref: 00403E1A
GetDlgItem.USER32 ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
GetDlgItem.USER32 ref: 00403F35
ShowWindow.USER32(00000000,?), ref: 00403F56
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F68
EnableWindow.USER32(?,?), ref: 00403F83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
EnableMenuItem.USER32 ref: 00403FA0
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
lstrlenA.KERNEL32(Name Setup: Completed,?,Name Setup: Completed,00000000), ref: 00403FF5
SetWindowTextA.USER32(?,Name Setup: Completed), ref: 00404004
ShowWindow.USER32(?,0000000A), ref: 00404138

Strings

Name Setup: Completed, xrefs: 00403FE5, 00403FEB, 00403FF4, 00404002

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID: Name Setup: Completed
API String ID: 3906175533-1721692471
Opcode ID: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
Opcode Fuzzy Hash: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040390A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040390A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f434;
				_t17 = E00406500(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a890;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
					__eflags =  *0x42a890; // 0x4e
					if(__eflags == 0) {
						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00406055("1033",  *_t17() & 0x0000ffff);
				}
				E00403BCF(_t71, _t84);
				_t80 = "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel";
				 *0x42f4c0 =  *0x42f43c & 0x00000020;
				 *0x42f4dc = 0x10000;
				if(E00405B7D(_t84, "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel") != 0) {
					L16:
					if(E00405B7D(_t92, _t80) == 0) {
						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42ec08 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BCF(_t71, __eflags);
							__eflags =  *0x42f4e0;
							if( *0x42f4e0 != 0) {
								_t28 = E004052F0(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a870, 5); // executed
							_t34 = E00406492("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E00406492("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebc0);
								 *0x42ebe4 = _t81;
								RegisterClassA(0x42ebc0);
							}
							_t36 =  *0x42ec00; // 0x0
							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0); // executed
							E0040385A(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f420;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebd4 = _t25;
						 *0x42ebe4 = 0x40a1f4;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3c0;
					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
					_t57 =  *0x42e3c0; // 0x3a
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3c1;
						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E004060F7(_t80, E00405A8F(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405AD6(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403910
0x00403919
0x00403920
0x00403922
0x00403936
0x00403948
0x0040394f
0x00403956
0x0040395c
0x00403961
0x00403967
0x0040397a
0x0040397a
0x00403985
0x00403924
0x0040392f
0x0040392f
0x0040398a
0x00403994
0x0040399d
0x004039a2
0x004039b3
0x00403a3a
0x00403a42
0x00403a4b
0x00403a4b
0x00403a61
0x00403a67
0x00403a75
0x00403af6
0x00403afe
0x00403b08
0x00403b0d
0x00403b13
0x00403b9d
0x00403ba2
0x00403ba4
0x00403bc0
0x00000000
0x00403bc0
0x00403ba6
0x00403bac
0x00403bb4
0x00403bb4
0x00000000
0x00403bac
0x00403b21
0x00403b2c
0x00403b31
0x00403b33
0x00403b3a
0x00403b3a
0x00403b45
0x00403b4d
0x00403b4f
0x00403b51
0x00403b5a
0x00403b5d
0x00403b63
0x00403b63
0x00403b69
0x00403b82
0x00403b93
0x00000000
0x00403b98
0x00403b00
0x00403b02
0x00000000
0x00403a77
0x00403a77
0x00403a83
0x00403a8d
0x00403a93
0x00403a98
0x00403aa7
0x00403bc5
0x00403bc5
0x00000000
0x00403bc5
0x00403ab6
0x00403af1
0x00000000
0x00403af1
0x004039b9
0x004039b9
0x004039bc
0x004039be
0x00000000
0x00000000
0x004039c8
0x004039d8
0x004039dd
0x004039e4
0x00000000
0x00000000
0x004039e8
0x004039ea
0x004039f7
0x004039f7
0x004039ff
0x00403a05
0x00403a2d
0x00403a35
0x00000000
0x00403a17
0x00403a18
0x00403a21
0x00403a27
0x00403a28
0x00000000
0x00403a28
0x00403a23
0x00403a25
0x00000000
0x00000000
0x00000000
0x00403a25
0x00403a05

APIs

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

lstrcatA.KERNEL32(1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,747DFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,00000000), ref: 00403985
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,747DFA90), ref: 004039FA
lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000), ref: 00403A0D
GetFileAttributesA.KERNEL32(: Completed), ref: 00403A18
LoadImageA.USER32 ref: 00403A61

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

RegisterClassA.USER32 ref: 00403A9E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
CreateWindowExA.USER32 ref: 00403AEB
ShowWindow.USER32(00000005,00000000), ref: 00403B21
GetClassInfoA.USER32 ref: 00403B4D
GetClassInfoA.USER32 ref: 00403B5A
RegisterClassA.USER32 ref: 00403B63
DialogBoxParamA.USER32 ref: 00403B82

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040393E
1033, xrefs: 0040392A, 00403980
C:\Users\user\AppData\Local\Temp\, xrefs: 0040390F
"C:\Users\user\Desktop\dY5HmgsBm6.exe" , xrefs: 0040390E
RichEd20, xrefs: 00403B27
_Nb, xrefs: 00403A7D, 00403AE5
Name Setup: Completed, xrefs: 00403936, 0040393C, 00403961, 0040396A, 0040397F
.exe, xrefs: 00403A07
.DEFAULT\Control Panel\International, xrefs: 00403970
RichEdit20A, xrefs: 00403B45, 00403B4B
: Completed, xrefs: 004039C8, 004039D0, 004039DD, 00403A27, 00403A2D
C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00403994, 0040399C, 00403A34, 00403A3A, 00403A4A
RichEdit, xrefs: 00403B54
RichEd32, xrefs: 00403B35

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\dY5HmgsBm6.exe" $.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\CachemanControlPanel$Control Panel\Desktop\ResourceLocale$Name Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-575938592
Opcode ID: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
Opcode Fuzzy Hash: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA1, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EA1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\engineer\\Desktop\\dY5HmgsBm6.exe";
				 *0x42f430 = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\engineer\\Desktop\\dY5HmgsBm6.exe", 0x400);
				_t89 = E00405C90(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\engineer\\Desktop";
				E004060F7("C:\\Users\\engineer\\Desktop", _t91);
				E004060F7("dY5HmgsBm6.exe", E00405AD6(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x42944c = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E3D(1);
					__eflags =  *0x42f438 - _t82;
					if( *0x42f438 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E00403300( *0x42f438 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030D8(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42f434 = _t94;
							 *0x42f43c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42f440 =  *0x42f440 + 1;
								__eflags =  *0x42f440;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405C4B(0x42f460, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403300( *0x41d440);
					_t65 = E004032EA( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032EA(0x415440, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E3D(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42f438;
						if( *0x42f438 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E3D(0);
							}
							goto L20;
						}
						E00405C4B( &_v44, 0x415440, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x41d440; // 0x27469f
						 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42f438 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x42944c; // 0x2746a3
						if(__eflags < 0) {
							_v12 = E004065B7(_v12, 0x415440, _t90);
						}
						 *0x41d440 =  *0x41d440 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ea9
0x00402eac
0x00402eaf
0x00402eb2
0x00402eb8
0x00402ec9
0x00402ece
0x00402ee1
0x00402ee6
0x00402ee9
0x00402eef
0x00000000
0x00402ef1
0x00402efc
0x00402f02
0x00402f13
0x00402f1a
0x00402f20
0x00402f22
0x00402f27
0x00402f29
0x00403014
0x00403016
0x0040301b
0x00403022
0x00000000
0x00000000
0x00403024
0x00403027
0x0040304b
0x00403056
0x00403061
0x00403066
0x00403069
0x0040306a
0x0040306b
0x0040306d
0x00403072
0x00403075
0x00403088
0x0040308c
0x00403094
0x00403099
0x0040309b
0x0040309b
0x0040309b
0x004030a3
0x004030a3
0x004030a6
0x004030a7
0x004030a7
0x004030aa
0x004030ac
0x004030ac
0x004030ac
0x004030b6
0x004030bc
0x004030ca
0x004030cf
0x00000000
0x004030cf
0x00000000
0x00403075
0x0040302f
0x0040303a
0x0040303f
0x00403041
0x00000000
0x00000000
0x00403046
0x00403049
0x00000000
0x00000000
0x00000000
0x00402f2f
0x00402f34
0x00402f39
0x00402f3d
0x00402f44
0x00402f49
0x00402f4b
0x00402f4d
0x00402f4d
0x00402f51
0x00402f56
0x00402f58
0x00403080
0x00403077
0x00000000
0x00403077
0x00402f5e
0x00402f65
0x00402fe1
0x00402fe5
0x00402fe9
0x00402fee
0x00000000
0x00402fe5
0x00402f6e
0x00402f73
0x00402f76
0x00402f7b
0x00000000
0x00000000
0x00402f7d
0x00402f84
0x00000000
0x00000000
0x00402f86
0x00402f8d
0x00000000
0x00000000
0x00402f8f
0x00402f96
0x00000000
0x00000000
0x00402f98
0x00402f9f
0x00000000
0x00000000
0x00402fa1
0x00402fa7
0x00402fb0
0x00402fb6
0x00402fb9
0x00402fbb
0x00402fc1
0x00000000
0x00000000
0x00402fc7
0x00402fcb
0x00402fd3
0x00402fd3
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fdd
0x00402fdd
0x00000000
0x00402fdb
0x00402fcd
0x00402fd1
0x00000000
0x00000000
0x00000000
0x00402fef
0x00402fef
0x00402ff5
0x00403001
0x00403001
0x00403004
0x0040300a
0x0040300a
0x0040300a
0x00403012
0x00403012
0x00000000
0x00403012

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\dY5HmgsBm6.exe,00000400), ref: 00402ECE

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dY5HmgsBm6.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

GetFileSize.KERNEL32(00000000,00000000,dY5HmgsBm6.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\dY5HmgsBm6.exe,C:\Users\user\Desktop\dY5HmgsBm6.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050

Strings

@TA, xrefs: 00402F2F
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
Error launching installer, xrefs: 00402EF1
soft, xrefs: 00402F8F
C:\Users\user\Desktop\dY5HmgsBm6.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
Null, xrefs: 00402F98
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
Inst, xrefs: 00402F86
"C:\Users\user\Desktop\dY5HmgsBm6.exe" , xrefs: 00402EA1
dY5HmgsBm6.exe, xrefs: 00402F0E

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\dY5HmgsBm6.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\dY5HmgsBm6.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$dY5HmgsBm6.exe$soft
API String ID: 2803837635-1120317479
Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040618A, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ebfc; // 0x68bf12
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f478;
				_t39 = 0x42e3c0;
				_t90 = 0x42e3c0;
				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3c0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E00406055(_t90,  *0x42f428);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004063D2(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f42c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4c4;
						if( *0x42f4c4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f424;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E0040618A(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E004060F7(_a4, _t39);
			}

0x0040618a
0x0040618a
0x0040618a
0x00406190
0x00406195
0x00406197
0x004061a6
0x004061a6
0x004061ae
0x004061af
0x004061b0
0x004061b1
0x004061b4
0x004061bc
0x004061be
0x004061d5
0x004061d8
0x004061d8
0x004063af
0x004063af
0x004063b3
0x00000000
0x00000000
0x004061e5
0x004061eb
0x00000000
0x00000000
0x004061f1
0x004061f2
0x004061f5
0x004061f8
0x004063a2
0x004063ac
0x004063ae
0x004063ae
0x004063a4
0x004063a6
0x004063a8
0x004063a9
0x004063a9
0x00000000
0x004063a2
0x004061fe
0x00406202
0x00406212
0x00406219
0x0040621c
0x00406224
0x00406227
0x0040622e
0x0040622f
0x00406232
0x0040634f
0x00406352
0x00406382
0x00406385
0x0040638a
0x0040638e
0x0040638e
0x00406393
0x00406399
0x0040639b
0x00000000
0x0040639b
0x00406354
0x00406357
0x0040636c
0x00406373
0x00406359
0x00406360
0x00406360
0x0040637b
0x0040637e
0x00406347
0x00406348
0x00406348
0x00000000
0x0040637e
0x00406238
0x0040623f
0x00406241
0x00406242
0x0040625c
0x0040625c
0x00406263
0x00406263
0x0040626a
0x0040626e
0x0040626e
0x0040626f
0x00406271
0x004062aa
0x004062ad
0x004062bd
0x004062c0
0x004062c8
0x004062ce
0x004062ce
0x0040632d
0x0040632d
0x0040632f
0x00000000
0x00000000
0x004062d2
0x004062d9
0x004062da
0x004062dc
0x004062f6
0x00406304
0x0040630a
0x0040630c
0x0040632a
0x0040632a
0x0040632a
0x00000000
0x0040632a
0x00406312
0x0040631b
0x0040631e
0x00406324
0x00406328
0x00000000
0x00000000
0x00000000
0x00406328
0x004062de
0x004062e1
0x00000000
0x00000000
0x004062f0
0x004062f2
0x004062f4
0x00000000
0x00000000
0x00000000
0x004062f4
0x00000000
0x0040632d
0x004062b5
0x00000000
0x00406273
0x0040628e
0x00406293
0x00406296
0x00406336
0x00406336
0x0040633a
0x00406342
0x00406342
0x00000000
0x0040633a
0x004062a0
0x00406331
0x00406331
0x00406334
0x00000000
0x00000000
0x00000000
0x00406334
0x00406271
0x00406244
0x00406248
0x00000000
0x00000000
0x0040624a
0x0040624e
0x00000000
0x00000000
0x00406250
0x00406254
0x00000000
0x00406256
0x00406256
0x00000000
0x00406256
0x00406254
0x004063b9
0x004063c3
0x004063cf
0x004063cf
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062B5
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,00405256,Completed,00000000), ref: 004062C8
SHGetSpecialFolderLocation.SHELL32(00405256,747DEA30,?,Completed,00000000,00405256,Completed,00000000), ref: 00406304
SHGetPathFromIDListA.SHELL32(747DEA30,: Completed), ref: 00406312
CoTaskMemFree.OLE32(747DEA30), ref: 0040631E
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,00405256,Completed,00000000,00000000,00427A9C,747DEA30), ref: 00406394

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406284
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040633C
: Completed, xrefs: 004061B4, 00406281, 00406282, 00406283, 0040629F, 004062B4, 004062C7, 004062E3, 0040630E, 00406341, 00406347, 0040635F, 00406372, 0040638D, 00406393, 0040639B, 004063C5
Completed, xrefs: 004061AF

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-905382516
Opcode ID: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
Opcode Fuzzy Hash: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405AFC(_t82);
				_push(_t82);
				_t83 = "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel\\CachemanControlPanel.exe";
				if(_t33 == 0) {
					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel")), ??);
				} else {
					E004060F7();
				}
				E004063D2(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040646B(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C6B(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E0040521E(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4c8;
						goto L32;
					} else {
						E004060F7(0x40ac38, 0x430000);
						E004060F7(0x430000, _t83);
						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\engineer\AppData\Roaming\CachemanControlPanel",  *((intOrPtr*)(_t85 - 0x14)));
						E004060F7(0x430000, 0x40ac38);
						_t62 = E00405813("C:\Users\engineer\AppData\Roaming\CachemanControlPanel",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E0040521E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E0040521E(0xffffffea,  *(_t85 - 8)); // executed
				 *0x42f4f4 =  *0x42f4f4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E004030D8(); // executed
				 *0x42f4f4 =  *0x42f4f4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405813();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe,C:\Users\user\AppData\Roaming\CachemanControlPanel,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe,C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe,00000000,00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe,C:\Users\user\AppData\Roaming\CachemanControlPanel,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00427A9C,747DEA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Strings

C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00401786
C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\CachemanControlPanel$C:\Users\user\AppData\Roaming\CachemanControlPanel$C:\Users\user\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe
API String ID: 1941528284-2624279985
Opcode ID: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
Opcode Fuzzy Hash: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040521E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040521E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x9005e
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f4f4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
					}
					_t26 = lstrlenA(0x42a070);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a070;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a070)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a070, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405224
0x00405230
0x00405233
0x00405239
0x00405245
0x00405248
0x0040524b
0x00405251
0x00405251
0x00405257
0x0040525f
0x00405262
0x0040527f
0x00405283
0x0040528c
0x0040528c
0x00405296
0x0040529f
0x004052ab
0x004052b2
0x004052b6
0x004052b9
0x004052cc
0x004052da
0x004052da
0x004052de
0x004052e0
0x004052e3
0x00000000
0x004052e3
0x00405264
0x0040526c
0x00405274
0x0040527a
0x00000000
0x0040527a
0x00405274
0x00405262
0x004052ed

APIs

lstrlenA.KERNEL32(Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
lstrlenA.KERNEL32(00403233,Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00427A9C,747DEA30), ref: 0040527A
SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Strings

Completed, xrefs: 0040523E, 00405250, 00405256, 00405279, 00405285

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
Opcode Fuzzy Hash: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406492(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004064a9
0x004064b2
0x004064b4
0x004064b4
0x004064b8
0x004064ca
0x004064c4
0x004064c4
0x004064c4
0x004064ce
0x004064e2
0x004064f6
0x004064fd

APIs

GetSystemDirectoryA.KERNEL32 ref: 004064A9
wsprintfA.USER32 ref: 004064E2
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Strings

%s%s.dll, xrefs: 004064DC
UXTHEME, xrefs: 0040649B
\, xrefs: 004064BA

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x421448;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403300( *0x42f498 + _t62);
				}
				if(E004032EA( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004032EA(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004032EA(0x41d448, _t98) == 0) {
								goto L41;
							}
							if(E00405D37(_a8, 0x41d448, _t98) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40bdac =  *0x40bdac & 0x00000000;
					 *0x40bda8 =  *0x40bda8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b890 = 8;
					 *0x415438 = 0x40d430;
					 *0x415434 = 0x40d430;
					 *0x415430 = 0x415430;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004032EA(0x41d448, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40b880 = 0x41d448;
						 *0x40b884 = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40b888 = _t95;
							 *0x40b88c = _v12;
							_t75 = E00406625(0x40b880);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40b888; // 0x427a9c
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040521E(0,  &_v88); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40b888; // 0x427a9c
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405D37(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004030e0
0x004030e4
0x004030e7
0x004030ec
0x004030ee
0x004030ee
0x004030f5
0x004030f9
0x004030fe
0x00403100
0x00403100
0x00403107
0x0040310c
0x00403117
0x00403117
0x00403129
0x004032d8
0x004032d8
0x00000000
0x0040312f
0x00403133
0x00403285
0x004032c8
0x004032ca
0x004032ca
0x004032d6
0x004032dd
0x004032e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004032d6
0x0040328a
0x00000000
0x00000000
0x0040328c
0x0040328f
0x00403292
0x00403295
0x00403297
0x00403297
0x004032a7
0x00000000
0x00000000
0x004032b5
0x0040327f
0x0040327f
0x004032da
0x004032da
0x00000000
0x004032da
0x004032b7
0x004032ba
0x004032c1
0x00000000
0x00000000
0x00000000
0x004032c3
0x00000000
0x0040328f
0x0040313f
0x00403141
0x00403148
0x0040314f
0x0040314f
0x00403156
0x0040315e
0x00403168
0x0040316d
0x00403175
0x0040317f
0x00403182
0x00000000
0x00000000
0x00000000
0x00000000
0x00403188
0x00403188
0x00403188
0x00403190
0x00403192
0x00403192
0x004031a3
0x00000000
0x00000000
0x004031a9
0x004031ac
0x004031b2
0x004031b8
0x004031b8
0x004031c3
0x004031c9
0x004031ce
0x004031d5
0x004031d8
0x00000000
0x00000000
0x004031de
0x004031e4
0x004031e6
0x004031ef
0x004031f1
0x0040321f
0x00403225
0x0040322e
0x00403233
0x00403233
0x00403238
0x00403273
0x00000000
0x00000000
0x00000000
0x0040323a
0x0040323e
0x00403255
0x0040325a
0x0040325d
0x00403260
0x00403263
0x00403267
0x00000000
0x00000000
0x00000000
0x0040326d
0x00403247
0x0040324e
0x00000000
0x00000000
0x00403250
0x00000000
0x00403250
0x00403238
0x0040327b
0x00000000
0x0040327b
0x00000000
0x00403188

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040320F
wsprintfA.USER32 ref: 0040321F

Strings

... %d%%, xrefs: 00403219

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405cc3
0x00405cc9
0x00405cca
0x00405cca
0x00405ccf
0x00405cd0
0x00405cd3
0x00405cdd
0x00405cea
0x00405ced
0x00405cf5
0x00000000
0x00000000
0x00405cf9
0x00000000
0x00000000
0x00405cfb
0x00000000
0x00405cfb
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405CD3
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
nsa, xrefs: 00405CCA
"C:\Users\user\Desktop\dY5HmgsBm6.exe" , xrefs: 00405CBF

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\dY5HmgsBm6.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3612807059
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405B28(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405ABA(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405761(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E004056E4(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E004060F7("C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,747DFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056E4: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\CachemanControlPanel,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00401631

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\CachemanControlPanel
API String ID: 1892508949-2369850399
Opcode ID: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
Opcode Fuzzy Hash: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405796(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c098->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040579f
0x004057bf
0x004057c7
0x004057cc
0x00000000
0x004057d2
0x004057d6

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
CloseHandle.KERNEL32(?), ref: 004057CC

Strings

Error launching installer, xrefs: 004057A9

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f470;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec0c =  *0x42ec0c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004052F0, Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E004052F0(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x42f468;
				_t10 =  *0x42f46c;
				__imp__OleInitialize(0);
				 *0x42f4f8 =  *0x42f4f8 | __eax;
				E004041C7(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					while(1) {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
							break;
						}
						_t12 = _t12 + 0x418;
						if(_t10 != 0) {
							continue;
						} else {
						}
						goto L7;
					}
					 *0x42f4cc =  *0x42f4cc + 1;
				}
				L7:
				E004041C7(0x404); // executed
				__imp__OleUninitialize(); // executed
				return  *0x42f4cc;
			}

0x004052f1
0x004052f8
0x00405300
0x00405306
0x0040530e
0x00405315
0x00405317
0x0040531a
0x0040531a
0x0040531f
0x00000000
0x00000000
0x00405330
0x00405338
0x00000000
0x00000000
0x0040533a
0x00000000
0x00405338
0x0040533c
0x0040533c
0x00405342
0x00405347
0x0040534c
0x00405359

APIs

OleInitialize.OLE32(00000000), ref: 00405300

Part of subcall function 004041C7: SendMessageA.USER32(00030290,00000000,00000000,00000000), ref: 004041D9

OleUninitialize.OLE32(00000404,00000000), ref: 0040534C

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 27348f06ce87f1f66077e23d5001c35af5604e3d0fe1afc9f40ed646d81b47df
Instruction ID: d823475d3c08908343a682022f3e0037ab1e92dd3cc8d49a61ca0bec2af1321f
Opcode Fuzzy Hash: 27348f06ce87f1f66077e23d5001c35af5604e3d0fe1afc9f40ed646d81b47df
Instruction Fuzzy Hash: 75F090766006018AE3616B549D05B577370DFA0341F95413BFF48B32E0D6F5584A8E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406500(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E00406492(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406508
0x0040650b
0x00406512
0x0040651a
0x00406526
0x00000000
0x0040652d
0x0040651d
0x00406524
0x00000000
0x00406535
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C90(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c94
0x00405ca1
0x00405cb6
0x00405cbc

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dY5HmgsBm6.exe,80000000,00000003), ref: 00405C94
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6B, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C6B(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405c70
0x00405c76
0x00405c7b
0x00405c84
0x00405c84
0x00405c8d

APIs

GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405761(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405767
0x0040576f
0x00000000
0x00405775
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D08(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d0c
0x00405d1c
0x00405d24
0x00000000
0x00405d2b
0x00000000
0x00405d2d

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D37(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d3b
0x00405d4b
0x00405d53
0x00000000
0x00405d5a
0x00000000
0x00405d5c

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004041C7, Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041C7(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x42ebf8; // 0x30290
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004041c7
0x004041ce
0x004041d9
0x00000000
0x004041d9
0x004041df

APIs

SendMessageA.USER32(00030290,00000000,00000000,00000000), ref: 004041D9

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction ID: 4f5bfb943ccb7372f266285400f959559a3f08b639bcfa815988f1d16fb7a589
Opcode Fuzzy Hash: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction Fuzzy Hash: A5C09BB17447017FEE20CB659D49F0777586750700F2544397755F60D4C674E461D61C

Uniqueness

Uniqueness Score: -1.00%

Function 00403300, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403300(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040330e
0x00403314

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 004041B0, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041B0(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x42f428, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004041be
0x004041c4

APIs

SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction ID: 1318e1a831b13f4a694e23e2858010ee9933afb9cbbae162fbad06e3603bfc21
Opcode Fuzzy Hash: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction Fuzzy Hash: A9B09236284A00ABDA215B50DE09F4A7A72A768701F408039B240250B0CAB200A5EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040419D, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040419D(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x42a88c, _a4); // executed
				return _t2;
			}

0x004041a7
0x004041ad

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F79), ref: 004041A7

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction ID: f9921b4c88a1a0ed6e9c6eedf741b01f94502565facb500019f25752580a62db
Opcode Fuzzy Hash: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction Fuzzy Hash: C5A011B2000000AFCB02AB00EF08C0ABBA2ABA0300B008838A280800388B320832EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F7B() {
				void* _t8;
				void* _t12;
				void* _t14;
				void* _t16;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402BCE(_t14);
				E0040521E(0xffffffeb, _t6); // executed
				_t8 = E00405796(_t19); // executed
				_t20 = _t8;
				if(_t20 == _t14) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t14) {
						_t12 = E00406575(_t16, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t14) {
							if(_t12 != _t14) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406055(_t17, _t12);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f81
0x00401f86
0x00401f8c
0x00401f91
0x00401f95
0x004027bf
0x00401f9b
0x00401f9e
0x00401fa1
0x00401fa9
0x00401fb6
0x00401fb8
0x00401fb8
0x00401fab
0x00401fad
0x00401fad
0x00401fa9
0x00401fbf
0x00401fc0
0x00401fc0
0x00402a5d
0x00402a69

APIs

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00427A9C,747DEA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
Part of subcall function 00406575: GetExitCodeProcess.KERNEL32 ref: 004065A8

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
Opcode Fuzzy Hash: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403830, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403830() {
				void* _t1;
				signed int _t6;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
					_t6 =  *0x40a018;
				}
				E00403875();
				return E004058BF(_t6, 0x436800, 7);
			}

0x00403830
0x00403838
0x0040383b
0x00403841
0x00403841
0x00403841
0x00403848
0x00403859

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
Instruction ID: 504de9a345f4e041b5d785333e0db00fbf57b3530eebac313f647de5124f4253
Opcode Fuzzy Hash: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
Instruction Fuzzy Hash: D3C01231540704B6D1247F759D4F9093A58AB45736B608775B0F5B00F1D73C8669456D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040460D, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;
				void* _t205;

				_t156 = __edx;
				_t82 =  *0x42a068; // 0x68b54c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004057F7(0x3fb, _t146);
					E004063D2(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004057F7(0x3fb, _t146);
							if(E00405B7D(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E004060F7(0x429860, _t146);
							_t87 = E00406500(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E004060F7(0x429860, _t146);
								_t89 = E00405B28(0x429860);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429860) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405AD6(0x429860);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429860) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404AA1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ebfc; // 0x68bf12
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A89(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429850);
									} else {
										E004049C4(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f4e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040419D(0 | _v8 == _t158);
								if(_v8 == _t158) {
									_t205 =  *0x42a880 - _t158; // 0x0
									if(_t205 == 0) {
										E00404566();
									}
								}
								 *0x42a880 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a890;
							_v60 = E0040495E;
							_v56 = _t146;
							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A8F(_t146);
								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel") {
									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
										lstrcatA(_t146, 0x42e3c0);
									}
								}
								 *0x42a880 =  *0x42a880 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					} else {
						_a8 = 0x40f;
						goto L12;
					}
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
						E00405A8F(_t146);
					}
					 *0x42ebf8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040417B(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040417B(_t166);
					E004041B0(_t165);
					_t138 = E00406500(8);
					if(_t138 == 0) {
						L53:
						return E004041E2(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040460d
0x00404613
0x00404619
0x00404626
0x00404634
0x00404637
0x0040463f
0x00404645
0x00404645
0x00404651
0x00404654
0x004046c2
0x004046c9
0x004047a0
0x004047a7
0x004047b6
0x004047b6
0x004047ba
0x004047c4
0x004047d1
0x004047d3
0x004047d3
0x004047e1
0x004047e8
0x004047ef
0x004047f2
0x00404829
0x0040482b
0x00404831
0x00404836
0x0040483a
0x0040483c
0x0040483c
0x00404858
0x00000000
0x0040485a
0x0040485d
0x0040486b
0x00404871
0x00404872
0x00404875
0x00404878
0x00000000
0x00404878
0x004047f4
0x004047f6
0x004047fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004047fc
0x004047fc
0x00404809
0x0040480e
0x00000000
0x00000000
0x00404812
0x00404814
0x00404814
0x0040481c
0x0040481e
0x00404821
0x00404824
0x00404827
0x00000000
0x00000000
0x00000000
0x00000000
0x00404827
0x00404884
0x0040488e
0x00404891
0x00404894
0x0040489b
0x0040489b
0x0040489d
0x0040489d
0x004048a2
0x004048a4
0x004048ac
0x004048b3
0x004048b5
0x004048c0
0x004048c0
0x004048b5
0x004048c7
0x004048d0
0x004048da
0x004048e2
0x004048fd
0x004048e4
0x004048ed
0x004048ed
0x004048e2
0x00404902
0x00404907
0x0040490c
0x00404915
0x00404915
0x0040491e
0x00404920
0x00404920
0x0040492c
0x00404934
0x00404936
0x0040493c
0x0040493e
0x0040493e
0x0040493c
0x00404943
0x00000000
0x00404943
0x004047f2
0x004047a9
0x004047b0
0x00000000
0x00000000
0x00000000
0x004047b0
0x004046cf
0x004046d8
0x004046f2
0x004046f7
0x00404701
0x00404708
0x00404714
0x00404717
0x0040471a
0x00404721
0x00404729
0x0040472c
0x00404730
0x00404737
0x0040473f
0x00404799
0x00404741
0x00404742
0x00404749
0x00404753
0x0040475b
0x00404768
0x0040477c
0x00404780
0x00404780
0x0040477c
0x00404785
0x00404792
0x00404792
0x0040473f
0x00000000
0x004046f7
0x004046e5
0x00000000
0x004046eb
0x004046eb
0x00000000
0x004046eb
0x00404656
0x00404663
0x0040466c
0x00404679
0x00404679
0x00404680
0x00404686
0x0040468f
0x00404692
0x00404695
0x0040469d
0x004046a0
0x004046a3
0x004046a9
0x004046b0
0x004046b7
0x00404949
0x0040495b
0x004046bd
0x004046c0
0x00000000
0x004046c0
0x004046b7

APIs

GetDlgItem.USER32 ref: 0040465C
SetWindowTextA.USER32(00000000,?), ref: 00404686
SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
CoTaskMemFree.OLE32(00000000), ref: 00404742
lstrcmpiA.KERNEL32(: Completed,Name Setup: Completed,00000000,?,?), ref: 00404774
lstrcatA.KERNEL32(?,: Completed), ref: 00404780
SetDlgItemTextA.USER32 ref: 00404792

Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A

Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
Part of subcall function 004063D2: CharPrevA.USER32(?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B

Part of subcall function 004049C4: lstrlenA.KERNEL32(Name Setup: Completed,Name Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D

Strings

Name Setup: Completed, xrefs: 0040470A, 0040476D
: Completed, xrefs: 0040476E, 00404773, 0040477E
A, xrefs: 00404730
C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 0040475D

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Roaming\CachemanControlPanel$Name Setup: Completed
API String ID: 2624150263-1178911408
Opcode ID: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
Opcode Fuzzy Hash: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B7D(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4c8 =  *0x42f4c8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E004060F7(0x42b898, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405AD6(_t73);
					} else {
						lstrcatA(0x42b898, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b898,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E004060F7(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405877(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E0040521E(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4c8 =  *0x42f4c8 + 1;
										} else {
											E0040521E(0xfffffff1, _t73);
											E00405ED6(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004058BF(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b898 - 0x5c;
					if( *0x42b898 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040646B(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A8F(_t73);
							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E0040521E(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E0040521E(0xfffffff1, _t73);
							return E00405ED6(_t72, _t73, 0);
						}
						L33:
						 *0x42f4c8 =  *0x42f4c8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004058c9
0x004058ce
0x004058d7
0x004058da
0x004058e2
0x004058e5
0x004058e8
0x004058f0
0x004058f2
0x004058f3
0x00000000
0x004058f3
0x004058fe
0x00405901
0x00405901
0x00405901
0x00405905
0x00405918
0x0040591f
0x00405924
0x00405928
0x00405938
0x0040592a
0x00405930
0x00405930
0x0040593d
0x00405940
0x0040594b
0x00405951
0x00405956
0x00405966
0x00405968
0x0040596e
0x00405971
0x00405974
0x00405a2c
0x00405a2c
0x00405a30
0x00405a32
0x00405a32
0x00405a32
0x00405a32
0x00000000
0x00000000
0x00000000
0x00000000
0x0040597a
0x0040597a
0x00405983
0x00405989
0x0040598e
0x00405991
0x00405993
0x00405997
0x00405999
0x00405999
0x00405997
0x0040599c
0x0040599f
0x004059b2
0x004059b4
0x004059b9
0x004059c0
0x004059db
0x004059e0
0x004059e2
0x00405a06
0x004059e4
0x004059e4
0x004059e7
0x004059fb
0x004059e9
0x004059ec
0x004059f4
0x004059f4
0x004059e7
0x004059c2
0x004059c8
0x004059ca
0x004059d0
0x004059d0
0x004059ca
0x00000000
0x004059c0
0x004059a1
0x004059a4
0x004059a6
0x00000000
0x00000000
0x004059a8
0x004059aa
0x00000000
0x00000000
0x004059ac
0x004059b0
0x00000000
0x00000000
0x00000000
0x00405a0b
0x00405a15
0x00405a1b
0x00405a1b
0x00405a26
0x00000000
0x00405a26
0x00405942
0x00405949
0x00000000
0x00000000
0x00000000
0x00405907
0x00405907
0x00405909
0x00405a36
0x00405a38
0x00405a3b
0x00405a8c
0x00405a8c
0x00405a8c
0x00405a3d
0x00405a40
0x00405a4b
0x00405a50
0x00405a52
0x00000000
0x00000000
0x00405a55
0x00405a61
0x00405a66
0x00405a68
0x00000000
0x00405a83
0x00405a6a
0x00405a6d
0x00000000
0x00000000
0x00405a72
0x00000000
0x00405a79
0x00405a42
0x00405a42
0x00000000
0x00405a42
0x0040590f
0x00405912
0x00000000
0x00000000
0x00000000
0x00405912

APIs

DeleteFileA.KERNEL32(?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
FindClose.KERNEL32(00000000), ref: 00405A26

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
\*.*, xrefs: 0040592A
"C:\Users\user\Desktop\dY5HmgsBm6.exe" , xrefs: 004058BF

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\dY5HmgsBm6.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-784778613
Opcode ID: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
Opcode Fuzzy Hash: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405AFC( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\engineer\\AppData\\Roaming\\CachemanControlPanel");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Roaming\CachemanControlPanel, xrefs: 00402230

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\CachemanControlPanel
API String ID: 123533781-2369850399
Opcode ID: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
Opcode Fuzzy Hash: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040646B(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0e0);
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c0e0;
			}

0x00406476
0x0040647f
0x00000000
0x0040648c
0x00406482
0x00000000

APIs

FindFirstFileA.KERNEL32(747DFA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,747DFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,747DFA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
FindClose.KERNEL32(00000000), ref: 00406482

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E00406055(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E004060F7();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
Opcode Fuzzy Hash: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406945, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406945(signed int __ebx, signed int* __esi) {
				signed int _t367;
				signed int _t396;
				signed int _t413;
				signed int _t414;
				signed int* _t417;
				void* _t419;

				L0:
				while(1) {
					L0:
					_t417 = __esi;
					_t396 = __ebx;
					if( *(_t419 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t414 = _t413 | 0xffffffff;
							 *_t417 = 0x11;
							L10:
							_t417[0x147] =  *(_t419 - 0x40);
							_t417[0x146] = _t396;
							( *(_t419 + 8))[1] =  *(_t419 - 0x34);
							L11:
							 *( *(_t419 + 8)) =  *(_t419 - 0x38);
							_t417[0x26ea] =  *(_t419 - 0x30);
							E004070B4( *(_t419 + 8));
							return _t414;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L159;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L157:
									_t367 =  *_t417;
									if(_t367 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t367 * 4 +  &M00407074))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L159;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L157;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L157;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L157;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L159;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L159;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L157;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L157;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L159;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											_push(__esi);
											__al = __al | 0x0000008b;
											asm("enter 0xce2b, 0x81");
											goto 0x4089dd;
										case 6:
											L133:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L149:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L134:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L140:
												__esi[0x26ea] = __edi;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L160;
												} else {
													goto L149;
												}
											}
											L135:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L140;
											}
											L136:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L149;
											} else {
												goto L140;
											}
										case 7:
											L150:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t351 = __ebp - 0x38;
												 *_t351 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t351;
											}
											goto L152;
										case 8:
											L4:
											while(_t396 < 3) {
												if( *(_t419 - 0x34) == 0) {
													goto L159;
												} else {
													 *(_t419 - 0x34) =  *(_t419 - 0x34) - 1;
													 *(_t419 - 0x40) =  *(_t419 - 0x40) | ( *( *(_t419 - 0x38)) & 0x000000ff) << _t396;
													 *(_t419 - 0x38) =  &(( *(_t419 - 0x38))[1]);
													_t396 = _t396 + 8;
													continue;
												}
											}
											_t396 = _t396 - 3;
											 *(_t419 - 0x40) =  *(_t419 - 0x40) >> 3;
											_t377 =  *(_t419 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t379 = _t377 >> 1;
											_t417[0x145] = ( ~(_t377 & 0x00000001) & 0x00000007) + 8;
											if(_t379 == 0) {
												L24:
												 *_t417 = 9;
												_t407 = _t396 & 0x00000007;
												 *(_t419 - 0x40) =  *(_t419 - 0x40) >> _t407;
												_t396 = _t396 - _t407;
												goto L157;
											}
											L6:
											_t382 = _t379 - 1;
											if(_t382 == 0) {
												L13:
												__eflags =  *0x42e3a8;
												if( *0x42e3a8 != 0) {
													L22:
													_t383 =  *0x40a42c; // 0x9
													_t417[4] = _t383;
													_t384 =  *0x40a430; // 0x5
													_t417[4] = _t384;
													_t385 =  *0x42d224; // 0x42db28
													_t417[5] = _t385;
													_t386 =  *0x42d220; // 0x42e328
													_t417[6] = _t386;
													L23:
													 *_t417 =  *_t417 & 0x00000000;
													goto L157;
												} else {
													_t26 = _t419 - 8;
													 *_t26 =  *(_t419 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t387 = 0x42d228;
													do {
														L15:
														__eflags = _t387 - 0x42d464;
														_t409 = 8;
														if(_t387 > 0x42d464) {
															__eflags = _t387 - 0x42d628;
															if(_t387 >= 0x42d628) {
																__eflags = _t387 - 0x42d688;
																if(_t387 < 0x42d688) {
																	_t409 = 7;
																}
															} else {
																_t409 = 9;
															}
														}
														L20:
														 *_t387 = _t409;
														_t387 = _t387 + 4;
														__eflags = _t387 - 0x42d6a8;
													} while (_t387 < 0x42d6a8);
													E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t419 - 8);
													_push(0x1e);
													_pop(_t411);
													_push(5);
													_pop(_t390);
													memset(0x42d228, _t390, _t411 << 2);
													_t421 = _t421 + 0xc;
													_t413 = 0x42d228 + _t411;
													E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, "(�B", 0x40a430, 0x42db28, _t419 - 8);
													 *0x42e3a8 =  *0x42e3a8 + 1;
													__eflags =  *0x42e3a8;
													goto L22;
												}
											}
											L7:
											_t394 = _t382 - 1;
											if(_t394 == 0) {
												 *_t417 = 0xb;
												goto L157;
											}
											L8:
											if(_t394 != 1) {
												goto L157;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L159;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L159;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L157;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L160;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L159;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L159;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L152:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L160:
												__edi = 0;
												goto L10;
											} else {
												L156:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L161:
													0 = 1;
													goto L10;
												}
												goto L157;
											}
									}
								}
								L158:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L159:
				_t414 = 0;
				_t417[0x147] =  *(_t419 - 0x40);
				_t417[0x146] = _t396;
				( *(_t419 + 8))[1] = 0;
				goto L11;
			}

0x00406945
0x00406945
0x00406945
0x00406945
0x00406945
0x00406949
0x00000000
0x00000000
0x0040694f
0x0040694f
0x00406952
0x00406955
0x0040695a
0x0040695c
0x0040695f
0x00406962
0x00406965
0x00406965
0x00406968
0x00000000
0x00000000
0x0040696a
0x0040696a
0x0040696d
0x00406972
0x00406974
0x00406977
0x0040697d
0x004066dc
0x004066dc
0x004066df
0x004066e5
0x004066eb
0x004066f4
0x004066fa
0x004066fd
0x00406704
0x00406709
0x0040670f
0x0040671a
0x0040671a
0x00406983
0x00406983
0x0040698d
0x00000000
0x00000000
0x00406993
0x00406993
0x00406997
0x0040699a
0x0040699a
0x0040699e
0x004069a4
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x004069b2
0x004069d4
0x004069d4
0x004069d7
0x00000000
0x00000000
0x004069b4
0x004069b8
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c1
0x004069c4
0x004069c9
0x004069cb
0x004069ce
0x004069d1
0x004069d1
0x004069d9
0x004069d9
0x004069df
0x004069e2
0x004069e5
0x004069e5
0x004069ec
0x004069f0
0x004069f4
0x004069f7
0x004069fa
0x00406a00
0x00406a05
0x00000000
0x00000000
0x00406a07
0x00406a1b
0x00406a1b
0x00406a1f
0x00000000
0x00000000
0x00406a09
0x00406a0c
0x00406a0c
0x00406a13
0x00406a18
0x00406a18
0x00406a18
0x00406a21
0x00406a21
0x00406a24
0x00406a32
0x00406a38
0x00406a3d
0x00406a43
0x00406a49
0x00406a4f
0x00406a56
0x00406a6a
0x00406a6a
0x00407039
0x00407039
0x00407039
0x0040703e
0x00000000
0x00000000
0x00406676
0x00406676
0x00000000
0x00406c71
0x00406c71
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00000000
0x00000000
0x00406c84
0x00406c84
0x00406ca9
0x00406ca9
0x00406ca9
0x00406cab
0x00000000
0x00000000
0x00406c89
0x00406c89
0x00406c8d
0x00000000
0x00000000
0x00406c93
0x00406c93
0x00406c96
0x00406c99
0x00406c9c
0x00406c9e
0x00406ca0
0x00406ca3
0x00406ca6
0x00406ca6
0x00406ca6
0x00406cad
0x00406cad
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc2
0x00406cc5
0x00406cc7
0x00406cca
0x00406ccc
0x00406ce0
0x00406ce0
0x00406ce3
0x00406cfd
0x00406cfd
0x00406d00
0x00000000
0x00000000
0x00406d06
0x00406d06
0x00406d09
0x00000000
0x00000000
0x00406d0f
0x00406d0f
0x00000000
0x00406d0f
0x00406ce5
0x00406ce8
0x00406cef
0x00406cf2
0x00000000
0x00406cf2
0x00406cce
0x00406cd2
0x00406cd5
0x00000000
0x00000000
0x00406d1a
0x00406d1a
0x00406d3f
0x00406d3f
0x00406d3f
0x00406d41
0x00000000
0x00000000
0x00406d1f
0x00406d1f
0x00406d23
0x00000000
0x00000000
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d34
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d43
0x00406d4b
0x00406d4e
0x00406d51
0x00406d53
0x00406d56
0x00406d56
0x00406d58
0x00406d5c
0x00406d5f
0x00406d62
0x00406d65
0x00000000
0x00000000
0x00406d6b
0x00406d6b
0x00406d90
0x00406d90
0x00406d90
0x00406d92
0x00000000
0x00000000
0x00406d70
0x00406d70
0x00406d74
0x00000000
0x00000000
0x00406d7a
0x00406d7a
0x00406d7d
0x00406d80
0x00406d83
0x00406d85
0x00406d87
0x00406d8a
0x00406d8d
0x00406d8d
0x00406d8d
0x00406d94
0x00406d94
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da9
0x00406dac
0x00406dae
0x00406db1
0x00406db4
0x00406dce
0x00406dce
0x00406dd1
0x00000000
0x00000000
0x00406dd7
0x00406dd7
0x00406dda
0x00406de1
0x00000000
0x00406de1
0x00406db6
0x00406db9
0x00406dc0
0x00406dc3
0x00000000
0x00000000
0x00406de9
0x00406de9
0x00406e0e
0x00406e0e
0x00406e0e
0x00406e10
0x00000000
0x00000000
0x00406dee
0x00406dee
0x00406df2
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfb
0x00406dfe
0x00406e01
0x00406e03
0x00406e05
0x00406e08
0x00406e0b
0x00406e0b
0x00406e0b
0x00406e12
0x00406e1a
0x00406e1d
0x00406e20
0x00406e22
0x00406e25
0x00406e27
0x00000000
0x00000000
0x00406e2d
0x00406e2d
0x00406e30
0x00406e31
0x00406e32
0x00406e34
0x00406e38
0x00000000
0x00406f33
0x00406f33
0x00406f36
0x00406f39
0x00406f3b
0x00406fd2
0x00406fd2
0x00406fd5
0x00406fd7
0x00406fd8
0x00406fd9
0x00406fdc
0x00000000
0x00406fdc
0x00406f41
0x00406f41
0x00406f47
0x00406f49
0x00406f6e
0x00406f71
0x00406f77
0x00406f7c
0x00406f82
0x00406f88
0x00406f8a
0x00406f8d
0x00406f96
0x00406f9c
0x00406f9c
0x00406f8f
0x00406f91
0x00406f93
0x00406f93
0x00406f9e
0x00406fa4
0x00406fa6
0x00406fa9
0x00406fab
0x00406fb1
0x00406fb3
0x00406fb5
0x00406fb7
0x00406fb9
0x00406fbc
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fbe
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fbc
0x00406fb3
0x00406fca
0x00406fcc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcc
0x00406f4b
0x00406f4b
0x00406f51
0x00406f57
0x00406f59
0x00000000
0x00000000
0x00406f5b
0x00406f5b
0x00406f5d
0x00406f5f
0x00406f66
0x00406f66
0x00406f68
0x00406f61
0x00406f61
0x00406f63
0x00406f63
0x00406f6a
0x00406f6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe4
0x00406fe4
0x00406fe7
0x00406fe9
0x00406fec
0x00406fef
0x00406fef
0x00406fef
0x00406fef
0x00000000
0x00000000
0x00000000
0x0040669d
0x00406681
0x00000000
0x00406687
0x0040668a
0x00406694
0x00406697
0x0040669a
0x00000000
0x0040669a
0x00406681
0x004066a5
0x004066a8
0x004066ac
0x004066b6
0x004066c0
0x004066c3
0x004066c9
0x004067fd
0x004067ff
0x00406805
0x00406808
0x0040680b
0x00000000
0x0040680b
0x004066cf
0x004066cf
0x004066d0
0x00406728
0x00406728
0x0040672f
0x004067d5
0x004067d5
0x004067da
0x004067dd
0x004067e2
0x004067e5
0x004067ea
0x004067ed
0x004067f2
0x004067f5
0x004067f5
0x00000000
0x00406735
0x00406735
0x00406735
0x00406735
0x00406739
0x0040673e
0x0040673e
0x0040673e
0x00406743
0x00406745
0x00406747
0x0040674c
0x00406752
0x00406757
0x00406759
0x00406759
0x0040674e
0x0040674e
0x0040674e
0x0040674c
0x0040675b
0x0040675e
0x00406760
0x00406763
0x00406763
0x00406797
0x0040679c
0x0040679e
0x0040679f
0x004067a1
0x004067a2
0x004067a2
0x004067a2
0x004067ca
0x004067cf
0x004067cf
0x00000000
0x004067cf
0x0040672f
0x004066d2
0x004066d2
0x004066d3
0x0040671d
0x00000000
0x0040671d
0x004066d5
0x004066d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00406832
0x00406832
0x00406832
0x00406835
0x00000000
0x00000000
0x00406812
0x00406812
0x00406816
0x00000000
0x00000000
0x0040681c
0x0040681c
0x0040681f
0x00406822
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x0040682f
0x00406837
0x00406837
0x0040683a
0x0040683c
0x00406841
0x00406844
0x00406846
0x00406849
0x00000000
0x00000000
0x0040684f
0x0040684f
0x00406851
0x00000000
0x00000000
0x00406857
0x00406857
0x0040685b
0x00000000
0x00000000
0x00406861
0x00406861
0x00406864
0x00406866
0x00406904
0x00406904
0x00406907
0x00406909
0x00406909
0x0040690c
0x0040690f
0x00406911
0x00406913
0x00406915
0x00406915
0x0040691e
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692f
0x0040692f
0x0040692f
0x00406932
0x00406938
0x00406938
0x0040693e
0x0040693e
0x0040693e
0x00000000
0x00406932
0x0040686c
0x0040686c
0x00406872
0x00406875
0x00406877
0x004068a2
0x004068a5
0x004068ab
0x004068b0
0x004068b6
0x004068bc
0x004068be
0x004068c1
0x004068ca
0x004068d0
0x004068d0
0x004068c3
0x004068c5
0x004068c7
0x004068c7
0x004068d2
0x004068d8
0x004068db
0x004068dd
0x004068df
0x004068e5
0x004068e7
0x004068e9
0x004068ec
0x004068f5
0x004068f5
0x004068f7
0x004068ee
0x004068ee
0x004068f1
0x004068f1
0x004068f9
0x004068f9
0x004068e7
0x004068fc
0x004068fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004068fe
0x00406879
0x00406879
0x0040687f
0x00406885
0x00406887
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688b
0x0040688d
0x00406890
0x00406897
0x00406897
0x00406899
0x00406892
0x00406892
0x00406894
0x00406894
0x0040689b
0x0040689d
0x004068a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b87
0x00406b87
0x00406b87
0x00406b8a
0x00406b8d
0x00406b8f
0x00406b92
0x00406b98
0x00406b9f
0x00406ba1
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a9d
0x00406a9d
0x00406a9d
0x00406a9f
0x00000000
0x00000000
0x00406a7d
0x00406a7d
0x00406a81
0x00000000
0x00000000
0x00406a87
0x00406a87
0x00406a8a
0x00406a8d
0x00406a90
0x00406a92
0x00406a94
0x00406a97
0x00406a9a
0x00406a9a
0x00406a9a
0x00406aa1
0x00406aa1
0x00406aa9
0x00406aac
0x00406ab2
0x00406ab5
0x00406ab9
0x00406abd
0x00406ac0
0x00406ac3
0x00406adb
0x00406adb
0x00406ade
0x00406aec
0x00406aef
0x00406ae0
0x00406ae0
0x00406ae2
0x00406ae9
0x00406ae9
0x00406b18
0x00406b18
0x00406b18
0x00406b1b
0x00406b1d
0x00000000
0x00000000
0x00406af8
0x00406af8
0x00406afc
0x00000000
0x00000000
0x00406b02
0x00406b02
0x00406b05
0x00406b08
0x00406b0b
0x00406b0d
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b15
0x00406b1f
0x00406b1f
0x00406b21
0x00406b23
0x00406b2e
0x00406b31
0x00406b34
0x00406b36
0x00406b38
0x00406b3a
0x00406b3d
0x00406b40
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b55
0x00406b58
0x00406b5a
0x00000000
0x00000000
0x00406b60
0x00406b60
0x00406b64
0x00406b75
0x00406b75
0x00406b75
0x00406b77
0x00406b77
0x00406b7b
0x00406b7b
0x00406b7b
0x00406b7d
0x00406b7e
0x00406b81
0x00406b81
0x00406b81
0x00406b84
0x00000000
0x00406b84
0x00406b66
0x00406b66
0x00406b69
0x00000000
0x00000000
0x00406b6f
0x00406b6f
0x00000000
0x00406b6f
0x00406ac5
0x00406ac5
0x00406ac7
0x00406ac9
0x00406acc
0x00406acf
0x00406ad3
0x00406ad3
0x00406ba7
0x00406ba7
0x00406baa
0x00406bb1
0x00406bb5
0x00406bb7
0x00406bba
0x00406bbd
0x00406bc2
0x00406bc5
0x00406bc7
0x00406bc8
0x00406bcb
0x00406bd6
0x00406bd9
0x00406bf0
0x00406bf5
0x00406bfc
0x00406c01
0x00406c05
0x00406c07
0x00406c07
0x00406c07
0x00406c0a
0x00406c0c
0x00000000
0x00406c12
0x00406c12
0x00406c16
0x00406c21
0x00406c34
0x00406c39
0x00406c3e
0x00406c40
0x00000000
0x00000000
0x00406c46
0x00406c46
0x00406c49
0x00406c4b
0x00406c59
0x00406c59
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c4d
0x00406c4d
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406ff2
0x00406ff2
0x00406ff8
0x00406ffe
0x00407003
0x00407009
0x0040700f
0x00407011
0x00407014
0x0040701d
0x00407023
0x00407023
0x00407016
0x00407018
0x0040701a
0x0040701a
0x00407025
0x00407027
0x0040702a
0x00407065
0x00407065
0x00000000
0x0040702c
0x0040702c
0x0040702c
0x00407032
0x00407035
0x00407037
0x0040706c
0x0040706e
0x00000000
0x0040706e
0x00000000
0x00407037
0x00000000
0x00406676
0x00407044
0x00000000
0x00407044
0x00406a58
0x00406a5a
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a5f
0x00000000
0x00406a5f
0x004069a4
0x00406965
0x00407049
0x0040704c
0x0040704e
0x00407057
0x0040705d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6a8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6a8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407127
0x0040712f
0x00407133
0x00407135
0x00407138
0x0040713a
0x0040713a
0x0040713c
0x00407143
0x00407145
0x00407145
0x0040714b
0x00407160
0x00407168
0x0040716a
0x0040716c
0x0040716f
0x00407170
0x00407170
0x00407176
0x00000000
0x00000000
0x00407178
0x0040717b
0x00000000
0x00000000
0x00000000
0x0040717b
0x0040717f
0x00407182
0x00407184
0x00407184
0x00407187
0x0040718d
0x0040718e
0x00000000
0x00000000
0x00000000
0x0040718e
0x00407193
0x00407196
0x00407198
0x00407198
0x0040719e
0x004071a0
0x004071b1
0x004071a4
0x004071a8
0x0040744d
0x00000000
0x0040744d
0x004071ae
0x004071af
0x004071af
0x004071b7
0x004071ba
0x004071be
0x004071c0
0x004071c2
0x004071c5
0x00000000
0x00000000
0x004071cd
0x004071d3
0x004071d5
0x004071d7
0x004071d8
0x004071ed
0x004071ed
0x004071f0
0x004071f2
0x004071f2
0x004071f4
0x004071f9
0x004071fb
0x00407202
0x00407204
0x0040720c
0x0040720c
0x0040720e
0x0040720f
0x0040721e
0x00407222
0x00407226
0x00407229
0x0040722c
0x00407231
0x00407234
0x0040723a
0x00407241
0x00407247
0x00407440
0x00407440
0x00407445
0x00407454
0x00000000
0x00000000
0x00000000
0x00407445
0x00407254
0x00407257
0x0040725a
0x0040725d
0x00407261
0x00000000
0x00000000
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00407281
0x00407282
0x00407285
0x00407288
0x0040728b
0x00407291
0x00407293
0x00407293
0x0040729b
0x0040729f
0x004072a4
0x004072c9
0x004072cf
0x004072d1
0x004072d3
0x004072d6
0x004072df
0x00000000
0x00000000
0x004072a6
0x004072a6
0x004072af
0x004072b3
0x00000000
0x00000000
0x004072c4
0x004072c4
0x004072c7
0x00000000
0x00000000
0x004072b7
0x004072ba
0x004072bc
0x004072c0
0x00000000
0x00000000
0x004072c2
0x004072c2
0x00000000
0x004072c4
0x004072e8
0x004072ee
0x004072f8
0x004072fa
0x004072ff
0x00407301
0x00407337
0x00407303
0x00407303
0x00407306
0x00407309
0x00407313
0x00407316
0x0040731d
0x00407328
0x0040732f
0x0040732f
0x00407339
0x0040733c
0x0040733e
0x00407344
0x00407344
0x0040734d
0x00407350
0x00407355
0x00407364
0x0040736c
0x00407371
0x00407395
0x0040739d
0x004073a1
0x004073a7
0x00407373
0x00407381
0x00407384
0x0040738a
0x0040738a
0x004073ab
0x00407366
0x00407366
0x00407366
0x004073bc
0x004073c0
0x004073cc
0x004073c7
0x004073ca
0x004073ca
0x004073d4
0x004073d9
0x004073e1
0x004073dd
0x004073df
0x004073df
0x004073e7
0x004073e9
0x004073f0
0x004073fa
0x00407404
0x00407420
0x00407424
0x00407269
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00000000
0x0040727b
0x00000000
0x00000000
0x00000000
0x00000000
0x00407406
0x00407406
0x00407406
0x0040740b
0x00407414
0x0040741d
0x00000000
0x0040741d
0x0040742a
0x0040742a
0x0040742d
0x00407434
0x00407437
0x00000000
0x0040725a
0x004071da
0x004071dc
0x004071dc
0x004071e0
0x004071e3
0x004071e4
0x004071e4
0x00000000
0x004071dc
0x00407150
0x00407156
0x00000000

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404B80, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				void* _t205;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t287;
				long _t290;
				void* _t291;
				signed int _t300;
				signed int _t308;
				void* _t309;
				void* _t310;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f468;
				_v28 =  *0x42f434 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f43d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404ACE(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a874; // 0x0
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a888; // 0x0
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a874 = 0;
								 *0x42a888 = 0;
								 *0x42f4a0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404B4E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_t205 =  *0x42a888; // 0x0
									_v36 = _t205;
									_t206 =  *0x42f468;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f46c <= 0) {
										L86:
										if( *0x42f42c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ebfc; // 0x68bf12
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f46c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a888);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4a0 = _a4;
					_v20 = 2;
					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
					 *0x42a87c =  *0x42a87c | 0xffffffff;
					_v16 = _t264;
					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a874 = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E0040417B(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E0040417B(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f46c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										_t287 = SendMessageA(_v8, 0x1100, 0,  &_v88);
										_t309 =  *0x42a888; // 0x0
										 *(_t309 + _t329 * 4) = _t287;
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_t310 =  *0x42a888; // 0x0
									_v36 = 1;
									 *(_t310 + _t329 * 4) = _t290;
									_t291 =  *0x42a888; // 0x0
									_v16 =  *(_t291 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f46c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004041B0(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004041B0(_v12);
								L93:
								return E004041E2(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b9e
0x00404ba6
0x00404bae
0x00404bb4
0x00404bcc
0x00404bcf
0x00404bd0
0x00404dfd
0x00404e04
0x00404e18
0x00404e06
0x00404e08
0x00404e0b
0x00404e0c
0x00404e13
0x00404e13
0x00404e24
0x00404e32
0x00404e35
0x00404e4b
0x00404ec0
0x00404ec3
0x00404ec5
0x00404ecf
0x00404edd
0x00404edd
0x00404edf
0x00404ee9
0x00404eef
0x00404ef2
0x00404ef5
0x00404f10
0x00404ef7
0x00404f01
0x00404f01
0x00404ef5
0x00404ee9
0x00000000
0x00404ec3
0x00404e50
0x00404e5b
0x00404e60
0x00404e67
0x00404e6c
0x00404e70
0x00404e7b
0x00404e7b
0x00404e7f
0x00404e83
0x00404e87
0x00404e9a
0x00404e89
0x00404e89
0x00404e90
0x00404e96
0x00404e92
0x00404e92
0x00404e92
0x00404e90
0x00404e9e
0x00404ea0
0x00404eb3
0x00404eb6
0x00404eb9
0x00404eb9
0x00404e83
0x00000000
0x00404e70
0x00404e52
0x00404e59
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404f13
0x00404f13
0x00404f1a
0x00404f8b
0x00404f93
0x00404f9b
0x00404f9b
0x00404fa4
0x00404fa6
0x00404fad
0x00404fb0
0x00404fb0
0x00404fb6
0x00404fbd
0x00404fc0
0x00404fc0
0x00404fc6
0x00404fcc
0x00404fd2
0x00404fd2
0x00404fdf
0x0040513f
0x00405146
0x00405163
0x00405169
0x0040517b
0x0040517b
0x00000000
0x00404fe5
0x00404fe7
0x00404fec
0x00404ff1
0x00404ff6
0x00404ff8
0x00404ff8
0x00404ff9
0x00404ffa
0x00404ffc
0x00404ffc
0x00405004
0x00405045
0x00405047
0x0040504c
0x00405057
0x0040505a
0x0040505f
0x00405066
0x00405069
0x0040510b
0x00405113
0x0040511b
0x0040511b
0x00405121
0x00405129
0x0040513a
0x0040513a
0x00000000
0x00405129
0x0040506f
0x00405072
0x00405078
0x0040507d
0x0040507f
0x00405081
0x00405087
0x0040508e
0x00405093
0x0040509a
0x0040509d
0x0040509d
0x004050a4
0x004050b0
0x004050b4
0x004050b6
0x004050b6
0x004050a6
0x004050a8
0x004050a8
0x004050d6
0x004050e2
0x004050f1
0x004050f1
0x004050f3
0x004050f6
0x004050ff
0x00000000
0x00405006
0x00405011
0x00405014
0x00405019
0x0040501b
0x0040501f
0x0040502f
0x00405039
0x0040503b
0x0040503e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405021
0x00405021
0x00405027
0x00405029
0x00405029
0x0040502a
0x0040502b
0x00000000
0x00405021
0x00405004
0x00404fdf
0x00404f22
0x00000000
0x00404f38
0x00404f42
0x00404f47
0x00000000
0x00000000
0x00404f59
0x00404f5e
0x00404f6a
0x00404f6a
0x00404f6c
0x00404f7b
0x00404f7d
0x00404f81
0x00404f84
0x00000000
0x00404f84
0x00404f22
0x00404bd6
0x00404bd9
0x00404bdc
0x00404bec
0x00404bff
0x00404c0a
0x00404c10
0x00404c1e
0x00404c31
0x00404c36
0x00404c41
0x00404c4a
0x00404c60
0x00404c70
0x00404c7c
0x00404c7c
0x00404c81
0x00404c87
0x00404c89
0x00404c8c
0x00404c91
0x00404c96
0x00404c98
0x00404c98
0x00404cb8
0x00404cb8
0x00404cba
0x00404cbb
0x00404cc0
0x00404cc6
0x00404cca
0x00404ccf
0x00404cd7
0x00404cdb
0x00404ce0
0x00404ce5
0x00404ced
0x00404cf0
0x00404dbf
0x00404dd2
0x00000000
0x00404cf6
0x00404cf9
0x00404cfc
0x00404cff
0x00404cff
0x00404d04
0x00404d0d
0x00404d10
0x00404d14
0x00404d17
0x00404d1a
0x00404d23
0x00404d2c
0x00404d2f
0x00404d32
0x00404d35
0x00404d73
0x00404d96
0x00404d98
0x00404d9e
0x00404d75
0x00404d84
0x00404d84
0x00404d37
0x00404d3a
0x00404d48
0x00404d52
0x00404d54
0x00404d5a
0x00404d61
0x00404d64
0x00404d6c
0x00404d6c
0x00404d35
0x00404da4
0x00404da5
0x00404db1
0x00404db1
0x00404dbd
0x00404dd8
0x00404ddb
0x00404df8
0x00000000
0x00404ddd
0x00404de2
0x00404deb
0x0040517d
0x0040518f
0x0040518f
0x00404ddb
0x00000000
0x00404dbd
0x00404cf0

APIs

GetDlgItem.USER32 ref: 00404B97
GetDlgItem.USER32 ref: 00404BA4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
LoadImageA.USER32 ref: 00404C0A
SetWindowLongA.USER32 ref: 00404C24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
DeleteObject.GDI32(00000110), ref: 00404C81
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82

Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
GetWindowLongA.USER32 ref: 00404DC4
SetWindowLongA.USER32 ref: 00404DD2
ShowWindow.USER32(?,00000005), ref: 00404DE2
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
ImageList_Destroy.COMCTL32(00000000), ref: 00404FB0
GlobalFree.KERNEL32 ref: 00404FC0
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
ShowWindow.USER32(?,00000000), ref: 00405169
GetDlgItem.USER32 ref: 00405174
ShowWindow.USER32(00000000), ref: 0040517B

Strings

, xrefs: 00405153
M, xrefs: 00404D3A
N, xrefs: 00404E1B

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
Opcode Fuzzy Hash: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x42985c =  *0x42985c + 1;
								__eflags =  *0x42985c;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041E2(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x42e3c0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E0040458A(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f428, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f428, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x42985c; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x42a068; // 0x68b54c
					_t25 = _t103 + 0x14; // 0x68b560
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404566();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x42ebfc; // 0x68bf12
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x42f478;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E004042B1;
					E0040417B(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E0040417B(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E004041B0(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x42f434 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x42985c = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x42985c = 0;
					return 0;
				}
			}

0x004042f6
0x00404408
0x0040441b
0x00404477
0x00404477
0x0040447b
0x00404541
0x00404548
0x0040454a
0x0040454a
0x0040454a
0x00404550
0x00404550
0x00404553
0x00000000
0x0040455a
0x00404489
0x0040448b
0x0040448e
0x00404495
0x00404497
0x0040449e
0x004044a0
0x004044a3
0x004044a6
0x004044ab
0x004044b1
0x004044b4
0x004044bb
0x004044c9
0x004044e1
0x004044e3
0x004044eb
0x004044fa
0x004044fc
0x004044fc
0x004044bb
0x0040449e
0x004044ff
0x00404506
0x00000000
0x00404508
0x00404508
0x0040450f
0x00000000
0x00000000
0x00404511
0x00404515
0x00404526
0x00404526
0x00404528
0x0040452c
0x0040453a
0x0040453a
0x00000000
0x0040453e
0x00404506
0x00404423
0x00404426
0x00000000
0x00000000
0x0040442e
0x00404434
0x00000000
0x00000000
0x0040443a
0x00404440
0x00404440
0x00404443
0x00404446
0x00000000
0x00000000
0x00404469
0x00404469
0x0040446b
0x0040446d
0x00404472
0x00000000
0x004042fc
0x004042fc
0x004042ff
0x00404304
0x00404306
0x00404315
0x00404315
0x0040431c
0x0040431f
0x00404321
0x00404326
0x0040432f
0x00404335
0x00404341
0x00404344
0x0040434d
0x00404352
0x00404355
0x0040435a
0x00404371
0x00404378
0x0040438b
0x0040438e
0x004043a3
0x004043aa
0x004043af
0x004043b4
0x004043b4
0x004043c3
0x004043d2
0x004043e4
0x004043e9
0x004043f9
0x004043fb
0x00000000
0x00404401

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
GetDlgItem.USER32 ref: 00404385
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
GetSysColor.USER32(?), ref: 004043B4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
lstrlenA.KERNEL32(?), ref: 004043D5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
GetDlgItem.USER32 ref: 0040445B
SendMessageA.USER32(00000000), ref: 0040445E
GetDlgItem.USER32 ref: 00404489
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
LoadCursorA.USER32 ref: 004044D8
SetCursor.USER32(00000000), ref: 004044E1
LoadCursorA.USER32 ref: 004044F7
SetCursor.USER32(00000000), ref: 004044FA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A

Strings

: Completed, xrefs: 004044B4
N, xrefs: 00404477

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f434;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Name Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Name Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Name Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Name Setup
API String ID: 941294808-4002928617
Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D66, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D66(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c620 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
						_t53 = _t52 + 0x10;
						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405C4B(_t24 + _t46, 0x42c220, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405D37(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C90(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d66
0x00405d6f
0x00405d76
0x00405d8a
0x00405db2
0x00405dbd
0x00405dc1
0x00405de1
0x00405de8
0x00405df2
0x00405dff
0x00405e04
0x00405e09
0x00405e0d
0x00405e1c
0x00405e1e
0x00405e2b
0x00405e2f
0x00405eca
0x00000000
0x00405e45
0x00405e52
0x00405e76
0x00405e7a
0x00405e99
0x00405e9d
0x00405e9d
0x00405e9f
0x00405ea8
0x00405eb3
0x00405ebe
0x00405ec4
0x00000000
0x00405ec4
0x00405e7c
0x00405e7f
0x00405e8a
0x00405e86
0x00405e88
0x00405e89
0x00405e89
0x00405e91
0x00405e93
0x00000000
0x00405e93
0x00405e5d
0x00405e63
0x00000000
0x00405e63
0x00405e2f
0x00405e0d
0x00405d8c
0x00405d97
0x00405da0
0x00405da4
0x00000000
0x00000000
0x00405da4
0x00405ed5

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
GetShortPathNameA.KERNEL32 ref: 00405DA0

Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

GetShortPathNameA.KERNEL32 ref: 00405DBD
wsprintfA.USER32 ref: 00405DDB
GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
GlobalFree.KERNEL32 ref: 00405EC4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dY5HmgsBm6.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Strings

%s=%s, xrefs: 00405DD1
[Rename], xrefs: 00405E45, 00405E57

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
Opcode Fuzzy Hash: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD

Uniqueness

Uniqueness Score: -1.00%

Function 004063D2, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063D2(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004063d4
0x004063dc
0x004063f0
0x004063f0
0x004063f6
0x00406403
0x00406403
0x00406404
0x00406406
0x0040640a
0x0040640c
0x00406415
0x00406417
0x00406431
0x00406439
0x00406439
0x0040643e
0x00406440
0x00406442
0x00406446
0x00406447
0x0040644a
0x00406452
0x00406454
0x00406458
0x00000000
0x00000000
0x0040645e
0x00406463
0x00000000
0x00000000
0x00000000
0x00406463
0x00406468

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
CharNextA.USER32(?,"C:\Users\user\Desktop\dY5HmgsBm6.exe" ,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
CharPrevA.USER32(?,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
"C:\Users\user\Desktop\dY5HmgsBm6.exe" , xrefs: 0040640E
*?|<>/":, xrefs: 0040641A

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\dY5HmgsBm6.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-303537465
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD

Uniqueness

Uniqueness Score: -1.00%

Function 004041E2, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004041f4
0x004042aa
0x00000000
0x004042aa
0x00404205
0x00404209
0x00000000
0x00404223
0x00404223
0x0040422c
0x00000000
0x00000000
0x0040422e
0x0040423a
0x0040423d
0x0040423d
0x00404243
0x00404249
0x00404249
0x00404255
0x0040425b
0x00404262
0x00404265
0x00404268
0x0040426a
0x0040426a
0x00404272
0x00404278
0x00404278
0x00404282
0x00404287
0x0040428a
0x0040428f
0x00404292
0x00404292
0x004042a2
0x004042a2
0x00000000
0x004042a5

APIs

GetWindowLongA.USER32 ref: 004041FF
GetSysColor.USER32(00000000), ref: 0040423D
SetTextColor.GDI32(?,00000000), ref: 00404249
SetBkMode.GDI32(?,?), ref: 00404255
GetSysColor.USER32(?), ref: 00404268
SetBkColor.GDI32(?,?), ref: 00404278
DeleteObject.GDI32(?), ref: 00404292
CreateBrushIndirect.GDI32(?), ref: 0040429C

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404ACE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404adc
0x00404ae9
0x00404aef
0x00404b2d
0x00404b2d
0x00404b3c
0x00404b43
0x00000000
0x00404b45
0x00404af1
0x00404b00
0x00404b08
0x00404b0b
0x00404b1d
0x00404b23
0x00404b2a
0x00000000
0x00404b2a
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
GetMessagePos.USER32 ref: 00404AF1
ScreenToClient.USER32 ref: 00404B0B
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43

Strings

f, xrefs: 00404B1F

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41d440; // 0x27469f
					_t11 =  *0x42944c; // 0x2746a3
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df1
0x00402df8
0x00402dfa
0x00402dfa
0x00402e10
0x00402e20
0x00402e32
0x00402e32
0x00402e3a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(0027469F,00000064,002746A3), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32 ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004056E4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056E4(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004056ef
0x004056f3
0x004056f6
0x004056fc
0x00405700
0x00405704
0x0040570c
0x00405713
0x00405719
0x00405720
0x0040572f
0x00405731
0x00000000
0x00405731
0x0040573b
0x00405742
0x00405758
0x00000000
0x00000000
0x00000000
0x0040575a
0x0040575e

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
GetLastError.KERNEL32 ref: 0040573B
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
GetLastError.KERNEL32 ref: 0040575A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
C:\Users\user\Desktop, xrefs: 004056E4

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1229045261
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004027DF(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405AFC(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405C6B(_t50);
				_t26 = E00405C90(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f438;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403300(_t45);
						E004032EA(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E004030D8();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x0040285a
0x0040285d
0x0040285e
0x0040285f
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028a7
0x004028a8
0x004028a9
0x004028ac
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004049C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
			}

0x004049ca
0x004049cf
0x004049d7
0x004049d8
0x004049e5
0x004049ed
0x004049ee
0x004049f0
0x004049f2
0x004049f4
0x004049f7
0x004049f7
0x004049fe
0x00404a04
0x00404a04
0x00404a0b
0x00404a12
0x00404a15
0x00404a18
0x00404a18
0x00404a1c
0x00404a2c
0x00404a2e
0x00404a31
0x004049da
0x004049da
0x004049e1
0x004049e1
0x00404a39
0x00404a44
0x00404a5a
0x00404a6a
0x00404a86

APIs

lstrlenA.KERNEL32(Name Setup: Completed,Name Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
wsprintfA.USER32 ref: 00404A6A
SetDlgItemTextA.USER32 ref: 00404A7D

Strings

Name Setup: Completed, xrefs: 00404A54, 00404A59, 00404A5F, 00404A73
%u.%u%s%s, xrefs: 00404A4C

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Name Setup: Completed
API String ID: 3540041739-970259760
Opcode ID: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
Opcode Fuzzy Hash: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406500(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b848 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b84f = 1;
				 *0x40b84c = _t15 & 0x00000001;
				 *0x40b84d = _t15 & 0x00000002;
				 *0x40b84e = _t15 & 0x00000004;
				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b838);
				_push(_t18);
				_push(_t33);
				E00406055();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 34521723c529513f9d2f25f2c915d7e6e1bbb21449fac5a346249fa94324e5da
Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
Opcode Fuzzy Hash: 34521723c529513f9d2f25f2c915d7e6e1bbb21449fac5a346249fa94324e5da
Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A8F(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a90
0x00405aa7
0x00405aaf
0x00405aaf
0x00405ab7

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040209D(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f4f8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E0040521E(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00427A9C,747DEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00427A9C,747DEA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
Opcode Fuzzy Hash: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3D, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E3D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x429448; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42f430;
						if(_t2 >  *0x42f430) {
							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
							 *0x429448 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040653C(0);
					}
				} else {
					_t6 =  *0x429448; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x429448 = 0;
					return _t6;
				}
			}

0x00402e44
0x00402e5e
0x00402e64
0x00402e6e
0x00402e74
0x00402e7a
0x00402e8b
0x00402e94
0x00000000
0x00402e99
0x00402ea0
0x00402e66
0x00402e6d
0x00402e6d
0x00402e46
0x00402e46
0x00402e4d
0x00402e50
0x00402e50
0x00402e56
0x00402e5d
0x00402e5d

APIs

DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B7D(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E004060F7(0x42bc98, _a4);
				_t21 = E00405B28(0x42bc98);
				if(_t21 != 0) {
					E004063D2(_t21);
					if(( *0x42f43c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x42bc98;
						while(1) {
							_t11 = lstrlenA(0x42bc98);
							_push(0x42bc98);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040646B();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405AD6(0x42bc98);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A8F();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b89
0x00405b94
0x00405b98
0x00405b9f
0x00405bab
0x00405bb7
0x00405bb7
0x00405bcf
0x00405bd0
0x00405bd7
0x00405bd8
0x00000000
0x00000000
0x00405bbb
0x00405bc2
0x00405bca
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bc2
0x00405bda
0x00000000
0x00405bee
0x00405bad
0x00405bb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bb1
0x00405b9a
0x00000000

APIs

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,747DFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,747DFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,747DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,747DFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,747DFA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3936084776
Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405192, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t11;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						__eflags = _t15 - 0x419;
						if(_t15 == 0x419) {
							__eflags =  *0x42a87c - _t16; // 0x0
							if(__eflags != 0) {
								_push(_t16);
								_push(6);
								 *0x42a87c = _t16;
								E00404B4E();
							}
						}
						L11:
						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404ACE(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 == 0x20) {
					E004041C7(0x413);
					return 0;
				}
				goto L10;
			}

0x00405196
0x004051a0
0x004051b6
0x004051bc
0x004051de
0x004051e1
0x004051e1
0x004051e7
0x004051e9
0x004051ef
0x004051f1
0x004051f2
0x004051f4
0x004051fa
0x004051fa
0x004051ef
0x00405204
0x00000000
0x00405212
0x004051c1
0x004051c7
0x004051c9
0x00405201
0x00405201
0x00000000
0x00405201
0x004051d5
0x004051d7
0x00000000
0x004051d7
0x004051a6
0x004051ad
0x00000000
0x004051b2
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 004051C1
CallWindowProcA.USER32 ref: 00405212

Part of subcall function 004041C7: SendMessageA.USER32(00030290,00000000,00000000,00000000), ref: 004041D9

Strings

, xrefs: 004051A2

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405FDE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405fec
0x00405fee
0x00406006
0x0040600b
0x00406010
0x0040604d
0x0040604d
0x00406012
0x00406024
0x0040602f
0x00406035
0x0040603f
0x00000000
0x00000000
0x0040603f
0x00406052

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,00406293,80000002), ref: 00406024
RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 0040602F

Strings

: Completed, xrefs: 00405FE1, 00406015

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403875, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403875() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x429854; // 0x0
				_t3 = E0040385A(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x429854 =  *0x429854 & 0x00000000;
				return _t3;
			}

0x00403876
0x0040387e
0x00403885
0x00403888
0x00403888
0x0040388a
0x0040388f
0x00403896
0x0040389c
0x004038a0
0x004038a1
0x004038a9

APIs

FreeLibrary.KERNEL32(?,747DFA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
GlobalFree.KERNEL32 ref: 00403896

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403875

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AD6(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405ad7
0x00405ae1
0x00405ae3
0x00405aea
0x00405af2
0x00000000
0x00000000
0x00000000
0x00405af2
0x00405af4
0x00405af9

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\dY5HmgsBm6.exe,C:\Users\user\Desktop\dY5HmgsBm6.exe,80000000,00000003), ref: 00405ADC
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\dY5HmgsBm6.exe,C:\Users\user\Desktop\dY5HmgsBm6.exe,80000000,00000003), ref: 00405AEA

Strings

C:\Users\user\Desktop, xrefs: 00405AD6

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405BF5, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405c05
0x00405c07
0x00405c0a
0x00405c36
0x00405c0f
0x00405c18
0x00405c1d
0x00405c28
0x00405c2b
0x00405c47
0x00405c2d
0x00405c34
0x00000000
0x00405c34
0x00405c40
0x00405c44
0x00405c44
0x00405c3e
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

Memory Dump Source

Source File: 00000001.00000002.326832867.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326827711.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326840130.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.326848331.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326867979.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326880204.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.326888105.0000000000438000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dY5HmgsBm6.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CachemanControlPanel.exe PID: 6988 Parent PID: 6924 CachemanControlPanel.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00408683, Relevance: 33.6, APIs: 11, Strings: 8, Instructions: 360
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00430024,00430024,00000000), ref: 004087AB
InternetSetOptionW.WININET(00000000,00000002,000003E8,00000004), ref: 004087C7
InternetConnectW.WININET(00000000,00000000,00000000,00430024,00430024,00000003,00000000,00000000), ref: 00408877
HttpOpenRequestW.WININET(00000000,00000000,00000000,00000000,00000000,00430024,00430024,00000000), ref: 004088D4
HttpAddRequestHeadersW.WININET(?,00000000,00000000,?), ref: 00408936

Part of subcall function 004178A0: RtlAllocateHeap.NTDLL(00000008,?,00416A00,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004178B1

Part of subcall function 00417970: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,-00000400,00408997,00000000,?,FFFFFFFF), ref: 004179DE
Part of subcall function 00417970: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,-00000400,00408997,00000000,?,FFFFFFFF), ref: 00417A23

HttpSendRequestW.WININET(00000000,00430024,00000000,00000000,00000000), ref: 004089BB

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

InternetReadFile.WININET(?,00000000,00000400,00000000), ref: 004089FB

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 0040A212: TlsGetValue.KERNEL32(00000000,0040111B,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000,0043383C,00000000,00000000,00000000,0000000C), ref: 0040A219

Part of subcall function 004185B0: HeapReAlloc.KERNEL32(02A80000,00000000,?,?), ref: 0041860C

InternetCloseHandle.WININET(00000000), ref: 00408A97
InternetCloseHandle.WININET(00000000), ref: 00408AA0
InternetCloseHandle.WININET(00000000), ref: 00408AA9
InternetCloseHandle.WININET(?), ref: 00408AB2

Strings

https, xrefs: 00408777
POST, xrefs: 00408813
Content-Type: application/x-www-form-urlencoded, xrefs: 004088F3
P, xrefs: 004087E5
/PT/, xrefs: 0040871D, 00408722
/PC/, xrefs: 00408756, 0040875B
/WS/, xrefs: 004086F4, 004086F9
GET, xrefs: 00408823

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Internet$CloseHandle$HeapHttpRequestValue$AllocateByteCharErrorLastMultiOpenWide$AllocConnectFileHeadersOptionReadSendwcslen
String ID: /PC/$/PT/$/WS/$Content-Type: application/x-www-form-urlencoded$GET$P$POST$https
API String ID: 3987038017-4095740890
Opcode ID: 8f01de06e087831ebc89afc92efd8858ca6f2ca5fac2ab1e332c51745d289c37
Instruction ID: 3c5e54382bbfbad3edbda9348b312964ee9a1374b3812383d6912d1de4640607
Opcode Fuzzy Hash: 8f01de06e087831ebc89afc92efd8858ca6f2ca5fac2ab1e332c51745d289c37
Instruction Fuzzy Hash: BEB13DB5108300BED601BB21DD42E7F7AAAEFC4718F50893FB190A51A2DE3DCD91961E

Uniqueness

Uniqueness Score: -1.00%

Function 00412C47, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 64
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(COMCTL32.DLL,?,?,?,?,?,?,?,?,00412FCB), ref: 00412C5A
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00412C6C
memset.MSVCRT ref: 00412C80
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00412FCB), ref: 00412CA8
LoadLibraryW.KERNEL32(uxtheme.dll,?,?,?,?,?,?,?,?,00412FCB), ref: 00412CB3
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00412CC5
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00412FCB), ref: 00412CE1

Strings

DllGetVersion, xrefs: 00412C66
IsAppThemed, xrefs: 00412CBF
uxtheme.dll, xrefs: 00412CAE
COMCTL32.DLL, xrefs: 00412C54

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Library$AddressFreeLoadProc$memset
String ID: COMCTL32.DLL$DllGetVersion$IsAppThemed$uxtheme.dll
API String ID: 4277437538-2634860346
Opcode ID: 6b6119feab4a63d868dfc7fdf57736a4da224e63bb35b5b60268a68276a81a9f
Instruction ID: 7519cd42efedb32353cb58b9a573c1bb66bbe77f84aa657e02aa22e0815e2163
Opcode Fuzzy Hash: 6b6119feab4a63d868dfc7fdf57736a4da224e63bb35b5b60268a68276a81a9f
Instruction Fuzzy Hash: B411C6317003166BD7106BF69E496EFBFACEB40741B501133FA05E2141EBB8C8548AE8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 69.2, APIs: 9, Strings: 30, Instructions: 941
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 00418520: HeapCreate.KERNEL32(00000000,00001000,00000000,?,0040104E,00000000,00001000,00000000,00000000), ref: 0041852C
Part of subcall function 00418520: TlsAlloc.KERNEL32(?,0040104E,00000000,00001000,00000000,00000000), ref: 00418537

Part of subcall function 00417B67: CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417B85
Part of subcall function 00417B67: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00417B94
Part of subcall function 00417B67: DeleteDC.GDI32(00000000), ref: 00417BA0

Part of subcall function 004176C0: HeapCreate.KERNEL32(00000000,00001000,00000000,00401058,00000000,00001000,00000000,00000000), ref: 004176C9

Part of subcall function 00412F2D: LoadLibraryW.KERNEL32(msimg32.dll), ref: 00412F3B
Part of subcall function 00412F2D: GetProcAddress.KERNEL32(00000000,AlphaBlend), ref: 00412F50
Part of subcall function 00412F2D: GetVersionExW.KERNEL32(?), ref: 00412F76

Part of subcall function 00411B7F: TlsAlloc.KERNEL32(0040107B,00000000,00001000,00000000,00000000), ref: 00411B7F

Part of subcall function 0040AAE7: InitializeCriticalSection.KERNEL32(004341B8,00000004,00000004,0040AABA,00000010,00000000,00000000,0040108F,00000000,00001000,00000000,00000000), ref: 0040AB0F

Part of subcall function 0040A9C2: InitializeCriticalSection.KERNEL32(00434190,00401094,00000000,00001000,00000000,00000000), ref: 0040A9C7

Part of subcall function 004117FF: HeapAlloc.KERNEL32(00000000,004338C4,?,00430D24,?,?,?,004010B2,0000000C,00000001,00000007,00430D24,004338DC,00000000,00001000,00000000), ref: 0041182F
Part of subcall function 004117FF: memset.MSVCRT ref: 0041186A

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 004176E0: memcpy.MSVCRT ref: 00417717

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

Part of subcall function 0040A212: TlsGetValue.KERNEL32(00000000,0040111B,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000,0043383C,00000000,00000000,00000000,0000000C), ref: 0040A219

Part of subcall function 004185B0: HeapReAlloc.KERNEL32(02A80000,00000000,?,?), ref: 0041860C

Part of subcall function 00417730: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0043101C,?,?,?,00401116,0043101C,FFFFFFFF,00000002,00000000,00000000), ref: 00417812
Part of subcall function 00417730: MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000001,?,?,?,00401116,0043101C,FFFFFFFF,00000002,00000000), ref: 00417832

Part of subcall function 0040AB16: GetEnvironmentVariableW.KERNEL32(004338DC,00000000,00000000,?,?,00401215,00000000,00000000,0043387C,installation,name,00000000,0043389C,installation,subfolder,00000000), ref: 0040AB20
Part of subcall function 0040AB16: GetEnvironmentVariableW.KERNEL32(004338DC,00000000,00000001,00000000,00000000,?,?,00401215,00000000,00000000,0043387C,installation,name,00000000,0043389C,installation), ref: 0040AB42

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

CreateMutexW.KERNEL32(00000000,00000001,00433878,installation,mutex,00000000,00430236,02A804F8,00000000,00000001,00000000,00433874,\ref.conf,02A804F8,00000000,installation), ref: 004013DA
GetLastError.KERNEL32(00000000,00000001,00433878,installation,mutex,00000000,00430236,02A804F8,00000000,00000001,00000000,00433874,\ref.conf,02A804F8,00000000,installation), ref: 004013E5
ExitProcess.KERNEL32(00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006), ref: 00401C21
HeapDestroy.KERNEL32(00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006), ref: 00401C31
ExitProcess.KERNEL32(00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006), ref: 00401C36

Part of subcall function 00405A53: LoadLibraryW.KERNEL32(.dll,00000000,00000000,00000000,00000000,?,004012CA,00433874,\ref.conf,02A804F8,00000000,installation,antis,00000000,00000000,00433880), ref: 00405AF1

Part of subcall function 0040C4F3: timeBeginPeriod.WINMM(00000001,00401A08,00000BB8,00430236,02A804F8,00000000,00000000,00433844,.exe,02A804C0,00430236,02A804F8,00000000,installation,setup,00000000), ref: 0040C4FE

Part of subcall function 00403E49: IsUserAdmin.SETUPAPI ref: 00403E5E

Strings

startup, xrefs: 004016F2, 004016F7
installation, xrefs: 0040118D, 00401192, 004011B6, 004011BB, 004011DF, 004011E4, 0040124C, 00401251, 004013AF, 004013B4, 0040141A, 0040141F, 004016F8, 004016FD, 00401942, 00401947, 00401BC3, 00401BC8
connect, xrefs: 004018D2, 004018D7
agent[, xrefs: 0040155C, 00401561
reports, xrefs: 00401812, 00401817
client, xrefs: 0040175E, 00401763, 00401787, 0040178C
gate, xrefs: 0040146C, 00401471, 0040151B, 00401520
Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00401147, 0040114C
antis, xrefs: 00401246, 0040124B
connection_key, xrefs: 00401602, 00401607
mutex, xrefs: 004013A9, 004013AE
\ref.conf, xrefs: 00401288, 0040128D
cache-, xrefs: 00401A9F
0C, xrefs: 00401044
reconnect, xrefs: 0040148A, 0040148F
melt, xrefs: 00401BBD, 00401BC2
timers, xrefs: 00401490, 00401495, 004017B8, 004017BD, 00401818, 0040181D, 00401878, 0040187D, 004018D8, 004018DD
key[, xrefs: 004015C9, 004015CE
.exe, xrefs: 00401370, 00401375, 004019B0, 004019B5
user_agent, xrefs: 00401595, 0040159A
subfolder, xrefs: 004011B0, 004011B5
plugins, xrefs: 004017B2, 004017B7
group, xrefs: 00401781, 00401786
setup, xrefs: 0040193C, 00401941
name, xrefs: 004011D9, 004011DE
tag, xrefs: 00401758, 0040175D
process, xrefs: 00401872, 00401877
path, xrefs: 00401187, 0040118C
rip, xrefs: 00401414, 00401419
url[, xrefs: 004014E2, 004014E7

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$Create$Alloc$ErrorLastValue$ByteCharCriticalEnvironmentExitInitializeLibraryLoadMultiProcessSectionVariableWidememset$AddressAdminAllocateBeginCapsDeleteDestroyDeviceHandleModuleMutexPeriodProcUserVersionmemcpytimewcslen
String ID: .exe$0C$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY$\ref.conf$agent[$antis$cache-$client$connect$connection_key$gate$group$installation$key[$melt$mutex$name$path$plugins$process$reconnect$reports$rip$setup$startup$subfolder$tag$timers$url[$user_agent
API String ID: 1354275910-1173278696
Opcode ID: 72fb5140bed1084b1f6b89e3f2106b886fd02423d9df48959d16b229a2a8ed71
Instruction ID: 5e6db7f5274bafce55e7ce43137c992fa097692b6d2be9716319cb4b14df053e
Opcode Fuzzy Hash: 72fb5140bed1084b1f6b89e3f2106b886fd02423d9df48959d16b229a2a8ed71
Instruction Fuzzy Hash: CB4207B96402007EE2447B766D82ABE36EEDBD4719F10D93FB400A51A2DD3C8DD1662E

Uniqueness

Uniqueness Score: -1.00%

Function 00412F2D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(msimg32.dll), ref: 00412F3B
GetProcAddress.KERNEL32(00000000,AlphaBlend), ref: 00412F50
GetVersionExW.KERNEL32(?), ref: 00412F76

Strings

msimg32.dll, xrefs: 00412F36
AlphaBlend, xrefs: 00412F4A

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AddressLibraryLoadProcVersion
String ID: AlphaBlend$msimg32.dll
API String ID: 2685220120-3639726679
Opcode ID: 160743ed2209961bf497b8ab71eab2eccffd13f21afd8dfd674947a525f838dd
Instruction ID: 06276db0fc9ba84a4aad0d4ea3832d61d8aa26a30f8f94dcaa6d2cfa87493b4a
Opcode Fuzzy Hash: 160743ed2209961bf497b8ab71eab2eccffd13f21afd8dfd674947a525f838dd
Instruction Fuzzy Hash: 9E01C071B102198BCB288F20EF897D573F8A714725F1011B6E608D2290E7B894D9AE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00417B67, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417EA7: HeapAlloc.KERNEL32(00000008,00000038,?,00417B76,00000004,00000010,00417BB4,?,00401053,00000000,00001000,00000000,00000000), ref: 00417EB2
Part of subcall function 00417EA7: HeapAlloc.KERNEL32(00000008,00001000,?,00417B76,00000004,00000010,00417BB4,?,00401053,00000000,00001000,00000000), ref: 00417EE1
Part of subcall function 00417EA7: InitializeCriticalSection.KERNEL32(00000020,?,00417B76,00000004,00000010,00417BB4,?,00401053,00000000,00001000,00000000), ref: 00417EEE

CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417B85
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00417B94
DeleteDC.GDI32(00000000), ref: 00417BA0

Strings

DISPLAY, xrefs: 00417B80

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocHeap$CapsCreateCriticalDeleteDeviceInitializeSection
String ID: DISPLAY
API String ID: 2433457814-865373369
Opcode ID: 9423453d03031f6c30412892c8207754e845483fbef31712679cb496fa469a08
Instruction ID: 1231037f6495305c5889d530bfa287352df8421bde6d6d0a49fd9f844b838046
Opcode Fuzzy Hash: 9423453d03031f6c30412892c8207754e845483fbef31712679cb496fa469a08
Instruction Fuzzy Hash: A9E048B16852216FD310AB61BC09FE73768FB44746F0151A6B905E65D0C7F458805AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004187D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 004187DE
RtlAllocateHeap.NTDLL(02A80000,00000000,?,?,00000000), ref: 004187F9

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004187D0

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocateHeapwcslen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1345907364-3176450862
Opcode ID: b3562ecaac1de147926a6ea2a0af9cd12d139f88880aca86f773959f1819e59e
Instruction ID: 8771bba1796b14abd35d22a7a254b7e906f7b953320745c81cae72fe20eede13
Opcode Fuzzy Hash: b3562ecaac1de147926a6ea2a0af9cd12d139f88880aca86f773959f1819e59e
Instruction Fuzzy Hash: 88F05EB5A00208FFCB04EFA4C844E9A73B8EF88318F10C15DF9088B340DA75EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00418550, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapDestroy.KERNELBASE(02A80000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00401C2B,00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000), ref: 00418559
TlsFree.KERNEL32(00000022), ref: 00418566

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00418550

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: DestroyFreeHeap
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3293292866-3176450862
Opcode ID: 8b00878808a95b931a5506806f90fbc5b3ddde3ae783f722fb87c20c729aa98d
Instruction ID: c9f893ddf158d9eedf30ebc796fc552c767cc27477c09fe34e3ed93c32061efd
Opcode Fuzzy Hash: 8b00878808a95b931a5506806f90fbc5b3ddde3ae783f722fb87c20c729aa98d
Instruction Fuzzy Hash: DDC04C75615205DBC60CABA4FF4885B77ACA7886017403565B60583220CAB5F400CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004188D0, Relevance: 4.6, APIs: 3, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(00000022,00001000,00000000,00000000), ref: 004188DC
RtlReAllocateHeap.NTDLL(02A80000,00000000,?,?), ref: 00418937
HeapReAlloc.KERNEL32(02A80000,00000000,?,000FFFF6), ref: 00418981

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$AllocAllocateValue
String ID:
API String ID: 1566162415-0
Opcode ID: aef585887fbf2e801a0943c96021bb97876ca3429b4e8cd843820f53fd5631cc
Instruction ID: 0fbfacc5a734ef1e09f863a6cef04630cf83f8fc68f1c65456e43bca00c9a9f7
Opcode Fuzzy Hash: aef585887fbf2e801a0943c96021bb97876ca3429b4e8cd843820f53fd5631cc
Instruction Fuzzy Hash: 9D31B574A00209EFCB04CF98D694A9DB7B5FB88318F20C1A9E845AB355C731AE81DF84

Uniqueness

Uniqueness Score: -1.00%

Function 004185B0, Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9
HeapReAlloc.KERNEL32(02A80000,00000000,?,?), ref: 0041860C

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$AllocAllocateValue
String ID:
API String ID: 1566162415-0
Opcode ID: 96dea2c415d371175326177c8b01b83b3aea3fc76d16007666b839674a00bf32
Instruction ID: 0b3564f57bff6a3c22bf37c8f2f50f100e93119f5e469cc445a38e39922f3316
Opcode Fuzzy Hash: 96dea2c415d371175326177c8b01b83b3aea3fc76d16007666b839674a00bf32
Instruction Fuzzy Hash: D311FB74A00208EFC708DF98D994E9ABBB6FF88310F10C199E8099B354D775AE81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00418520, Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,?,0040104E,00000000,00001000,00000000,00000000), ref: 0041852C
TlsAlloc.KERNEL32(?,0040104E,00000000,00001000,00000000,00000000), ref: 00418537

Part of subcall function 00419000: HeapAlloc.KERNEL32(02A80000,00000000,0000000C,?,?,00418547,?,0040104E,00000000,00001000,00000000,00000000), ref: 0041900E
Part of subcall function 00419000: HeapAlloc.KERNEL32(02A80000,00000000,00000010,?,?,00418547,?,0040104E,00000000,00001000,00000000,00000000), ref: 00419022
Part of subcall function 00419000: TlsSetValue.KERNEL32(00000022,00000000,?,?,00418547,?,0040104E,00000000,00001000,00000000,00000000), ref: 0041904B

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: 78c2c0c0c07cac62f1ec53d2f66c29e3876caa767cca0b542a5b70da64064170
Instruction ID: 0d125e3cdd7032c22b7ffeac5eb257d78f434ecb57c9d1a851f662740cab3c45
Opcode Fuzzy Hash: 78c2c0c0c07cac62f1ec53d2f66c29e3876caa767cca0b542a5b70da64064170
Instruction Fuzzy Hash: 3FD0803454530567D7147FB1BE0EB457FB4A704B85F102077F644562D0D6F46040C51C

Uniqueness

Uniqueness Score: -1.00%

Function 00417730, Relevance: 2.6, APIs: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0043101C,?,?,?,00401116,0043101C,FFFFFFFF,00000002,00000000,00000000), ref: 00417812
MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000001,?,?,?,00401116,0043101C,FFFFFFFF,00000002,00000000), ref: 00417832

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: d24b1900dd2734c72ebb843afdd96ba6c6d82ae8885cf87f0c476a4ee9f05af6
Instruction ID: c00abbf960adee3d0edad9a4a2567d52d6a0582dac33a8d482c5aaa4d1fe8794
Opcode Fuzzy Hash: d24b1900dd2734c72ebb843afdd96ba6c6d82ae8885cf87f0c476a4ee9f05af6
Instruction Fuzzy Hash: 5E31263610C3055AD7345E748C80BFBB7A9EF80364F24471FFAB1062C1DA79A881C769

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB3, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

GetModuleFileNameW.KERNEL32(00000000,00000000,00000400,00000000,00000400,00000000,00000000,00001000,00000000,004012EF,00000001,00000000,00433874,\ref.conf,02A804F8,00000000), ref: 00408BF6

Part of subcall function 0040C98E: memmove.MSVCRT ref: 0040C9F8

Part of subcall function 0040A200: TlsGetValue.KERNEL32(?,?,0040819F,00000000,00000002,00000000,00000000,00000000,00000000,00404B56,00000000,00000000,00000001,00000001,00000006,00000000), ref: 0040A208

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$ErrorLast$AllocateFileHeapModuleNamememmove
String ID:
API String ID: 4186491432-0
Opcode ID: 519a5f2df4cb9efcb1940f9290fab02e45dc6c3f7633f14c4f3d0396c2a33224
Instruction ID: dfad88e31201a60bca71200c0e2e917d238116b7a53534fa5764cd053a75b2ee
Opcode Fuzzy Hash: 519a5f2df4cb9efcb1940f9290fab02e45dc6c3f7633f14c4f3d0396c2a33224
Instruction Fuzzy Hash: 34011ABA60820079F50032729E42E7F76ADDBC0718F20CC3FB544A50A2DD3D8DD2612E

Uniqueness

Uniqueness Score: -1.00%

Function 004178A0, Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00416A00,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004178B1

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 014e06c44eedf72f864cf5f4bccbe57ff615cde333a800e5a5b8fef4433f5551
Instruction ID: 7e86721d88d3ce07b1106d8c4c3afbef5ad9907f2bd5d0025e144fa018d6bba2
Opcode Fuzzy Hash: 014e06c44eedf72f864cf5f4bccbe57ff615cde333a800e5a5b8fef4433f5551
Instruction Fuzzy Hash: 03C08C703041006AE210AB208E08E13B2A8BBB0702F00C1357940D2030DA30D850D72C

Uniqueness

Uniqueness Score: -1.00%

Function 00417C3F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsFree.KERNEL32(00401C68,00401C26,00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00417C5C

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: aa6af9673f1bbe2c58e7615ed852a0d64bc20d56dec7e313c9be00a3e4f0119b
Instruction ID: eb288b85b48c32f9e4eae089c254f08455f866ae05fe5284637a17ab30625fc2
Opcode Fuzzy Hash: aa6af9673f1bbe2c58e7615ed852a0d64bc20d56dec7e313c9be00a3e4f0119b
Instruction Fuzzy Hash: 2EC04C74109500DADF1D9B04EE5C3DA3671A794306F8531759141406B097B818C8DA4C

Uniqueness

Uniqueness Score: -1.00%

Function 004176C0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00401058,00000000,00001000,00000000,00000000), ref: 004176C9

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 09b5d79ccfeef75f47126ec15d3ca90387355639b8aaa74fa636c0960585f891
Instruction ID: 0b8493055920dceaf826dff0ee9a24664562e59d1baa424ebd4b4d3ac4319635
Opcode Fuzzy Hash: 09b5d79ccfeef75f47126ec15d3ca90387355639b8aaa74fa636c0960585f891
Instruction Fuzzy Hash: E5B0127828130056E2106B105C06B4536506344B83F202160F780691E8C6E02080850C

Uniqueness

Uniqueness Score: -1.00%

Function 004176B0, Relevance: 1.5, APIs: 1, Instructions: 3memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(00401C6D,00401C26,00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004176B6

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: be6c3e3a4ed24d0e642c62fa803ea010b154476a0cb1b07011b756beb45e0ad3
Instruction ID: 5a8a3dc7f93015dc990b4be8d15d1344688ac09c3aab1d116acd2d17537b8726
Opcode Fuzzy Hash: be6c3e3a4ed24d0e642c62fa803ea010b154476a0cb1b07011b756beb45e0ad3
Instruction Fuzzy Hash: 779002385000008BCE056B10EE0844A3B61A78034130173B0A5415113486621591DA4C

Uniqueness

Uniqueness Score: -1.00%

Function 00412F20, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00401C59,00401C26,00000000,00430024,00000002,installation,melt,00000000,00000000,00000BB8,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412F26

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c6395dcad5b770e0143b5b68f27e48159df21151849e5ada74fd8836b156cbd6
Instruction ID: 103c28104c35aaeb3d559824fec656e073f83bab52f9213d56a4647c953672eb
Opcode Fuzzy Hash: c6395dcad5b770e0143b5b68f27e48159df21151849e5ada74fd8836b156cbd6
Instruction Fuzzy Hash: C59002305000C08FCE096B10EF095443A75A7803123006170D2018017096611454DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00419120, Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041912A

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: aa66453bd3091b542903cc8698100348030e536ae2a08d13a9d84c896f0ed048
Instruction ID: 3d064ecb93fb3f2bf6d57a64116dd6a8d57b64d273da11784b4fd6676e6407f2
Opcode Fuzzy Hash: aa66453bd3091b542903cc8698100348030e536ae2a08d13a9d84c896f0ed048
Instruction Fuzzy Hash: 05B012B5404201AFC604CB54FE8980BFBE8FFD0240F809824F049C6030C334E114CB1B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407EA1, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171injectionthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,000000F8,?,?,00000040), ref: 00407F8A
NtUnmapViewOfSection.NTDLL(?,?), ref: 00407FA0
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?), ref: 00407FC3
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,?,00003000,00000040,00000000,00000000,00000000,00000000,00000000,00000004), ref: 00407FE9
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000028), ref: 00408078
GetThreadContext.KERNEL32(?,?), ref: 004080AA
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?), ref: 004080DC
SetThreadContext.KERNEL32(?,?,?,?,?,00000004,00000000,?,?), ref: 0040810C
ResumeThread.KERNEL32(?,?,?,?,?,?,00000004,00000000,?,?), ref: 0040811B

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00407EA1

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Process$MemoryThreadWrite$Context$AllocCreateResumeSectionUnmapViewVirtual
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3932078547-3176450862
Opcode ID: 6cda5cc3daef51f03a1118b180d6b3c25dd1e520ed89062c43841e8820beb168
Instruction ID: f72b3a053dca83f2f24490b4290ac8229286aacf070d2431c1197390f0c723e8
Opcode Fuzzy Hash: 6cda5cc3daef51f03a1118b180d6b3c25dd1e520ed89062c43841e8820beb168
Instruction Fuzzy Hash: A1613C71148349AFCB31EF50CC81BCFB3A9FF88304F40881EF69856191D775AA688B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C837, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 115fileCOMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 0040C866
wcslen.MSVCRT ref: 0040C87A
wcscat.MSVCRT ref: 0040C8A7
GetDriveTypeW.KERNEL32(?), ref: 0040C8B3
FindFirstFileW.KERNEL32(?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000), ref: 0040C8F6
FindClose.KERNEL32(00000000), ref: 0040C920
GetFileAttributesW.KERNEL32(?), ref: 0040C95A
GetDriveTypeW.KERNEL32(?), ref: 0040C96F

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040C8CB
:, xrefs: 0040C890

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: DriveFileFindType$AttributesCloseFirstwcscatwcslenwcsncpy
String ID: :$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 172296787-3083913587
Opcode ID: 96641e49902afa07c7611e4a6f5972a09b498ab9555f039dc14ee386fb6e34f8
Instruction ID: 3c0650f9738dc0c4728bf1713aaab36060c93e10baf55f61dc00705825c10516
Opcode Fuzzy Hash: 96641e49902afa07c7611e4a6f5972a09b498ab9555f039dc14ee386fb6e34f8
Instruction Fuzzy Hash: 4631C9B3545305D6C620EB649885E6B73A9AF81310F204F3BE191F31D0D778D985D75E

Uniqueness

Uniqueness Score: -1.00%

Function 004039B7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004039F1
Process32FirstW.KERNEL32(?,?), ref: 00403A0C
Process32NextW.KERNEL32(?,?), ref: 00403A22
CloseHandle.KERNEL32(?,?,00000000), ref: 00403B3A

Part of subcall function 0040A200: TlsGetValue.KERNEL32(?,?,0040819F,00000000,00000002,00000000,00000000,00000000,00000000,00404B56,00000000,00000000,00000001,00000001,00000006,00000000), ref: 0040A208

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00403A3E

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 004176E0: memcpy.MSVCRT ref: 00417717

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004039B7

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$ErrorHeapLastProcess32$AllocateCloseCreateCurrentFirstFreeHandleNextProcessSnapshotToolhelp32memcpywcslen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 719671296-3176450862
Opcode ID: 536ef4af239ac7718063b422224ffc1580f13f7942d88d2975f683eff2dec3e7
Instruction ID: ed5b67eebec5cb5b443be5d127fb0a8b27c000d4536197cc3c446200d9639ccf
Opcode Fuzzy Hash: 536ef4af239ac7718063b422224ffc1580f13f7942d88d2975f683eff2dec3e7
Instruction Fuzzy Hash: 8E411FB65043447AD610BB729D86AFF77ADEBC4718F10882FB04496142EE3CDE85962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F360, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000008,00000000,00000000), ref: 0040F39D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000008,00000008,00000000,00000000), ref: 0040F3B1

Strings

b9sDdTlHgHHPc, xrefs: 0040F3C9

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: b9sDdTlHgHHPc
API String ID: 626452242-34561903
Opcode ID: bc91d954c702cfd97358d2097a5e33c26f372d7827f954d7f3c24e36c96ae16f
Instruction ID: a5bf63edb4100709863f0b6eb7c538e9ad8fe8534d816338255157c38cf5943e
Opcode Fuzzy Hash: bc91d954c702cfd97358d2097a5e33c26f372d7827f954d7f3c24e36c96ae16f
Instruction Fuzzy Hash: BD516A321083955AE731CE2988017EB7BD0ABA7314F14547EE9C9AB7C3C579890FC75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C514, Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C523
GetSystemInfo.KERNEL32(0000000C,?,?,?,00000000,00000000,00433854,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000), ref: 0040C537
GlobalMemoryStatusEx.KERNEL32(00000000), ref: 0040C54D

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: GlobalInfoMemoryStatusSystemmemset
String ID:
API String ID: 3103902362-0
Opcode ID: 0b2908797d24ed53770c9e15be3b2c2acf5413506e374d60448f601c0276bf88
Instruction ID: 534d3538bbb9868ce28a38815dedbf90a5aaac1205c576e6224131a206a0edfe
Opcode Fuzzy Hash: 0b2908797d24ed53770c9e15be3b2c2acf5413506e374d60448f601c0276bf88
Instruction Fuzzy Hash: 3511E978E01128EBCB14DBD5DD84A9EB7B5FB48300F204762E905BB3C4D238FD069A89

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5E3, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 004188D0: TlsGetValue.KERNEL32(00000022,00001000,00000000,00000000), ref: 004188DC
Part of subcall function 004188D0: RtlReAllocateHeap.NTDLL(02A80000,00000000,?,?), ref: 00418937

GetUserNameW.ADVAPI32(00000000,00000000), ref: 0040C5FE

Part of subcall function 004189B0: TlsGetValue.KERNEL32(00000022,?,0043101C,0041779D,00000000,00000000,00000007,?,?,?,00401116,0043101C,FFFFFFFF,00000002,00000000,00000000), ref: 004189BA

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$AllocateHeapNameUser
String ID:
API String ID: 2635446157-0
Opcode ID: bf0dedebb5e64075ccdaa5853708b9240f9af3f5019348e202621cff274b4f62
Instruction ID: 1d5e9e947f5f8d3bd63a7a5b9719a14f5b1e4b15b5a75373e830f134c4033555
Opcode Fuzzy Hash: bf0dedebb5e64075ccdaa5853708b9240f9af3f5019348e202621cff274b4f62
Instruction Fuzzy Hash: BAE092B1800118FBDB10ABA2CD09CEF7F2CEB04390F10056AB90462140DA399E1196AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1B0, Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

<8C, xrefs: 0040A1B2

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID:
String ID: <8C
API String ID: 0-712665399
Opcode ID: 6c4e5a90e962732a6225da3609039a7749263e3bffb7dbc5fafd9da71a1820ef
Instruction ID: 0c683275490bcabb3b46bbabec03a7bf1525a8b7e7810facacdcbfe32042ada8
Opcode Fuzzy Hash: 6c4e5a90e962732a6225da3609039a7749263e3bffb7dbc5fafd9da71a1820ef
Instruction Fuzzy Hash: 5AF0B6B5949A07AFD3598F1AE580601FBE4BB88210B64862EA45C83B10E334E5A18F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC0C, Relevance: 75.6, APIs: 40, Strings: 3, Instructions: 395memorypipesynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AC56
CreatePipe.KERNEL32(?,?,?,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00433880,02A88EB0,00430236,00000000,00000000,0043387C,installation,name,00000000), ref: 0040ACDE
CreatePipe.KERNEL32(?,?,?,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00433880,02A88EB0,00430236,00000000,00000000,0043387C,installation,name,00000000), ref: 0040AD33
CreatePipe.KERNEL32(?,?,?,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00433880,02A88EB0,00430236,00000000,00000000,0043387C,installation,name,00000000), ref: 0040AD79
GetStdHandle.KERNEL32(000000F6), ref: 0040ADC3
GetStdHandle.KERNEL32(000000F5), ref: 0040ADD7
GetStdHandle.KERNEL32(000000F4), ref: 0040ADEB
wcslen.MSVCRT ref: 0040AE17
wcslen.MSVCRT ref: 0040AE25
HeapAlloc.KERNEL32(00000000,00000000), ref: 0040AE3F
wcscpy.MSVCRT ref: 0040AE57
wcscat.MSVCRT ref: 0040AE5E
wcscat.MSVCRT ref: 0040AE69
wcscpy.MSVCRT ref: 0040AE75
wcscat.MSVCRT ref: 0040AE90
wcscat.MSVCRT ref: 0040AE9D
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 0040AED7
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AEF5
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AF01
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AF0D
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AF13
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 0040AF27
EnterCriticalSection.KERNEL32(004341B8,?,00000000,?,?,?), ref: 0040AF39
LeaveCriticalSection.KERNEL32(004341B8,?,00000000,?,?,?), ref: 0040AF50
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AF84
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AF9B
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AFA7
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AFB3
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AFBF
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AFCB
CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 0040AFD7
wcslen.MSVCRT ref: 0040AFF1
wcscpy.MSVCRT ref: 0040B017
memset.MSVCRT ref: 0040B043
ShellExecuteExW.SHELL32 ref: 0040B0A0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040B0BF
EnterCriticalSection.KERNEL32(004341B8), ref: 0040B0D1
LeaveCriticalSection.KERNEL32(004341B8), ref: 0040B0E8

Part of subcall function 0040ABB4: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,0040AD9C,?), ref: 0040ABC3
Part of subcall function 0040ABB4: GetCurrentProcess.KERNEL32(?,00000000,?,?,0040AD9C,?), ref: 0040ABCF
Part of subcall function 0040ABB4: DuplicateHandle.KERNEL32(00000000,?,?,0040AD9C,?), ref: 0040ABD6
Part of subcall function 0040ABB4: CloseHandle.KERNEL32(?,?,?,0040AD9C,?), ref: 0040ABE2

HeapFree.KERNEL32(00000000,?), ref: 0040B124

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040AC13
x, xrefs: 0040AFD9
`Pxt Fw Uxt, xrefs: 0040ADB2

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY$`Pxt Fw Uxt$x
API String ID: 550696126-3931963186
Opcode ID: f665636fc65fa11609da4e3299dcfe9842a0f89316d981efb886f48c125c998c
Instruction ID: 05a40b855c393bc71a8864245f9e2202cf2a3e9f3a0ef0d98c01c47f486452e6
Opcode Fuzzy Hash: f665636fc65fa11609da4e3299dcfe9842a0f89316d981efb886f48c125c998c
Instruction Fuzzy Hash: 4FE17A715083419FD321DF24C845BABBBE4FF88354F144A3FF599A2290EB788954CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00420B9A, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420BC0

Part of subcall function 004216BC: _atan2f.LIBCMT ref: 004216D5
Part of subcall function 004216BC: SelectObject.GDI32(?,?), ref: 00421702

wcslen.MSVCRT ref: 00420BFA
GetTextExtentPoint32W.GDI32(00000000,?,00000000,?), ref: 00420C03
_logf.LIBCMT ref: 00420C42

Part of subcall function 004217BC: sin.MSVCRT ref: 004217C7

_logf.LIBCMT ref: 00420C52

Part of subcall function 0042177F: cos.MSVCRT ref: 0042178A

_logf.LIBCMT ref: 00420C98
_logf.LIBCMT ref: 00420CB1
memset.MSVCRT ref: 00420D8C
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00420DCA
SelectObject.GDI32(00000000,00000000), ref: 00420DDC
SetBkMode.GDI32(?,00000002), ref: 00420DF1
SetTextAlign.GDI32(?,00000000), ref: 00420E06
SetBkColor.GDI32(00000000,00000000), ref: 00420E0F
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00420E1B
GetStockObject.GDI32(00000004), ref: 00420E35
FillRect.USER32(00000000,00000000,00000000), ref: 00420E42
GetObjectW.GDI32(00000000,00000018,?), ref: 00420E50
wcslen.MSVCRT ref: 00420E62
TextOutW.GDI32(00000000,?,?,?,00000000), ref: 00420E7F
DeleteDC.GDI32(00000000), ref: 00420ECD
DeleteObject.GDI32(00000000), ref: 00420ED8

Strings

(, xrefs: 00420D94

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$Text_logf$ColorCreateDeleteSelectwcslen$AlignCompatibleExtentFillModePoint32RectSectionStock_atan2fmemset
String ID: (
API String ID: 1946677379-3887548279
Opcode ID: 8d1d3991b3ad8bc1875c61d0d534c60fef7dd16b0e0e635c8db770be3e24974f
Instruction ID: 451dcdaa8748e6389e68b49eb2dc2becbb11f90dd46d1fce7bf54d39f17819e7
Opcode Fuzzy Hash: 8d1d3991b3ad8bc1875c61d0d534c60fef7dd16b0e0e635c8db770be3e24974f
Instruction Fuzzy Hash: 59919A71209355DFC320EF65E948A2FBBE8FF84700F414D2EF485A2262DB74D9648B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004157E0, Relevance: 32.0, APIs: 21, Instructions: 457memoryCOMMON

Download Yara Rule

APIs

codecvt.LIBCPMTD ref: 00415830
codecvt.LIBCPMTD ref: 00415874
codecvt.LIBCPMTD ref: 00415948
codecvt.LIBCPMTD ref: 0041598C
codecvt.LIBCPMTD ref: 004159D6
HeapFree.KERNEL32(02930000,00000000,00000000), ref: 00415A03
codecvt.LIBCPMTD ref: 00415A55
codecvt.LIBCPMTD ref: 00415A9F
??3@YAXPAX@Z.MSVCRT ref: 00415ADC
HeapFree.KERNEL32(02930000,00000000,00000000), ref: 00415B42
??3@YAXPAX@Z.MSVCRT ref: 00415B6C
??3@YAXPAX@Z.MSVCRT ref: 00415B94
codecvt.LIBCPMTD ref: 00415BC9
codecvt.LIBCPMTD ref: 00415C07
codecvt.LIBCPMTD ref: 00415C51
codecvt.LIBCPMTD ref: 00415C9B
codecvt.LIBCPMTD ref: 00415CE5
codecvt.LIBCPMTD ref: 00415D2F
codecvt.LIBCPMTD ref: 00415D79
codecvt.LIBCPMTD ref: 00415DC3
codecvt.LIBCPMTD ref: 00415E0D

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: codecvt$??3@$FreeHeap
String ID:
API String ID: 1748457837-0
Opcode ID: 5ee7a6a3cc168251f8d358bb8634df6ed69fad4beeb2f5d75fe98671a63071d6
Instruction ID: 190b61ec59d6a314bba0a793155db7ebf6a27c18f3ba3e4e29e2e6f1d4dbbd65
Opcode Fuzzy Hash: 5ee7a6a3cc168251f8d358bb8634df6ed69fad4beeb2f5d75fe98671a63071d6
Instruction Fuzzy Hash: E4328F74A00218DFDB18DF54C594BDEBBB1BB88344F24819AE8096B391D779AEC5CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBC2, Relevance: 30.2, APIs: 11, Strings: 9, Instructions: 157stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00420630: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,0040BBE4,00000000), ref: 00420661
Part of subcall function 00420630: malloc.MSVCRT ref: 00420671
Part of subcall function 00420630: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000), ref: 0042068B

Part of subcall function 00420630: malloc.MSVCRT ref: 004206A0

strcmp.MSVCRT ref: 0040BBF7
strcmp.MSVCRT ref: 0040BC1A
strcmp.MSVCRT ref: 0040BC38
strcmp.MSVCRT ref: 0040BC56
strcmp.MSVCRT ref: 0040BC74
strcmp.MSVCRT ref: 0040BC92
strcmp.MSVCRT ref: 0040BCB3
strcmp.MSVCRT ref: 0040BCD4
HeapAlloc.KERNEL32(00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00001000), ref: 0040BD14
strncpy.MSVCRT ref: 0040BD26
HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 0040BD49

Part of subcall function 0040BA9C: strstr.MSVCRT ref: 0040BAA8

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040BD05
/US/, xrefs: 0040BC50
/PS/, xrefs: 0040BC6E
/PT/, xrefs: 0040BCCE
/AN/, xrefs: 0040BCAD
/PM/, xrefs: 0040BC8C
/PC/, xrefs: 0040BBF1
/WS/, xrefs: 0040BC14
/PO/, xrefs: 0040BC32

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strcmp$ByteCharHeapMultiWidemalloc$AllocFreestrncpystrstr
String ID: /AN/$/PC/$/PM/$/PO/$/PS/$/PT/$/US/$/WS/$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1669209463-1270636949
Opcode ID: eb2c9b37329305b6619bf9f0a9ffeb49130971a1b93d5a1f14a5509c20d9dcbe
Instruction ID: 286bf1c7d78f5721acf62dd1ba4a318037c4de6c3b217ab86fdae707a63dc284
Opcode Fuzzy Hash: eb2c9b37329305b6619bf9f0a9ffeb49130971a1b93d5a1f14a5509c20d9dcbe
Instruction Fuzzy Hash: 6A4142721083466AE215AB65AC46E7B76ACEF81718F50083FF801B11D2EF3C994599AE

Uniqueness

Uniqueness Score: -1.00%

Function 00406997, Relevance: 26.7, APIs: 1, Strings: 14, Instructions: 403COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00430024,00000000,00000000,00000000,00430116,$C$C,00430116,?,00000000,00000000,?,L3Njb21tYSA=,00000000,00000008,00000000,.log), ref: 00406D6C

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

Part of subcall function 00411A76: HeapFree.KERNEL32(00000000,-00000018,00430D24,00000000,00411810,00430D24,?,?,?,004010B2,0000000C,00000001,00000007,00430D24,004338DC,00000000), ref: 00411AB7

Strings

?pl=1, xrefs: 00406A27, 00406A2C
$C$C, xrefs: 00406E5F, 00406C1D, 00406B85, 00406E55
?gpp=, xrefs: 00406B1B, 00406B20
$C$C, xrefs: 00406DE5
hst, xrefs: 00406A12
?p=, xrefs: 00406BC3, 00406BC8
$C$C, xrefs: 00406CF8, 00406CFC
Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00406997
L3Njb21tYSA=, xrefs: 00406CBE, 00406CC3
rdp, xrefs: 00406A05
.log, xrefs: 00406C5E, 00406C63
L1Zpc2l0VGltZUZpbHRlclR5cGUgMiAvVmlzaXRUaW1lRmlsdGVyVmFsdWUgNiAvc2NvbW1hIA==, xrefs: 00406C9F, 00406CA4
ins, xrefs: 004069DE
ftp, xrefs: 004069F8

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FreeHeap$ExistsFilePath
String ID: $C$C$$C$C$$C$C$.log$?gpp=$?p=$?pl=1$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY$L1Zpc2l0VGltZUZpbHRlclR5cGUgMiAvVmlzaXRUaW1lRmlsdGVyVmFsdWUgNiAvc2NvbW1hIA==$L3Njb21tYSA=$ftp$hst$ins$rdp
API String ID: 1326849783-2552739294
Opcode ID: cce5e528d5d44bf4fc5d0fa200c0480a0c1a16264767edbbd71277aa7389ef32
Instruction ID: ef7ec449c7042876fab9e70802ac5068f39e00fa98b555098825a3abadb390b6
Opcode Fuzzy Hash: cce5e528d5d44bf4fc5d0fa200c0480a0c1a16264767edbbd71277aa7389ef32
Instruction Fuzzy Hash: 67C152B5504300BAD600BF62DD82A6F76EAEFC8708F50C93FB044A51A2DE3DDD91562E

Uniqueness

Uniqueness Score: -1.00%

Function 00428AC3, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 00428AD5

Part of subcall function 00412DCF: GetObjectType.GDI32(?), ref: 00412DE9
Part of subcall function 00412DCF: GetObjectW.GDI32(?,00000054,?), ref: 00412E05

DeleteObject.GDI32(?), ref: 00428AF8
CreateCompatibleDC.GDI32(00000000), ref: 00428B05
GetObjectW.GDI32(?,00000018,?), ref: 00428B27
memset.MSVCRT ref: 00428B3A
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00428B7C
SelectObject.GDI32(00000000,00000000), ref: 00428B98
DrawIconEx.USER32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000002), ref: 00428BB2
SelectObject.GDI32(00000000,?), ref: 00428BBD
GetObjectW.GDI32(?,00000018,?), ref: 00428BCA
GetPixel.GDI32(00000000,00000000,00000000), ref: 00428C06

Strings

(, xrefs: 00428B57

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$CreateIconSelect$CompatibleDeleteDrawInfoPixelSectionTypememset
String ID: (
API String ID: 3561727912-3887548279
Opcode ID: 75454fec3c0dcf8d06d4278aa9ad02416addedc9ca9e634728a610f5dece0b2e
Instruction ID: a34ab14a4423eb234f8afa27f93db3f83a5ca9dcec38ea9a156ea1a412bd32e7
Opcode Fuzzy Hash: 75454fec3c0dcf8d06d4278aa9ad02416addedc9ca9e634728a610f5dece0b2e
Instruction Fuzzy Hash: 62416EB120A314AFD7119F65DD84A6FBBE8EF88740F40482EF580D2220DB74DD518B66

Uniqueness

Uniqueness Score: -1.00%

Function 00421549, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 135windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00421558
SelectObject.GDI32(00000000,?), ref: 00421569
CreateCompatibleDC.GDI32(00000000), ref: 00421570
GetObjectW.GDI32(?,00000018,?,?,?,00000000), ref: 0042158A
memset.MSVCRT ref: 004215BC
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00421607
SelectObject.GDI32(00000000,00000000), ref: 00421619
BitBlt.GDI32(00000000,00000000,00000000,00000028,00000028,00000000,00000000,00000000,00CC0020), ref: 00421644
SetStretchBltMode.GDI32(00000000,00000004), ref: 00421659
SetBrushOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 00421666
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00421686
DeleteDC.GDI32(00000000), ref: 004216A3
DeleteDC.GDI32(00000000), ref: 004216AB

Strings

(, xrefs: 004215C4

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CreateObject$CompatibleDeleteSelectStretch$BrushModeSectionmemset
String ID: (
API String ID: 1241336042-3887548279
Opcode ID: 483f9741b7e97e59c4994ca989e201f32c77134c98c697970a7294df045b80e2
Instruction ID: 663ffc12b3781deb1270b704fcbee70233a22c1baa6ab7ef341390dc88e8ab68
Opcode Fuzzy Hash: 483f9741b7e97e59c4994ca989e201f32c77134c98c697970a7294df045b80e2
Instruction Fuzzy Hash: 85418BB1608314BFD311AB60ED44F7FBBADEF98704F50182EF941922A0D7B49D449B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00420FF8, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000D), ref: 0042101A
SelectObject.GDI32(00000000,?), ref: 00421035
DeleteObject.GDI32(?), ref: 0042104C
GetTextExtentPoint32W.GDI32(00000000,0042F6F0,00000002,?), ref: 0042106B
memset.MSVCRT ref: 00421098
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 004210DD
GetObjectW.GDI32(00000000,00000018,?), ref: 004210F4
SelectObject.GDI32(?,00000000), ref: 0042111D
DeleteObject.GDI32(?), ref: 0042112E
SetBkMode.GDI32(?,00000002), ref: 00421142
SetTextAlign.GDI32(?,00000000), ref: 00421150
SetBkColor.GDI32(?,00000000), ref: 0042115E
SetTextColor.GDI32(?,00FFFFFF), ref: 0042116F

Strings

(, xrefs: 004210AE

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$Text$ColorDeleteSelect$AlignCreateExtentModePoint32SectionStockmemset
String ID: (
API String ID: 2443382557-3887548279
Opcode ID: 174cadc52f7eb31a479a1011d5b1988d87d7c35983f2bea53f31ef484db9c75b
Instruction ID: 35469bf677930ac05a70dd70de18b3cde08c7604cd6c14a59225586b22c7b08c
Opcode Fuzzy Hash: 174cadc52f7eb31a479a1011d5b1988d87d7c35983f2bea53f31ef484db9c75b
Instruction Fuzzy Hash: FA414C75A00604EBDB219FA5DD09BEEBBB8FF88701F10442AF55AE22A0D774A941DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0042897F, Relevance: 24.1, APIs: 16, Instructions: 115windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0042898A
SelectObject.GDI32(00000000,?), ref: 004289A6
GetTextMetricsW.GDI32(00000000,?), ref: 004289AE
GetTextExtentPoint32W.GDI32(00000000,0042F728,00000001,?), ref: 004289CB
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004289E0
SelectObject.GDI32(00000000,00000000), ref: 004289F2
SetBkMode.GDI32(00000000,00000002), ref: 004289F7
SetTextAlign.GDI32(00000000,00000000), ref: 004289FF
SetBkColor.GDI32(00000000,00000000), ref: 00428A07
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00428A13
GetStockObject.GDI32(00000004), ref: 00428A37
FillRect.USER32(00000000,?,00000000), ref: 00428A44
TextOutW.GDI32(00000000,00000000,00000000,0042F728,00000001), ref: 00428A54
GetPixel.GDI32(00000000,?,00000000), ref: 00428A7A
DeleteDC.GDI32(00000000), ref: 00428AA6
DeleteObject.GDI32(00000000), ref: 00428AB2

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Text$Object$ColorCompatibleCreateDeleteSelect$AlignBitmapExtentFillMetricsModePixelPoint32RectStock
String ID:
API String ID: 4164013142-0
Opcode ID: d9da3921e475873fa00fa4b29398704d6578978569df4dfb7a87ce4c0e86c49a
Instruction ID: 7bd7968b5c5ca07f02ab4ff7871987801383328132c855cdb7c62ff5ec3f1e07
Opcode Fuzzy Hash: d9da3921e475873fa00fa4b29398704d6578978569df4dfb7a87ce4c0e86c49a
Instruction Fuzzy Hash: AA3159B1205311AFD311DF68ED88A3F7BF8EF89B51F00042EF945D2250DB64D8059B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042897A, Relevance: 24.1, APIs: 16, Instructions: 111windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0042898A
SelectObject.GDI32(00000000,?), ref: 004289A6
GetTextMetricsW.GDI32(00000000,?), ref: 004289AE
GetTextExtentPoint32W.GDI32(00000000,0042F728,00000001,?), ref: 004289CB
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004289E0
SelectObject.GDI32(00000000,00000000), ref: 004289F2
SetBkMode.GDI32(00000000,00000002), ref: 004289F7
SetTextAlign.GDI32(00000000,00000000), ref: 004289FF
SetBkColor.GDI32(00000000,00000000), ref: 00428A07
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00428A13
GetStockObject.GDI32(00000004), ref: 00428A37
FillRect.USER32(00000000,?,00000000), ref: 00428A44
TextOutW.GDI32(00000000,00000000,00000000,0042F728,00000001), ref: 00428A54
GetPixel.GDI32(00000000,?,00000000), ref: 00428A7A
DeleteDC.GDI32(00000000), ref: 00428AA6
DeleteObject.GDI32(00000000), ref: 00428AB2

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Text$Object$ColorCompatibleCreateDeleteSelect$AlignBitmapExtentFillMetricsModePixelPoint32RectStock
String ID:
API String ID: 4164013142-0
Opcode ID: c0a39278aeb1addf9fa0765cc1d9b15e75e2f932edea1d0c2a7986a4e82dc3be
Instruction ID: 6ee40499ff3680907a5a3f1a74366b00b354716b642d065a4a1f32d3cdaed320
Opcode Fuzzy Hash: c0a39278aeb1addf9fa0765cc1d9b15e75e2f932edea1d0c2a7986a4e82dc3be
Instruction Fuzzy Hash: B73158B1345311AFD311DF68ED88A3F7BE8EF89B51F00042EF941D2250DBA8D8059B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00413A4A, Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 431filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 00413B86
HeapAlloc.KERNEL32(00000008), ref: 00413C59
HeapFree.KERNEL32(00000000,?), ref: 00413E03
HeapFree.KERNEL32(00000000,00000000), ref: 00413E19

Part of subcall function 004146E5: HeapAlloc.KERNEL32(00000008,00000450,?,?,?,?,?,?), ref: 00414704
Part of subcall function 004146E5: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004147FA

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00413EF1
memcpy.MSVCRT ref: 00413F17
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00413F6B
memcpy.MSVCRT ref: 00413F80
CloseHandle.KERNEL32(?), ref: 00413FB1
DeleteFileW.KERNEL32(?), ref: 00413FBC

Strings

, xrefs: 00413D8C
(, xrefs: 00413B32

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$File$Alloc$FreeWritememcpy$CloseCreateDeleteHandle
String ID: $(
API String ID: 3606555581-55695022
Opcode ID: ee055060dc97740285fe6aa0357f3909fbac68ec831672dd4ef7a29edea06b80
Instruction ID: 9aab3accc877f4fce0584e022fe851d7e1862128cea8e6ea30a189e11ad4578c
Opcode Fuzzy Hash: ee055060dc97740285fe6aa0357f3909fbac68ec831672dd4ef7a29edea06b80
Instruction Fuzzy Hash: 6EF1E6B19083459FD720DF15DC407ABBBE4AFC4305F08492EF98897351E739EA498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042044E, Relevance: 19.6, APIs: 13, Instructions: 74memoryregistrythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,00418768,004186D0,00000000), ref: 0042045E
InitializeCriticalSection.KERNEL32(00434170,?,?,00418768,004186D0,00000000), ref: 0042046A
TlsGetValue.KERNEL32(?,?,00418768,004186D0,00000000), ref: 00420480
HeapAlloc.KERNEL32(00000008,00000014,?,?,00418768,004186D0,00000000), ref: 0042049A
EnterCriticalSection.KERNEL32(00434170,?,?,00418768,004186D0,00000000), ref: 004204AB
LeaveCriticalSection.KERNEL32(00434170,?,?,?,00418768,004186D0,00000000), ref: 004204C7
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,00418768,004186D0,00000000), ref: 004204E0
GetCurrentThread.KERNEL32 ref: 004204E3
GetCurrentProcess.KERNEL32(00000000,?,?,?,00418768,004186D0,00000000), ref: 004204EA
DuplicateHandle.KERNEL32(00000000,?,?,?,00418768,004186D0,00000000), ref: 004204ED
RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,00420546,00000000,000000FF,00000008), ref: 00420503
TlsSetValue.KERNEL32(00000000,?,?,?,00418768,004186D0,00000000), ref: 00420510
HeapAlloc.KERNEL32(00000000,0000000C,?,?,00418768,004186D0,00000000), ref: 00420521

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: 268e4a9056980c488d98ab2233537914818aab873ea479ddd1690247689a55cd
Instruction ID: 554a9c1731e24c2a84e7252e7f5383d5cc338bdefa2102db05b93ad078862be6
Opcode Fuzzy Hash: 268e4a9056980c488d98ab2233537914818aab873ea479ddd1690247689a55cd
Instruction Fuzzy Hash: 7C213E71600311AFEB14AF64ED8CB567FE8FB58311F14953AF905972A1CBB49884CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00416AF0, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 00416BE5

Part of subcall function 00418A10: TlsGetValue.KERNEL32(00000022,?,0043101C,0041641C,00000000,?,?,0043101C,?,00401123,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001), ref: 00418A1A

_wcsdup.MSVCRT ref: 00416C2E
_wcsdup.MSVCRT ref: 00416C49
_wcsdup.MSVCRT ref: 00416C6C
wcsncpy.MSVCRT ref: 00416D58
??3@YAXPAX@Z.MSVCRT ref: 00416DBC
??3@YAXPAX@Z.MSVCRT ref: 00416DCF
??3@YAXPAX@Z.MSVCRT ref: 00416DE2
wcsncpy.MSVCRT ref: 00416E0E

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00416AF4

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ??3@_wcsdupwcsncpy$Value
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3451606040-3176450862
Opcode ID: c31b8d68d93be028ae30bd20fd853dd16fee187e129d4efbe8e2dbaa0548d6fc
Instruction ID: f848b04c40278aa31661382ef494c5d6cfb73ceee9585c61303d1483f4ecf2aa
Opcode Fuzzy Hash: c31b8d68d93be028ae30bd20fd853dd16fee187e129d4efbe8e2dbaa0548d6fc
Instruction Fuzzy Hash: 2DA1AF716083019BC7209F18D8816ABB7B1FF90348F46092EF89597351E739DC95CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB9, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00406F13
GetSystemMetrics.USER32(00000001), ref: 00406F21
GetDC.USER32(00000000), ref: 00406F4E
BitBlt.GDI32(00CC0020,00000000,00000000,00000001,00000001,00000000,00000000,00000000,00CC0020), ref: 00406F93
ReleaseDC.USER32(00000000,00000000), ref: 00406FA6

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00406EB9
g2, xrefs: 00407034
\tmpshot.bmp, xrefs: 00406EF9, 00406EFE
TEMP, xrefs: 00406EEE, 00406EF3

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: MetricsSystem$FreeHeapRelease
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY$TEMP$\tmpshot.bmp$g2
API String ID: 3029261087-3445587791
Opcode ID: a6d68533a64e2df9fa28498c2616752b529fecbbc4f187444c9636541abbbdf3
Instruction ID: 5e7c0da0fc53af7da53a8348919dd6667e29752873d446d4b25990864b06b304
Opcode Fuzzy Hash: a6d68533a64e2df9fa28498c2616752b529fecbbc4f187444c9636541abbbdf3
Instruction Fuzzy Hash: 5C416BB1048301BED601BB61DC02F5FBBA9EF84708F10893EF594651A1DA3AD9649B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401C6E, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 225registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

RegOpenKeyExW.ADVAPI32(0000000C,?,00000000,?,?,?,00000001,00000000,00000000,?,00000001,00000000,00000000,<8C,00000000,00000000), ref: 00401DAF
RegCloseKey.ADVAPI32(00000000,0000000C,?,00000000,?,?,?,00000001,00000000,00000000,?,00000001,00000000,00000000,<8C,00000000), ref: 00401DCA

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 0040A200: TlsGetValue.KERNEL32(?,?,0040819F,00000000,00000002,00000000,00000000,00000000,00000000,00404B56,00000000,00000000,00000001,00000001,00000006,00000000), ref: 0040A208

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

Strings

<8C, xrefs: 00401EB1, 00401F19
<8C, xrefs: 00401C7C

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$CloseFreeHeapOpenwcslen
String ID: <8C$<8C
API String ID: 689962378-4290658125
Opcode ID: e8c4dcb519f094cf7b3edc37b57dd1c8d19b0ff8dc08de08a2de002e6668cc76
Instruction ID: 8537c1fc74a1aecd84c5a569c6264c3bf3b37e8840bf3e92ee522402ead88e76
Opcode Fuzzy Hash: e8c4dcb519f094cf7b3edc37b57dd1c8d19b0ff8dc08de08a2de002e6668cc76
Instruction Fuzzy Hash: 37512AB5508300BEE6017B619D46F7F76AAEBC4718F60C83FB144A51A2DA3DCC91962E

Uniqueness

Uniqueness Score: -1.00%

Function 004208F7, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00420902
GetObjectW.GDI32(?,00000018,?), ref: 00420924
memset.MSVCRT ref: 0042093A
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00420988
GetDIBits.GDI32(00000000,?,00000000,?,?,?,00000000), ref: 004209B3
DeleteObject.GDI32(00000000), ref: 00420A7D
DeleteDC.GDI32(00000000), ref: 00420A86

Strings

(, xrefs: 00420955

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CreateDeleteObject$BitsCompatibleSectionmemset
String ID: (
API String ID: 2223183535-3887548279
Opcode ID: 0250f949b7a22ab322ceeba0500a4545d4bde395ab45c42fa7d6234fc3322447
Instruction ID: 96dd73bc3e0c4326fafac672ce9342f69552ba2661e7ba198c4e73433065c985
Opcode Fuzzy Hash: 0250f949b7a22ab322ceeba0500a4545d4bde395ab45c42fa7d6234fc3322447
Instruction Fuzzy Hash: 8C418BB26083159FC310CF65E880A2FBBE9FFD8314F84492EF99593212E775D8058B56

Uniqueness

Uniqueness Score: -1.00%

Function 00411D6E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00000018,00406F45,FFFFFFFF,?,?), ref: 00411DD0
CreateCompatibleDC.GDI32(00000000), ref: 00411E5E
SelectObject.GDI32(00000000,00000000), ref: 00411E6E
CreateSolidBrush.GDI32(?), ref: 00411E8D
FillRect.USER32(?,?,00000000), ref: 00411EA0
DeleteObject.GDI32(00000000), ref: 00411EA7
DeleteDC.GDI32(?), ref: 00411EAE

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00411D76

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$CreateDelete$BrushCompatibleFillRectSelectSolid
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3640381715-3176450862
Opcode ID: 3e7b80619ae022638b7ffcd92e0263bcd394e8833c37ff5206bdbcbfeea26069
Instruction ID: 5d2f578523fddd707af583cf65cf112e0326cf9f23bf6446753309bf76c97b9a
Opcode Fuzzy Hash: 3e7b80619ae022638b7ffcd92e0263bcd394e8833c37ff5206bdbcbfeea26069
Instruction Fuzzy Hash: 704188759093449FC7109F99C8409AFBBE5BF89710F004A2EFE9093360C7B5D9818B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411F28, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00417DD4: EnterCriticalSection.KERNEL32(00000020,?,?,?,0040D25F,00000000,004091C8,00001000,00000000,FFFFFFFF,?,00000000,00000000,00000000,00401B6E,004338C8), ref: 00417DDF
Part of subcall function 00417DD4: LeaveCriticalSection.KERNEL32(00000020,?,?,?,0040D25F,00000000,004091C8,00001000,00000000,FFFFFFFF,?,00000000,00000000,00000000,00401B6E,004338C8), ref: 00417DF9

GetObjectType.GDI32(00000000), ref: 00411F4B
GetObjectW.GDI32(?,00000054,?,?,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,?,?,?,?,?,?,?,00406F60), ref: 00411F7F
CreateCompatibleDC.GDI32(00000000), ref: 00411F99

Part of subcall function 00420844: HeapAlloc.KERNEL32(00000008,00000184,?,00411FB8,-00000011,?,00000054,?,?,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY), ref: 00420852
Part of subcall function 00420844: TlsSetValue.KERNEL32(00000000,?,00411FB8,-00000011,?,00000054,?,?,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY), ref: 00420861

GdiGetBatchLimit.GDI32 ref: 00411FE2
GdiSetBatchLimit.GDI32(00000001), ref: 00411FF0
SelectObject.GDI32(?), ref: 00412002
DeleteObject.GDI32 ref: 0041205E

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00411F2B

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$BatchCriticalLimitSection$AllocCompatibleCreateDeleteEnterHeapLeaveSelectTypeValue
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 908520410-3176450862
Opcode ID: ea3bf0c1da6a3cca6275b8913d1675f3ab75cfc08bfcb77f65ee24ee0de24fbb
Instruction ID: c149a4a3e12a3397e3585b967bd8ca8be6e2d99ea89cd9ff1ae5934156ef8c69
Opcode Fuzzy Hash: ea3bf0c1da6a3cca6275b8913d1675f3ab75cfc08bfcb77f65ee24ee0de24fbb
Instruction Fuzzy Hash: 3A31D0B1A00716ABD7259F25DD487EBBAE4FF49700F00422AF608D2210D7B9D9A5CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004183BE, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,?,00000000,?,00000004,00000000,004181D0,0043412C,h4AC,00000000,?,?,77E34620,0040BFB1,?,00000010), ref: 004183CC
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 004183E1
FreeLibrary.KERNEL32(00000000), ref: 004183FC
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0041840B
Sleep.KERNEL32(00000000), ref: 0041841D
InterlockedExchange.KERNEL32(?,00000002), ref: 00418430

Strings

InitOnceExecuteOnce, xrefs: 004183DB
Kernel32.dll, xrefs: 004183C5

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 2a024053e845fcfb5b4d344be4b4d810f7f3c43a962b44670668b06982312d27
Instruction ID: 535d70f41936a1272df456fe688a735577c3d48d109d265f64d84dc01e7ab52e
Opcode Fuzzy Hash: 2a024053e845fcfb5b4d344be4b4d810f7f3c43a962b44670668b06982312d27
Instruction Fuzzy Hash: 0C01D431300216BBD7246F50AE4DFEB3768EF41B51F50412EFA05A1190EFA84941D66D

Uniqueness

Uniqueness Score: -1.00%

Function 00408D2B, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

Part of subcall function 004117FF: HeapAlloc.KERNEL32(00000000,004338C4,?,00430D24,?,?,?,004010B2,0000000C,00000001,00000007,00430D24,004338DC,00000000,00001000,00000000), ref: 0041182F
Part of subcall function 004117FF: memset.MSVCRT ref: 0041186A

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 0040A212: TlsGetValue.KERNEL32(00000000,0040111B,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000,0043383C,00000000,00000000,00000000,0000000C), ref: 0040A219

Part of subcall function 004172D0: CharLowerW.USER32(00000000,00000000,004338DC,00001000,00001000,?,?,00000000,00408DDA,00000001,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00417321

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

Part of subcall function 00408BB3: GetModuleFileNameW.KERNEL32(00000000,00000000,00000400,00000000,00000400,00000000,00000000,00001000,00000000,004012EF,00000001,00000000,00433874,\ref.conf,02A804F8,00000000), ref: 00408BF6

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 004185B0: HeapReAlloc.KERNEL32(02A80000,00000000,?,?), ref: 0041860C

Part of subcall function 00407270: PathFileExistsW.SHLWAPI(00000000,00408E1B,00000000,00000000,id.conf,00000001,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00407284

Part of subcall function 0040C5A6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 0040C5BF

Part of subcall function 0040C5E3: GetUserNameW.ADVAPI32(00000000,00000000), ref: 0040C5FE

Part of subcall function 0040C627: _mbscpy.MSVCRT ref: 0040C639

Part of subcall function 00405B39: GetDiskFreeSpaceExW.KERNEL32(HOMEDRIVE,00000000,00000000,?,?,00000000,00000000), ref: 00405BA3

Part of subcall function 004061FB: IsUserAdmin.SETUPAPI ref: 00406209

Part of subcall function 00407868: GetSystemPowerStatus.KERNEL32(00000000), ref: 00407884

Part of subcall function 0040AB16: GetEnvironmentVariableW.KERNEL32(004338DC,00000000,00000000,?,?,00401215,00000000,00000000,0043387C,installation,name,00000000,0043389C,installation,subfolder,00000000), ref: 0040AB20
Part of subcall function 0040AB16: GetEnvironmentVariableW.KERNEL32(004338DC,00000000,00000001,00000000,00000000,?,?,00401215,00000000,00000000,0043387C,installation,name,00000000,0043389C,installation), ref: 0040AB42

Part of subcall function 00403F5D: GetSystemMetrics.USER32(00000000), ref: 00403F84
Part of subcall function 00403F5D: GetSystemMetrics.USER32(00000001), ref: 00403FB0

GetCurrentProcessId.KERNEL32(00001050,00000000,0000104C,00000000,00001048,00000000,00000000,00001044,00000000,00000000,00001040,00000000,00000000,0000103C,02A804A0,00000000), ref: 00409065

Part of subcall function 004169D0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000,00000000), ref: 004169F2
Part of subcall function 004169D0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000), ref: 00416A16

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

Part of subcall function 00411A76: HeapFree.KERNEL32(00000000,-00000018,00430D24,00000000,00411810,00430D24,?,?,?,004010B2,0000000C,00000001,00000007,00430D24,004338DC,00000000), ref: 00411AB7

Strings

AZERIA, xrefs: 00408E9A
Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00408D2B
USERDOMAIN, xrefs: 00408F8F, 00408F94
\ID.txt, xrefs: 004090D8, 004090DD
APPDATA, xrefs: 004090CD, 004090D2
id.conf, xrefs: 00408DF7, 00408DFC

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$Value$CharFreeNameSystem$AllocByteEnvironmentErrorFileLastMetricsMultiUserVariableWide$AdminAllocateComputerCurrentDiskExistsLowerModulePathPowerProcessSpaceStatus_mbscpymemsetwcslen
String ID: APPDATA$AZERIA$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY$USERDOMAIN$\ID.txt$id.conf
API String ID: 932627432-3283602350
Opcode ID: 655f3cb89067b2944fbe51a659b85dc0b26e5eb61c111174d6c3259188e8b2ae
Instruction ID: 17a0492749ee171e7570c13b29198b5cb4f486783486d0b6bc8872483b9ccc98
Opcode Fuzzy Hash: 655f3cb89067b2944fbe51a659b85dc0b26e5eb61c111174d6c3259188e8b2ae
Instruction Fuzzy Hash: 3CA1CBB9900204BADA00BBB29D86DFF37AEDFC4718B50C82FB50496152ED3CDAC5566D

Uniqueness

Uniqueness Score: -1.00%

Function 00412DCF, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetObjectType.GDI32(?), ref: 00412DE9
GetObjectW.GDI32(?,00000054,?), ref: 00412E05
GetObjectW.GDI32(?,00000018,?), ref: 00412E1F
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 00412E84
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 00412EA8

Strings

, xrefs: 00412E33
, xrefs: 00412E0C

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$FreeHeap$Type
String ID: $
API String ID: 1123114911-227171996
Opcode ID: b310897a81aec26b74e9ef2ab5141737f45265cb2f9cde3872b3f0464e62496e
Instruction ID: 31a28a84187b9297c609bb5d7ab21936ab0a9af418b51e63587c0e63e4057229
Opcode Fuzzy Hash: b310897a81aec26b74e9ef2ab5141737f45265cb2f9cde3872b3f0464e62496e
Instruction Fuzzy Hash: 8021A131A4031AABDB249B50DE41BFF73B8EB44755F104036E941E6290D7F85DE2CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412CF0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018), ref: 00412D03
CreateCompatibleDC.GDI32(00000000), ref: 00412D2E
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00412D5A
GetDIBits.GDI32(00000000), ref: 00412DA2
HeapFree.KERNEL32(00000000,00000000), ref: 00412DB4
DeleteDC.GDI32(00000000), ref: 00412DBD

Strings

(, xrefs: 00412D8C

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$AllocBitsCompatibleCreateDeleteFreeObject
String ID: (
API String ID: 3437057831-3887548279
Opcode ID: 546e06f3618acfc45a8370284466942fc26102c2756b7937810e763e4a49db85
Instruction ID: af44a6d8d879b6cdd7ce86dce192f1e8102c130d652fe3dba5794174a50b480e
Opcode Fuzzy Hash: 546e06f3618acfc45a8370284466942fc26102c2756b7937810e763e4a49db85
Instruction Fuzzy Hash: C62175B1108300AFD3119F55ED8496BBBE8FF89755F00192EF980D2220DBB5CC548BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00417CCE, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000,00001000,00000000,00000000), ref: 00417CF3
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000,00001000,00000000,00000000), ref: 00417D07
TlsSetValue.KERNEL32(00000000,?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000,00001000,00000000,00000000), ref: 00417D14
TlsGetValue.KERNEL32(000000DC,?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000,00001000,00000000,00000000), ref: 00417D2B
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000,00001000,00000000,00000000), ref: 00417D3A
TlsSetValue.KERNEL32(00000000,?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000,00001000,00000000,00000000), ref: 00417D49

Strings

@aA, xrefs: 00417D4F

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocValue$Heap
String ID: @aA
API String ID: 2472784365-4075192114
Opcode ID: a60e3111ce40df6b38e8e859a7ba1e0c2d19757b058c76926b9e05abd4dd1c0a
Instruction ID: 67471e2488e3b8108ce889357509af6361c6e1ab8197f1249617cf0410779e1a
Opcode Fuzzy Hash: a60e3111ce40df6b38e8e859a7ba1e0c2d19757b058c76926b9e05abd4dd1c0a
Instruction Fuzzy Hash: C9119332604710AFDB14AF65FC48AA67BF8EB5C762B05513AF940C3370C775AC808BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B316, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00417C63: TlsGetValue.KERNEL32(?,0040B326,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000,00000000), ref: 00417C6A
Part of subcall function 00417C63: HeapAlloc.KERNEL32(00000008,00000000,?,0040B326,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=), ref: 00417C85
Part of subcall function 00417C63: TlsSetValue.KERNEL32(00000000,?,0040B326,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000), ref: 00417C94

HeapFree.KERNEL32(00000000,?,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000,00000000), ref: 0040B337
GetEnvironmentStringsW.KERNEL32(?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000,00000000,00000000,&soft=), ref: 0040B340
wcslen.MSVCRT ref: 0040B355
HeapAlloc.KERNEL32(00000000,-00000002,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000), ref: 0040B373
memcpy.MSVCRT ref: 0040B383
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040B392

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040B316

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$AllocEnvironmentFreeStringsValue$memcpywcslen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 465591631-3176450862
Opcode ID: fdeb6fef8dd0efbccbd19207ff281280781a5d9d39aafe8725714ceadcad9b13
Instruction ID: ae288f45fb4fba18520dc57ce6be21278d91371cb65e009a3ff3823c60110092
Opcode Fuzzy Hash: fdeb6fef8dd0efbccbd19207ff281280781a5d9d39aafe8725714ceadcad9b13
Instruction Fuzzy Hash: D9017531500224BBCB257F65ECC899B7FB8EF447D5315813AFC0996260D775895186D8

Uniqueness

Uniqueness Score: -1.00%

Function 00412740, Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 004127B6
malloc.MSVCRT ref: 004127D9
malloc.MSVCRT ref: 004127F3
floor.MSVCRT ref: 0041285D
floor.MSVCRT ref: 0041287A
ceil.MSVCRT ref: 00412899
ceil.MSVCRT ref: 004128B2
fabs.MSVCRT ref: 00412923

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ceil$floormalloc$fabs
String ID:
API String ID: 2390561812-0
Opcode ID: 600848e19833fdb915ac058d955d94c3d4f2e002ddfe75e3aea5d33201af125e
Instruction ID: f3fcaec0a881847267bfc4b5c8ec98a1515fd05fd920d2e7bf2c0f979cf6f0e1
Opcode Fuzzy Hash: 600848e19833fdb915ac058d955d94c3d4f2e002ddfe75e3aea5d33201af125e
Instruction Fuzzy Hash: F181BEB2A08701DBC301BF15D54455ABBF4FF84390F610D9EF5C1A22A1EB76D8A49B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040B863, Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B86C
strstr.MSVCRT ref: 0040B87E
_strnicmp.MSVCRT ref: 0040B8A6
strstr.MSVCRT ref: 0040B8BC
strstr.MSVCRT ref: 0040B8E1
strstr.MSVCRT ref: 0040B8FA
strlen.MSVCRT ref: 0040B90C

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040B864

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strstr$strlen$_strnicmp
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1937589361-3176450862
Opcode ID: 76b1045469e0245dff2553b007267e0819efdbaee095344e88c804c9375a3c19
Instruction ID: 5cbda4975f95f48ba78014d50b48f52ba4ae89f0bce569994b3d9789deff4d44
Opcode Fuzzy Hash: 76b1045469e0245dff2553b007267e0819efdbaee095344e88c804c9375a3c19
Instruction Fuzzy Hash: B311E7736087166BE2262E655C8192BB7D8EB91754F25043FF980723D1FB3D8C02539E

Uniqueness

Uniqueness Score: -1.00%

Function 00404DDB, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 004039B7: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004039F1
Part of subcall function 004039B7: Process32FirstW.KERNEL32(?,?), ref: 00403A0C
Part of subcall function 004039B7: Process32NextW.KERNEL32(?,?), ref: 00403A22
Part of subcall function 004039B7: GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00403A3E

Part of subcall function 0040A212: TlsGetValue.KERNEL32(00000000,0040111B,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000,0043383C,00000000,00000000,00000000,0000000C), ref: 0040A219

Part of subcall function 004169D0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000,00000000), ref: 004169F2
Part of subcall function 004169D0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000), ref: 00416A16

Part of subcall function 004059BB: GetTickCount.KERNEL32 ref: 004059ED

Part of subcall function 004186A0: TlsGetValue.KERNEL32(00000022,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404B45,00000001,00000001,00000006,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004186AA

Part of subcall function 00408683: InternetOpenW.WININET(00000000,00000001,00430024,00430024,00000000), ref: 004087AB
Part of subcall function 00408683: InternetSetOptionW.WININET(00000000,00000002,000003E8,00000004), ref: 004087C7

Part of subcall function 0040AA1A: CreateThread.KERNEL32 ref: 0040AA33
Part of subcall function 0040AA1A: EnterCriticalSection.KERNEL32(00434190,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040AA45
Part of subcall function 0040AA1A: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000), ref: 0040AA5C
Part of subcall function 0040AA1A: CloseHandle.KERNEL32(00000008,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040AA68
Part of subcall function 0040AA1A: LeaveCriticalSection.KERNEL32(00434190,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040AAAB

PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000), ref: 00404FAF

Part of subcall function 00408683: InternetConnectW.WININET(00000000,00000000,00000000,00430024,00430024,00000003,00000000,00000000), ref: 00408877
Part of subcall function 00408683: HttpOpenRequestW.WININET(00000000,00000000,00000000,00000000,00000000,00430024,00430024,00000000), ref: 004088D4
Part of subcall function 00408683: HttpAddRequestHeadersW.WININET(?,00000000,00000000,?), ref: 00408936

Strings

&env=, xrefs: 00404EBA, 00404EBF
&soft=, xrefs: 00404E79, 00404E7E
&er=1, xrefs: 00404F09, 00404F0E
&ref=, xrefs: 00404FE3, 00404FE8
&proc=, xrefs: 00404E38, 00404E3D

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$Internet$ByteCharCreateCriticalErrorHttpLastMultiOpenProcess32RequestSectionWide$CloseConnectCountCurrentEnterExistsFileFirstHandleHeadersLeaveNextObjectOptionPathProcessSingleSnapshotThreadTickToolhelp32Waitwcslen
String ID: &env=$&er=1$&proc=$&ref=$&soft=
API String ID: 2836524744-2666957756
Opcode ID: 8b9e864f6b8440a422e835446f3ca6957ada43615bbe1f2e44edacd14fbf2a0a
Instruction ID: cd10d1e333f84532abc327abded1a4e38b940fbd6fc88dc9f114c5da659bfbdd
Opcode Fuzzy Hash: 8b9e864f6b8440a422e835446f3ca6957ada43615bbe1f2e44edacd14fbf2a0a
Instruction Fuzzy Hash: F24108BA5003007AE5407BB2AD87EBE36ADDFD4719B50C83FB440B51A2DD3D89D1662E

Uniqueness

Uniqueness Score: -1.00%

Function 004020FB, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00402156
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,00020019,?), ref: 00402192
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 004021EE
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 0040229F
RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,00020019,?), ref: 004022ED

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004020FB

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1586453840-3176450862
Opcode ID: 6c9580eb88d2f1b345745aa3c4a728e94441160c3cb641defe0415a1676366de
Instruction ID: 23c924af39f916994596fa9df9482e0d540c5780d3637c3aa7157ccb99e762e3
Opcode Fuzzy Hash: 6c9580eb88d2f1b345745aa3c4a728e94441160c3cb641defe0415a1676366de
Instruction Fuzzy Hash: DA517D72108300AED701EF51CD85B6FBBE9EB98318F10883EF184A51E1D679DD959B2B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D640, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138memoryfileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00001000,00430D24,004338DC), ref: 0040D650
ReadFile.KERNEL32(?,000007FF,00000002,?,00000000), ref: 0040D6BD
HeapReAlloc.KERNEL32(00000008,?,00000000), ref: 0040D714
ReadFile.KERNEL32(?,000007FF,00000002,?,00000000), ref: 0040D791

Part of subcall function 0040D390: memcpy.MSVCRT ref: 0040D3D7

SetFilePointer.KERNEL32(?,000000FE,?,00000001), ref: 0040D7C6

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040D66D

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: File$AllocHeapRead$Pointermemcpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 90066635-3176450862
Opcode ID: ff82b2b37c71b620f9bd45e4bd4cfe982f1a38d801607e27e665c5271512a94e
Instruction ID: b10e450864e0f07a927103a4a7e8d44a32e8943feeaaec03f904f78881a89d72
Opcode Fuzzy Hash: ff82b2b37c71b620f9bd45e4bd4cfe982f1a38d801607e27e665c5271512a94e
Instruction Fuzzy Hash: 94418D759043029FD724EF58C845B6BB7E4EB84310F404A2EF895A72D1D778888ECB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134memoryfileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0040D4C8
ReadFile.KERNEL32(?,?,00000001,?,00000000,00000000,00001000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000), ref: 0040D527
HeapReAlloc.KERNEL32(00000008,?,?), ref: 0040D56D
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040D5DE

Part of subcall function 0040D390: memcpy.MSVCRT ref: 0040D3D7

SetFilePointer.KERNEL32(?,000000FF,?,00000001), ref: 0040D611

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040D4E5

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: File$AllocHeapRead$Pointermemcpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 90066635-3176450862
Opcode ID: 7086492cf1892e17745e9fa85beb9d8f72ef5bfb658d6778648d5717f8417940
Instruction ID: 0257778187a983b746f26efc7778f6c5f6cb4b1d6e68d3976ba57411af2562b0
Opcode Fuzzy Hash: 7086492cf1892e17745e9fa85beb9d8f72ef5bfb658d6778648d5717f8417940
Instruction Fuzzy Hash: 8F41BF74908301AFD714DF58C840B6BBBE4EB88314F54493AF984A62D1D3B9D98DCB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D390, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040D3D7

Part of subcall function 0040CA80: WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,0040D34E,?), ref: 0040CAA7

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040D425

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FileWritememcpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 4212128793-3176450862
Opcode ID: a680476142aadcedf96089f29330afbb44f866e065024c2314c34561267240e0
Instruction ID: 604ca519519078a20c106cbc031b6c2955c52e3ed9db635ae069167e3b6451e0
Opcode Fuzzy Hash: a680476142aadcedf96089f29330afbb44f866e065024c2314c34561267240e0
Instruction Fuzzy Hash: 3B3151766007009FC310DF69E884D5BB7E4EFD4355F04843EF64697651C735A818CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3E9, Relevance: 10.6, APIs: 7, Instructions: 110memoryfileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002000), ref: 0040B41B
HeapReAlloc.KERNEL32(00000008,00000000,00000000), ref: 0040B447
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0040B47D
HeapAlloc.KERNEL32(00000000,00001000), ref: 0040B4A1
HeapReAlloc.KERNEL32(00000008,00000000,00001000), ref: 0040B4CC
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040B4FC
HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 0040B527

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$Alloc$FileRead$Free
String ID:
API String ID: 313634878-0
Opcode ID: 49a273a2fbc72ee78493fe5fc313325230be89da784bccd384b040df613edda4
Instruction ID: d74077c3dccb0411af24ea0c992bd4fba55b85ec084ea6112605becf6dbda7eb
Opcode Fuzzy Hash: 49a273a2fbc72ee78493fe5fc313325230be89da784bccd384b040df613edda4
Instruction Fuzzy Hash: 2731F630104301BAE721AF14DD45B677BE8EF88396F44093AF981E12A2D3799D45C7EE

Uniqueness

Uniqueness Score: -1.00%

Function 00417560, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

CharLowerW.USER32(://,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00000001,00000020,00000000,00000000,?,00000000), ref: 00417586
CharLowerW.USER32(00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00000001,00000020,00000000,00000000,?,00000000), ref: 004175C0
CharLowerW.USER32(?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00000001,00000020,00000000,00000000,?,00000000), ref: 004175EF
CharLowerW.USER32(?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00000001,00000020,00000000,00000000,?,00000000), ref: 004175F5

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00417564
://, xrefs: 00417585

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CharLower
String ID: ://$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1615517891-740708298
Opcode ID: f4689b3ee5d095cabfab1703e997065afb5c7fce1c32e2b2be06053163b71d4b
Instruction ID: 084c16a66c849ce4fca715c936a354e24890b302862ae0a6bad428861d8d54c9
Opcode Fuzzy Hash: f4689b3ee5d095cabfab1703e997065afb5c7fce1c32e2b2be06053163b71d4b
Instruction Fuzzy Hash: EE21F376A083058BC710AF5D98405BBB7B0FF847A1F49056AED8893300E638EE45DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00413800, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

fseek.MSVCRT ref: 00413814
ftell.MSVCRT ref: 0041381C
fseek.MSVCRT ref: 0041382A
HeapAlloc.KERNEL32(00000000,00000000), ref: 00413844
fread.MSVCRT ref: 00413858
fread.MSVCRT ref: 0041389B
HeapFree.KERNEL32(00000000,?), ref: 004138DB

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heapfreadfseek$AllocFreeftell
String ID:
API String ID: 1109645428-0
Opcode ID: b5d1c404307008722dce6354acf4bab98ba5db22b678ed754315a30897d95242
Instruction ID: d8dcd5c0fe382b30f642068d4789b420bd7b8f142926d17b473ca410bbbff52b
Opcode Fuzzy Hash: b5d1c404307008722dce6354acf4bab98ba5db22b678ed754315a30897d95242
Instruction Fuzzy Hash: 9E21BD71A00B00AFDB31AF15CC41B92B3F0FB44712F10492EF545A36A0E3B9E9D49B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405A53, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

LoadLibraryW.KERNEL32(.dll,00000000,00000000,00000000,00000000,?,004012CA,00433874,\ref.conf,02A804F8,00000000,installation,antis,00000000,00000000,00433880), ref: 00405AF1

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

Strings

vboxmrxnp, xrefs: 00405A67
SbieDll, xrefs: 00405A81
pthreadVC, xrefs: 00405AB5
vmGuestLib, xrefs: 00405A9B
.dll, xrefs: 00405ADE, 00405AE3

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FreeHeapLibraryLoadValue
String ID: .dll$SbieDll$pthreadVC$vboxmrxnp$vmGuestLib
API String ID: 671220262-1336096769
Opcode ID: 94328756cd8523f7bef57009d2dbdc5007e78e239842ba8846e401f586356074
Instruction ID: aa2b340956360de76597681a5f4e8b04b19ef0628b8e3fa18d1737790e01e208
Opcode Fuzzy Hash: 94328756cd8523f7bef57009d2dbdc5007e78e239842ba8846e401f586356074
Instruction Fuzzy Hash: 5A118C74318300AAD700BA61C8C297FB3A5DF94308F20CE3FB0855A582DA3C9D959E2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAC1, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040BACB
strstr.MSVCRT ref: 0040BAE4
strstr.MSVCRT ref: 0040BAF1
strstr.MSVCRT ref: 0040BB0E
strstr.MSVCRT ref: 0040BB19
strlen.MSVCRT ref: 0040BB37

Strings

://, xrefs: 0040BAC2

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strstr$strlen
String ID: ://
API String ID: 1600229599-1869659232
Opcode ID: 8755d747628641fc4eaeb87bb3ae8a7b7afd39ea878b54986d3951a4eadcd0f7
Instruction ID: 9cd49c2b000f72edf8b78726718344312d50be720e9eb3a9c172630c8c6f5ac4
Opcode Fuzzy Hash: 8755d747628641fc4eaeb87bb3ae8a7b7afd39ea878b54986d3951a4eadcd0f7
Instruction Fuzzy Hash: 2C01B537604B252BD72665256C41E6BA2A9EE85760776043BFA04B37C4EF3CED0241ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA1A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 0040AA33
EnterCriticalSection.KERNEL32(00434190,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040AA45
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000), ref: 0040AA5C
CloseHandle.KERNEL32(00000008,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040AA68

Part of subcall function 004184AD: HeapFree.KERNEL32(00000000,-00000008,0040A9AD,00433914,00000008,?,?,00401C40,00401C26,00000000,00430024,00000002,installation,melt,00000000,00000000), ref: 004184E6

LeaveCriticalSection.KERNEL32(00434190,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,?,00404F65,00000000,00000000,&er=1,00000000,00000000,00000000,&env=,00000000,00000000,00000000), ref: 0040AAAB

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040AA1B

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3708593966-3176450862
Opcode ID: f29892adba61d6632501d582b0dd8544b23aa32e8770617dcb23fdaec087b04f
Instruction ID: 65ed5098b9e5cd2c6e6978fcabe992e980075ef59320fe1a943a06d220993a97
Opcode Fuzzy Hash: f29892adba61d6632501d582b0dd8544b23aa32e8770617dcb23fdaec087b04f
Instruction Fuzzy Hash: EE11A772200211AFD714AF55ED04E67BBA8EF48751720512BF81497290EBB45D91CE99

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA1C, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040BA26
strstr.MSVCRT ref: 0040BA3F
strstr.MSVCRT ref: 0040BA4C
strstr.MSVCRT ref: 0040BA69
strstr.MSVCRT ref: 0040BA79
strlen.MSVCRT ref: 0040BA87

Strings

://, xrefs: 0040BA1D

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strstr$strlen
String ID: ://
API String ID: 1600229599-1869659232
Opcode ID: 5327235400316155df61653ff2e2c1186778f6510a2fef410859c32df4bd3241
Instruction ID: f53babc7fef0ff7b45b3fff066183071ce2d12eaf28ca6a23346491e3e80fd36
Opcode Fuzzy Hash: 5327235400316155df61653ff2e2c1186778f6510a2fef410859c32df4bd3241
Instruction Fuzzy Hash: 4301F773B05B312AD72A55256C81E5B52C8DE45764722003FF905B32C0EF3C9D0209DD

Uniqueness

Uniqueness Score: -1.00%

Function 004182C1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00434134,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?), ref: 004182D5
LeaveCriticalSection.KERNEL32(00434134,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000,?,FFFFFFFF,?,?,00000000), ref: 0041832A

Part of subcall function 004182C1: HeapFree.KERNEL32(00000000,?,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000,?,FFFFFFFF,?,?), ref: 00418323

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?), ref: 00418343
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1), ref: 00418352

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004182CE

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3171405041-3176450862
Opcode ID: a1d6ff9b9420ca61bb49accdd957426d605d4ddadb4ece1a1d052ab279f64fda
Instruction ID: 19010fbf9cb8ba23d2b8811f4ded92570abf09322a556f0702dac86d86cc8bb6
Opcode Fuzzy Hash: a1d6ff9b9420ca61bb49accdd957426d605d4ddadb4ece1a1d052ab279f64fda
Instruction Fuzzy Hash: 44116D31101A05DFC728AF15E948B9BBBF4FF54702F18442EE95683220CB79A881CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412070, Relevance: 10.5, APIs: 7, Instructions: 40windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00412082
SelectObject.GDI32(00000000,?), ref: 00412095
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004120B7
DeleteDC.GDI32(00000000), ref: 004120BE
DeleteDC.GDI32(?), ref: 004120CB
DeleteObject.GDI32(?), ref: 004120DC
GdiSetBatchLimit.GDI32(?), ref: 004120E8

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Delete$Object$BatchCompatibleCreateLimitSelect
String ID:
API String ID: 408043411-0
Opcode ID: 7eb654bf28427414ab8bae5166c87a1fb384f2d45649617488611fbf3eb0212c
Instruction ID: 645af82c45e2f8310a057cc87378489cec180b6db861871d1b92f4a1a251744e
Opcode Fuzzy Hash: 7eb654bf28427414ab8bae5166c87a1fb384f2d45649617488611fbf3eb0212c
Instruction Fuzzy Hash: 3401FB72201604EFC7221B61EE08FE7BEA9FF89341F05542AF29A81120CB766460EB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB00, Relevance: 9.2, APIs: 6, Instructions: 157filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?), ref: 0040CB71
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?), ref: 0040CBB2
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0040CBFC
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000), ref: 0040CC1E
HeapAlloc.KERNEL32(00000000,00001000,?), ref: 0040CC57
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040CCAA

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: 794090ebd384d7f14941866f14c70bd05677a27e7f71147f131c1db57209f8af
Instruction ID: 287d703d32fe690a8e16c76b5cbdd554604a44036c2df8f946676b3293783a9d
Opcode Fuzzy Hash: 794090ebd384d7f14941866f14c70bd05677a27e7f71147f131c1db57209f8af
Instruction Fuzzy Hash: 7F51B4B1608300ABE3208F25ED85B277AE5EB44764F200A3AF955B73E0D7B9E8458759

Uniqueness

Uniqueness Score: -1.00%

Function 00419160, Relevance: 9.1, APIs: 7, Instructions: 375COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041927A

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 146266741ae6cd853a77c5024080cb58a96640ee573b4baa164e31b08e97ba08
Instruction ID: 7c9037d25d1962fb33e1b697db64366df65fb2d8c234d9406baaa4b4850b8cd7
Opcode Fuzzy Hash: 146266741ae6cd853a77c5024080cb58a96640ee573b4baa164e31b08e97ba08
Instruction Fuzzy Hash: DED18C716047059FC724DF69C8909ABB7E1FF88314B28892EE89A87701D779FC85CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00418194, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00434134,0043412C,h4AC,00000000,?,?,77E34620,0040BFB1,?,00000010,00010000,00000004,?), ref: 004181D5
HeapAlloc.KERNEL32(00000000,00000018), ref: 0041820C
LeaveCriticalSection.KERNEL32(00434134), ref: 00418265
HeapAlloc.KERNEL32(00000000,00000038,00000000,?,?,77E34620,0040BFB1,?,00000010,00010000,00000004,?), ref: 00418276
InitializeCriticalSection.KERNEL32(00000020), ref: 004182B2

Strings

h4AC, xrefs: 004181C1

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CriticalSection$AllocHeap$EnterInitializeLeave
String ID: h4AC
API String ID: 2544007295-4194509778
Opcode ID: fc52d2f7b9a0e020f6a7a9f069f50c8eb770e6d8954a95e5d94db27be9662ebb
Instruction ID: 9e9369f791690ab54b645ae2d84d8fadd2d3635a321b3f052cbe72292077839e
Opcode Fuzzy Hash: fc52d2f7b9a0e020f6a7a9f069f50c8eb770e6d8954a95e5d94db27be9662ebb
Instruction Fuzzy Hash: C831E272601B069FC721CF59D848A97BBF0FB84751F18466FE88597310DB78E881CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00420EEA, Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00420F30
GetTextExtentPoint32W.GDI32(?,?,00000000,?), ref: 00420F3E
GetStockObject.GDI32(00000004), ref: 00420F6C
FillRect.USER32(?,?,00000000), ref: 00420F7E
wcslen.MSVCRT ref: 00420FA5
TextOutW.GDI32(?,00000000,00000000,?,00000000), ref: 00420FB6

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Textwcslen$ExtentFillObjectPoint32RectStock
String ID:
API String ID: 936965569-0
Opcode ID: ac283097ffb213dc85b768b67bc323809a8fb40e50309105418e5999bb69746f
Instruction ID: 997df7aa2b5b2257af776fe704ff3f1510b3b6ef6a6a81a6db400470fb68605d
Opcode Fuzzy Hash: ac283097ffb213dc85b768b67bc323809a8fb40e50309105418e5999bb69746f
Instruction Fuzzy Hash: 49314A71204701AFD721DF29DD44AABB7E8FF88704F41082EF599C2261E7B4E844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004216BC, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

_atan2f.LIBCMT ref: 004216D5

Part of subcall function 00421799: fmod.MSVCRT ref: 004217AC

SelectObject.GDI32(?,?), ref: 00421702
GetObjectW.GDI32(?,0000005C,?,?), ref: 0042171B
DeleteObject.GDI32(?), ref: 00421749
CreateFontIndirectW.GDI32(?), ref: 00421753
SelectObject.GDI32(?,00000000), ref: 00421767

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$Select$CreateDeleteFontIndirect_atan2ffmod
String ID:
API String ID: 1891428117-0
Opcode ID: 4dd1f7aac9f086462723607c261486d3041e3b118eeda5caf935c96eb2849626
Instruction ID: 5db56162e49b22d30abcc26634b764df94c95182ef9f4b32226d482238023057
Opcode Fuzzy Hash: 4dd1f7aac9f086462723607c261486d3041e3b118eeda5caf935c96eb2849626
Instruction Fuzzy Hash: 9021A2B0A01759DFDB109FA0ED4CAEB7FB8FF84311F50487AE856A6160DB349821CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00411C88, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetObjectType.GDI32(00000000), ref: 00411CD1
DeleteObject.GDI32(00000000), ref: 00411CDE

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$DeleteType
String ID:
API String ID: 1880294369-0
Opcode ID: 05016fb70f9bb151aa73d083722e38705d2fac40da92da85ffc6a5a57b2ffec2
Instruction ID: cee4bee1cdb563a57488dc97cbd1fa94efa7d076e46b1f820e9b5d47e4575ab9
Opcode Fuzzy Hash: 05016fb70f9bb151aa73d083722e38705d2fac40da92da85ffc6a5a57b2ffec2
Instruction Fuzzy Hash: 7811A0B5105611EFCB221F60EE486AB7EB2FF80311B205A2AF24250070C77A5CD1EB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB4C, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040BB59
strstr.MSVCRT ref: 0040BB71
strstr.MSVCRT ref: 0040BB7E
strstr.MSVCRT ref: 0040BB9C

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040BB66
://, xrefs: 0040BB4E

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strstr
String ID: ://$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1392478783-740708298
Opcode ID: 3c316bf7e960b257c30a0fc10dde0313564711ea264348df36b4f3bec94b4657
Instruction ID: 457b88b3bffdcc1c46247ab3063a861ea074ddf2ace89d699709526af7964219
Opcode Fuzzy Hash: 3c316bf7e960b257c30a0fc10dde0313564711ea264348df36b4f3bec94b4657
Instruction Fuzzy Hash: 4EF0D1327097252BCA3969196CD1D2B32A4DE89724B22047FF801767C5DFBD9D0106DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B95D, Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040B96A
strstr.MSVCRT ref: 0040B982
strstr.MSVCRT ref: 0040B98F
strstr.MSVCRT ref: 0040B9AB

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040B977
://, xrefs: 0040B95F

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strstr
String ID: ://$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1392478783-740708298
Opcode ID: 186a7dc2ec94cfe95b2df07d66f19cfa177a9606fec4381fd11b7f1eff6cd309
Instruction ID: 66e8118851eccd3037b595669a4bb100727363f62911f2429a9edfce30e43dbf
Opcode Fuzzy Hash: 186a7dc2ec94cfe95b2df07d66f19cfa177a9606fec4381fd11b7f1eff6cd309
Instruction Fuzzy Hash: 4BF0F6B274972926C6266925AC82F5F2389DE86724B26043FF900722C1EF7E8D0545DD

Uniqueness

Uniqueness Score: -1.00%

Function 004203D0, Relevance: 9.0, APIs: 6, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32(?), ref: 004203DA
CloseHandle.KERNEL32(?), ref: 004203E3
EnterCriticalSection.KERNEL32(00434170), ref: 004203EF
LeaveCriticalSection.KERNEL32(00434170), ref: 00420414
HeapFree.KERNEL32(00000000,?), ref: 00420432
HeapFree.KERNEL32(?,?), ref: 00420444

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: d6e3a218d48f6e14dded63591b0fd6c716f4fc6abd935872479a99d046c68521
Instruction ID: 2c31465e422d4553dfd882c223db886fa24cd90375f858dc5dfd14b10e6c88fe
Opcode Fuzzy Hash: d6e3a218d48f6e14dded63591b0fd6c716f4fc6abd935872479a99d046c68521
Instruction Fuzzy Hash: 08018C31301612AFCB18AF11ED88A1ABFF8FF49312314953DF20683621C371AC12CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417340, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 0041740A
wcsncpy.MSVCRT ref: 00417460

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00417344

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocHeapwcsncpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 2304708654-3176450862
Opcode ID: b4e071cd1772d0abc4855a79c19f66107f2cbdcfbf221aaa4b7a00905f0a8280
Instruction ID: e98cb44a260608e4182e02c8ced9d4522559d51d906dfe8ed9a6999018797bec
Opcode Fuzzy Hash: b4e071cd1772d0abc4855a79c19f66107f2cbdcfbf221aaa4b7a00905f0a8280
Instruction Fuzzy Hash: 0C51E4345083059BC7249F28D8406ABBBF4FF84348F540A1EFC5597390E778EA95C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00417070, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 004188D0: TlsGetValue.KERNEL32(00000022,00001000,00000000,00000000), ref: 004188DC
Part of subcall function 004188D0: RtlReAllocateHeap.NTDLL(02A80000,00000000,?,?), ref: 00418937

_isnan.MSVCRT ref: 00417113

Strings

%%.%df, xrefs: 004171A4
-Infinity, xrefs: 004170D4
NaN, xrefs: 0041711F
+Infinity, xrefs: 00417097

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocateHeapValue_isnan
String ID: %%.%df$+Infinity$-Infinity$NaN
API String ID: 2412093236-1490034909
Opcode ID: d7b139aa5b844761cc268f01ec11fe0a5f66cf6737c467e30edefb91cc8381f6
Instruction ID: de77808571c42264773c6ac9b2fbd13e8e813b6b5c8ed4380cf91e5ff9d991e3
Opcode Fuzzy Hash: d7b139aa5b844761cc268f01ec11fe0a5f66cf6737c467e30edefb91cc8381f6
Instruction Fuzzy Hash: E941677561820145CB18A638C8157F772B0EF80358F55456FE986DB3C1FB3D89C682AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D800, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120memoryfileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0040D818
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,00000000,00001000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000), ref: 0040D891
ReadFile.KERNEL32(?,00001000,00000001,?,00000000,?,00000000,00000000,00001000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000), ref: 0040D8F9

Part of subcall function 0040D390: memcpy.MSVCRT ref: 0040D3D7

SetFilePointer.KERNEL32(?,?,?,000000FF,?,00000001), ref: 0040D92D

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040D835

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocFileHeap$PointerReadmemcpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3421085004-3176450862
Opcode ID: 074115ea11e0b427c3c517fea541aaaaaf869a13e32407ce3aaba481758b7403
Instruction ID: e4f1d5556fb928c12640f93b328587f0ceb042ce7165f1c1576916950bd281f7
Opcode Fuzzy Hash: 074115ea11e0b427c3c517fea541aaaaaf869a13e32407ce3aaba481758b7403
Instruction Fuzzy Hash: 2D418171A08341AFD711DF58C804B6BB7E4EF88320F54863AF9A5A23D1D378D94D8B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00420630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,0040BBE4,00000000), ref: 00420661
malloc.MSVCRT ref: 00420671
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000), ref: 0042068B
malloc.MSVCRT ref: 004206A0

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00420631

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 2735977093-3176450862
Opcode ID: 28630af12029844732587fc1ca7a6ee525355a27aa7019c0b227d08c4ccccc88
Instruction ID: f4b3866a816ce089b5947586675732e6ce367cc0bb439e8c3c5ba19d5e3088ee
Opcode Fuzzy Hash: 28630af12029844732587fc1ca7a6ee525355a27aa7019c0b227d08c4ccccc88
Instruction Fuzzy Hash: D401647734031877E3204684AC02FB7379CCBC5B55F19007AFB055E2C1DAA3A8108279

Uniqueness

Uniqueness Score: -1.00%

Function 004206D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,0040F178,00000000), ref: 00420704
malloc.MSVCRT ref: 00420714
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 00420731
malloc.MSVCRT ref: 00420746

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004206D1

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 2735977093-3176450862
Opcode ID: 4e6c7f4fe451c67c1e8009194e563fc1c50adab8e19c291f6d61bd2852b63332
Instruction ID: 990851a164917dcec1a9a8c30d1f161f41bf450f97a8fe1959177edd6c8dde5a
Opcode Fuzzy Hash: 4e6c7f4fe451c67c1e8009194e563fc1c50adab8e19c291f6d61bd2852b63332
Instruction Fuzzy Hash: A601647B34131177E3206655AC42FB737ACCBC5B59F19007AFB015E2C1C6A3A800C679

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD6F, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 111memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BD8C

Part of subcall function 00420630: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,0040BBE4,00000000), ref: 00420661
Part of subcall function 00420630: malloc.MSVCRT ref: 00420671
Part of subcall function 00420630: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000), ref: 0042068B

Part of subcall function 00420620: ??3@YAXPAX@Z.MSVCRT ref: 00420624

strlen.MSVCRT ref: 0040BE4A
HeapAlloc.KERNEL32(00000000,00000001,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,0040BEF9,00000000,00000002,00000000,0040895B,?,00000000,00000000), ref: 0040BE5D
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,0040BEF9,00000000,00000002,00000000,0040895B,?,00000000,00000000), ref: 0040BEBE

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040BD6F

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharHeapMultiWide$??3@AllocFreemallocmemsetstrlen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1922441055-3176450862
Opcode ID: a7949d3c7374cccf97a303ebfc1442db897773fb78bc4bc4e2a8b196ac99322e
Instruction ID: d77bd93ffdbe98b8aaae46f08a288c859705130d0c9c5f6cda46591a52929e92
Opcode Fuzzy Hash: a7949d3c7374cccf97a303ebfc1442db897773fb78bc4bc4e2a8b196ac99322e
Instruction Fuzzy Hash: F54138702056C0E9F3168F28DC047A23F91AF55319F18607EE5805A3E3C3FE498187AE

Uniqueness

Uniqueness Score: -1.00%

Function 00418820, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00418835
HeapAlloc.KERNEL32(02A80000,00000000,0000000A), ref: 00418859
HeapReAlloc.KERNEL32(02A80000,00000000,00000000,0000000A), ref: 0041887D
HeapFree.KERNEL32(02A80000,00000000,00000000,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,0040A04F,?,ABCDEF0123456789,00407B15,00000001,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188B4

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00418820

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$Alloc$Freewcslen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 2479713791-3176450862
Opcode ID: d91023e457b6647fce4757e07e3148700fd969f97ad8b2eea91240fdf247e20b
Instruction ID: c0afb1a15f72de34bd64a205038330ddf41e67d19a3b23b7f99008c7e74f6415
Opcode Fuzzy Hash: d91023e457b6647fce4757e07e3148700fd969f97ad8b2eea91240fdf247e20b
Instruction Fuzzy Hash: A6210B74A04209EFDB08DF94D994FAAB7B9FB48354F1081A9F9098B340D775EA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00418058, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00418339,00000000,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?), ref: 0041806A
HeapFree.KERNEL32(00000000,?,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00418339,00000000,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21), ref: 00418081
HeapFree.KERNEL32(00000000,?,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00418339,00000000,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21), ref: 0041809D
LeaveCriticalSection.KERNEL32(?,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00418339,00000000,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?), ref: 004180BA

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00418058

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1298188129-3176450862
Opcode ID: 8298402a71231ff66aec90ad3fa0ceba738a7e07d5f705bb74bf9a5afe216a01
Instruction ID: 704e1c12c3f959d1d7dbbc09bb1394a3284ccf85f589cfc2c2b50e3b05a4a768
Opcode Fuzzy Hash: 8298402a71231ff66aec90ad3fa0ceba738a7e07d5f705bb74bf9a5afe216a01
Instruction Fuzzy Hash: 4F017C76A0061EEBC7149F55DD04963BBACFB08791306022EA904C3610CB31E8A4CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9CA, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 0040B9D4
strstr.MSVCRT ref: 0040B9EA
strstr.MSVCRT ref: 0040B9FE
strlen.MSVCRT ref: 0040BA0A

Strings

://, xrefs: 0040B9CB

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: strstr$strlen
String ID: ://
API String ID: 1600229599-1869659232
Opcode ID: fc335dbf6f4f73445ddf8089ea3ac1b63498fd613cf3bf87e8f8762eb244d875
Instruction ID: 93ba1f561194dc4fd83d3bf3a3312234015b039d5ef331d6952857c7b9e9935c
Opcode Fuzzy Hash: fc335dbf6f4f73445ddf8089ea3ac1b63498fd613cf3bf87e8f8762eb244d875
Instruction Fuzzy Hash: 35E03036B09B312AD2295565BC42E4B5794EA45B74B21492FF804B67C0EA3C9C024ACD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B208, Relevance: 7.5, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00403DEE,00000000,00000000,wmic, /FORMAT:List,004338DC, get ,00000000,00000007,004338DC,00000000,00430024,0000000E), ref: 0040B216
CloseHandle.KERNEL32(?,?,?,00403DEE,00000000,00000000,wmic, /FORMAT:List,004338DC, get ,00000000,00000007,004338DC,00000000,00430024,0000000E), ref: 0040B221
CloseHandle.KERNEL32(?,?,?,00403DEE,00000000,00000000,wmic, /FORMAT:List,004338DC, get ,00000000,00000007,004338DC,00000000,00430024,0000000E), ref: 0040B22C
CloseHandle.KERNEL32(?,?,?,00403DEE,00000000,00000000,wmic, /FORMAT:List,004338DC, get ,00000000,00000007,004338DC,00000000,00430024,0000000E), ref: 0040B237
EnterCriticalSection.KERNEL32(004341B8,?,?,00403DEE,00000000,00000000,wmic, /FORMAT:List,004338DC, get ,00000000,00000007,004338DC,00000000,00430024,0000000E), ref: 0040B23F
LeaveCriticalSection.KERNEL32(004341B8,?,?,00403DEE,00000000,00000000,wmic, /FORMAT:List,004338DC, get ,00000000,00000007,004338DC,00000000,00430024,0000000E), ref: 0040B253

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CloseHandle$CriticalSection$EnterLeave
String ID:
API String ID: 10009202-0
Opcode ID: 8d0b667200de551d9d601715a835257667999377c8bcea5d45c4e7db0e80d622
Instruction ID: 58bab87571f8a7adf22744d209e2c3736f371e4e35ac808e4962eb905e504322
Opcode Fuzzy Hash: 8d0b667200de551d9d601715a835257667999377c8bcea5d45c4e7db0e80d622
Instruction Fuzzy Hash: A0F05432000601EBC72A7F15EC08BABB7E5EF94361F15893EE055510B087B86886DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B600, Relevance: 7.5, APIs: 5, Instructions: 21memorythreadCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(0040B74B,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00407B37,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00000000,004072B4,0000000C), ref: 0040B609
HeapAlloc.KERNEL32(00000000,00000090,74786580,0040B74B,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00407B37,00000001,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0040B62C
TlsSetValue.KERNEL32(00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00407B37,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00000000,004072B4,0000000C), ref: 0040B639
GetCurrentThreadId.KERNEL32 ref: 0040B63F
GetTickCount.KERNEL32 ref: 0040B647

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Alloc$CountCurrentHeapThreadTickValue
String ID:
API String ID: 2417412593-0
Opcode ID: 9be7f52909bc8a29f2b41f49fde044e1e4e4ba8de77024330408803f1210213c
Instruction ID: e17548aa91f972a2254ef31a49f3085a23ab91ff7a8570beac815e9b82d9ecd2
Opcode Fuzzy Hash: 9be7f52909bc8a29f2b41f49fde044e1e4e4ba8de77024330408803f1210213c
Instruction Fuzzy Hash: 90E052B1401658EFDB14BF60FE09B657AE4EB48716F052635F801D52B0C7B909858B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040738A, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040739F
PathFileExistsW.SHLWAPI(?,00000001,00000000,00000000,?,?,?,0043012E,00000004,00000001,00000008,00430D10,?,00000000,00000000,00000000), ref: 00407519

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

Part of subcall function 004167D0: _wcsncoll.MSVCRT ref: 00416833
Part of subcall function 004167D0: memmove.MSVCRT ref: 004168C1
Part of subcall function 004167D0: wcsncpy.MSVCRT ref: 004168D9

Part of subcall function 004185B0: HeapReAlloc.KERNEL32(02A80000,00000000,?,?), ref: 0041860C

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 004186A0: TlsGetValue.KERNEL32(00000022,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404B45,00000001,00000001,00000006,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004186AA

Part of subcall function 0040A212: TlsGetValue.KERNEL32(00000000,0040111B,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000,0043383C,00000000,00000000,00000000,0000000C), ref: 0040A219

Part of subcall function 00408683: InternetOpenW.WININET(00000000,00000001,00430024,00430024,00000000), ref: 004087AB
Part of subcall function 00408683: InternetSetOptionW.WININET(00000000,00000002,000003E8,00000004), ref: 004087C7

Part of subcall function 00408683: InternetConnectW.WININET(00000000,00000000,00000000,00430024,00430024,00000003,00000000,00000000), ref: 00408877
Part of subcall function 00408683: HttpOpenRequestW.WININET(00000000,00000000,00000000,00000000,00000000,00430024,00430024,00000000), ref: 004088D4
Part of subcall function 00408683: HttpAddRequestHeadersW.WININET(?,00000000,00000000,?), ref: 00408936

Strings

?prf=1, xrefs: 004075A2, 004075A7
&bc=, xrefs: 00407422, 00407427

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$Internet$ErrorExistsFileHeapHttpLastOpenPathRequest$AllocAllocateConnectHeadersOption_wcsncollmemmovewcslenwcsncpy
String ID: &bc=$?prf=1
API String ID: 3838261891-718013633
Opcode ID: 5c2105a1db9c05ee78b19dc8fb3a6b2f6f2924e686be54ab30b3610594193cbf
Instruction ID: 136c6bcb7b3fdd978dd739e794595f8712a02167c63226c769ced1a24834e022
Opcode Fuzzy Hash: 5c2105a1db9c05ee78b19dc8fb3a6b2f6f2924e686be54ab30b3610594193cbf
Instruction Fuzzy Hash: A95162B55043017BD600BF61DC82E6F76EAEB84708F108C3EB544A51A2DA3DDD85972E

Uniqueness

Uniqueness Score: -1.00%

Function 00417970, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,-00000400,00408997,00000000,?,FFFFFFFF), ref: 004179DE
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,-00000400,00408997,00000000,?,FFFFFFFF), ref: 00417A0E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,-00000400,00408997,00000000,?,FFFFFFFF), ref: 00417A23

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00417975

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 626452242-3176450862
Opcode ID: 73f52a8bba5e60f559d4018ae96e36a316d1539bd508eccb86cb0731838b6358
Instruction ID: 9b1de5452ca8d69f68347f153090abba6648ada4c3b91980cb872940dea89594
Opcode Fuzzy Hash: 73f52a8bba5e60f559d4018ae96e36a316d1539bd508eccb86cb0731838b6358
Instruction Fuzzy Hash: 9D3126367483056AE7308A698C81FBB73B9DFD4B50F20441BFA405F3C0EAB56D458229

Uniqueness

Uniqueness Score: -1.00%

Function 004167D0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_wcsncoll.MSVCRT ref: 00416833
memmove.MSVCRT ref: 004168C1
wcsncpy.MSVCRT ref: 004168D9

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004167D5

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: _wcsncollmemmovewcsncpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 2558734708-3176450862
Opcode ID: e2c284a2c59b299eaf4ee511ff30d75b7021ea62174bfc68ac34a2f1a594b971
Instruction ID: 5774c2a71589d278255316321f3ac6f3064f5d93ebf46a40af74692c885d908c
Opcode Fuzzy Hash: e2c284a2c59b299eaf4ee511ff30d75b7021ea62174bfc68ac34a2f1a594b971
Instruction Fuzzy Hash: 1D31A2369053159BC720BF548880AFB73A5FF84384F16492FE8C557351EB68ED82C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00417E13: EnterCriticalSection.KERNEL32(00001020,00000000,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E), ref: 00417E1E
Part of subcall function 00417E13: LeaveCriticalSection.KERNEL32(00001020,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E,004338C8), ref: 00417E99

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000), ref: 0040CD23
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000005,00000000,00000000,?,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000), ref: 0040CD3F
HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E,004338C8,00000000), ref: 0040CD62

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040CCF0

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CreateCriticalFileSection$AllocEnterHeapLeave
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 49537883-3176450862
Opcode ID: 1c34f782a05ac56bf6410788316c331a96aab0ada6e89efa1cf56f22bd693a81
Instruction ID: cd39cbdd33df1d8f29d3cd003fd24e5ddc1ce8780a56f5fa6b8125932503c6df
Opcode Fuzzy Hash: 1c34f782a05ac56bf6410788316c331a96aab0ada6e89efa1cf56f22bd693a81
Instruction Fuzzy Hash: D2218E71200740ABD2305F1AAC88F17BEF8EFC5B60F11473AF565A26E0D67598558B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2B3, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00417C63: TlsGetValue.KERNEL32(?,0040B326,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000,00000000), ref: 00417C6A
Part of subcall function 00417C63: HeapAlloc.KERNEL32(00000008,00000000,?,0040B326,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=), ref: 00417C85
Part of subcall function 00417C63: TlsSetValue.KERNEL32(00000000,?,0040B326,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004057C5,00001000,00000000,00000000,00404EE2,00000000,00000000,00000000,&env=,00000000), ref: 00417C94

wcschr.MSVCRT ref: 0040B2D0
wcslen.MSVCRT ref: 0040B2E1
wcscpy.MSVCRT ref: 0040B302

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040B2B3

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$AllocHeapwcschrwcscpywcslen
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 2703276150-3176450862
Opcode ID: 2830058facb7e3753524095e2828f86d441b866023264cd3fe8054b513c27505
Instruction ID: 38b6ae4d63d667d9dbafe7c5a5129ea52d611c4ce83951e441f3a5b49696a6c8
Opcode Fuzzy Hash: 2830058facb7e3753524095e2828f86d441b866023264cd3fe8054b513c27505
Instruction Fuzzy Hash: CCF022370087007BD229AB66EC8AC6B7398DF84370311813FF504AB281EF399801839C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C735, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 0040C753
wcslen.MSVCRT ref: 0040C765
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040C7A5

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040C735

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 961886536-3176450862
Opcode ID: 7305a74c3504d862b0693f66dbc2e7e676aa5082e07282e2ac24c4bf3e44f99f
Instruction ID: 3ba95a8e9af320a23fcbf282ae6ba797452cbe2538eccb5bb49096544e0cffdf
Opcode Fuzzy Hash: 7305a74c3504d862b0693f66dbc2e7e676aa5082e07282e2ac24c4bf3e44f99f
Instruction Fuzzy Hash: 9C01A7B4400219DACB28DB64CCC9AAA73A8EF04300F2043BBE515E31D1E7388A94DF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB53, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004188D0: TlsGetValue.KERNEL32(00000022,00001000,00000000,00000000), ref: 004188DC
Part of subcall function 004188D0: RtlReAllocateHeap.NTDLL(02A80000,00000000,?,?), ref: 00418937

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401A80,00000000,00000000,00000000,00000000,00000006,00000000,00000000,00430236), ref: 0040AB6F
wcscmp.MSVCRT ref: 0040AB7D
memmove.MSVCRT ref: 0040AB95

Strings

\\?\, xrefs: 0040AB75, 0040AB8F

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocateFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 2309408642-4282027825
Opcode ID: a81e059373165dd1a03f766b15f40a16fe89045bfcc344d124597f16493a74d5
Instruction ID: 8c3411c3b14226c7e4b263ad9ce69aedf44cf3b3a7cec09574a5718fa21f4c5b
Opcode Fuzzy Hash: a81e059373165dd1a03f766b15f40a16fe89045bfcc344d124597f16493a74d5
Instruction Fuzzy Hash: 87F0E2B31003013AC20077769C89C6B7AACEB95374B50023FF515D2590EA29D82482B9

Uniqueness

Uniqueness Score: -1.00%

Function 004146E5, Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000450,?,?,?,?,?,?), ref: 00414704
HeapAlloc.KERNEL32(00000000,?), ref: 00414767
memcpy.MSVCRT ref: 004147D2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004147FA
HeapFree.KERNEL32(00000000,00000000), ref: 0041488E

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$Alloc$Freememcpy
String ID:
API String ID: 2973548000-0
Opcode ID: 21604710463d8e599cdd61330dda8d1fa7ab9989177b0e0bb27bda841b6fa119
Instruction ID: acc546f1e3a6ca03d6c5b43bdacddd43cfe1f47c8e07581174647a9f369c0157
Opcode Fuzzy Hash: 21604710463d8e599cdd61330dda8d1fa7ab9989177b0e0bb27bda841b6fa119
Instruction Fuzzy Hash: 4951DF746047419FD324EF28C880A67BBF4FF89354F044A2EF495963A1D374E985CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F31, Relevance: 6.1, APIs: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

RegOpenKeyExW.ADVAPI32(00000000,00001000,00000000,00001000,00001000,00001000,00000001,00000000,00000000,00001000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00402068
RegCloseKey.ADVAPI32(00000000,00000000,00001000,00000000,00001000,00001000,00001000,00000001,00000000,00000000,00001000,00000001,00000000,00000000,00000000,00000000), ref: 00402083
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000000,00001000), ref: 004020C7
RegCloseKey.ADVAPI32(00001000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000000), ref: 004020D4

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Close$InfoOpenQueryValue
String ID:
API String ID: 4130832526-0
Opcode ID: 45a50ca21baa18b3d345847b8b8faf07d46b323eb7ebbf446c159730ffe67bca
Instruction ID: 0e9d086506c378460acc155e1f51a85814b58dfa23dc9ad1d8aba89365207148
Opcode Fuzzy Hash: 45a50ca21baa18b3d345847b8b8faf07d46b323eb7ebbf446c159730ffe67bca
Instruction Fuzzy Hash: EC412974108300BEE6117B61CD4AA7F76AAEBC4718F10C93FB184661E2DA7D8C91D62E

Uniqueness

Uniqueness Score: -1.00%

Function 00404914, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040497F

Part of subcall function 004187A0: HeapFree.KERNEL32(02A80000,00000000,00000000,?,00000000,?,0041FFFD,00000000,00000000,00000000), ref: 004187B8

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00404914
@C, xrefs: 00404A97
PC, xrefs: 00404AA9

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FreeHeapInitialize
String ID: @C$Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY$PC
API String ID: 166756831-1029251199
Opcode ID: deaa994a7fcb4ae4cab6a9f968cd89247e86013451127cbc1fa5669bb2610999
Instruction ID: 19cc3a0f44592c03131b753eaa9dc6896efcedf454b515a6778ad9df84cffc17
Opcode Fuzzy Hash: deaa994a7fcb4ae4cab6a9f968cd89247e86013451127cbc1fa5669bb2610999
Instruction Fuzzy Hash: 2F5108B1108201AFD700EF64D885E0BBBE8AF88314F14493DF599E7261DB39E9598B57

Uniqueness

Uniqueness Score: -1.00%

Function 0042117D, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetObjectType.GDI32(00000000), ref: 00421188
GetObjectW.GDI32(00000000,00000054,?), ref: 0042119E
GetObjectW.GDI32(00000000,00000018,?), ref: 0042120D
DeleteObject.GDI32(00000000), ref: 00421250

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Object$DeleteType
String ID:
API String ID: 1880294369-0
Opcode ID: 61ea1224b2f9a32b6189e9ed9a660db11ad70cc2f0fa5ef4d5a8c547dafb258f
Instruction ID: 1218b1f38ce59c05a6364bd0815929ebd11134acd2d9f38e5a34235b1284056a
Opcode Fuzzy Hash: 61ea1224b2f9a32b6189e9ed9a660db11ad70cc2f0fa5ef4d5a8c547dafb258f
Instruction Fuzzy Hash: BA218E31A01539FBCF229E90AC40DEF3B69AF29354F840246FA05B11A0C739CD619BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004121C3, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 004121CE
memset.MSVCRT ref: 004121E1
CreateDIBSection.GDI32(00000000,00000028,00000000,00000000,00000000,00000000), ref: 00412221
DeleteDC.GDI32(00000000), ref: 0041222A

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Create$CompatibleDeleteSectionmemset
String ID:
API String ID: 2003947935-0
Opcode ID: 42f5d1143b386d35c0d67154a89b1cb09a904d8fa7a10b69d25e21b3a1398081
Instruction ID: b9058a125b476e0bd9b5174dfe032ff59b179c194d773674dfcba8743e997c6f
Opcode Fuzzy Hash: 42f5d1143b386d35c0d67154a89b1cb09a904d8fa7a10b69d25e21b3a1398081
Instruction Fuzzy Hash: B6014075911228ABCB10DFA9ED09DDEB7BCEF49710F00401AF904E3250E6B4991487A9

Uniqueness

Uniqueness Score: -1.00%

Function 00412432, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004182C1: EnterCriticalSection.KERNEL32(00434134,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?), ref: 004182D5
Part of subcall function 004182C1: HeapFree.KERNEL32(00000000,?,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000,?,FFFFFFFF,?,?), ref: 00418323
Part of subcall function 004182C1: LeaveCriticalSection.KERNEL32(00434134,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000,?,FFFFFFFF,?,?,00000000), ref: 0041832A

HeapFree.KERNEL32(00000000,?,00000000,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000), ref: 00412470
HeapFree.KERNEL32(00000000,?,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000), ref: 00412489
HeapFree.KERNEL32(00000000,00000000,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000), ref: 00412493

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0041243C

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeave
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 177673914-3176450862
Opcode ID: 5e96d49670aed5afeab2948676332a60579a7723a950df61f7429b34146f08ba
Instruction ID: c23c06232ff69018985a420cdf63478be6713de22b319fbc30e07c1c694b4078
Opcode Fuzzy Hash: 5e96d49670aed5afeab2948676332a60579a7723a950df61f7429b34146f08ba
Instruction Fuzzy Hash: 40011D31100605BFD616AF19DE80D67BBF8FB49754705452AB40493620C776FCA1DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B560, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

floor.MSVCRT ref: 0040B574
floor.MSVCRT ref: 0040B5A1
ceil.MSVCRT ref: 0040B5D7

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: floor$ceil
String ID:
API String ID: 336488799-0
Opcode ID: 37631b848a6609e4ebe49b527d1d80fd1d2e7e0d54e8e1d4e55d37267a0c9bfd
Instruction ID: f85e8895866d771c11a413de973f46c973506992b1b38ec38b8edf60660cc283
Opcode Fuzzy Hash: 37631b848a6609e4ebe49b527d1d80fd1d2e7e0d54e8e1d4e55d37267a0c9bfd
Instruction Fuzzy Hash: D301E834908605EFCA107B10F84911EFFA0FF90724F95C8A9E4D821196DA35847CCB5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABB4, Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,0040AD9C,?), ref: 0040ABC3
GetCurrentProcess.KERNEL32(?,00000000,?,?,0040AD9C,?), ref: 0040ABCF
DuplicateHandle.KERNEL32(00000000,?,?,0040AD9C,?), ref: 0040ABD6
CloseHandle.KERNEL32(?,?,?,0040AD9C,?), ref: 0040ABE2

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicate
String ID:
API String ID: 1410216518-0
Opcode ID: 33c99e83e0009c6bcef4029bcc3ec2362cf96975f7eab3cffe9dcd820fa688a0
Instruction ID: 078a8b30389f9945110c720821267111a19b36a3759753f42c70faf59451e87b
Opcode Fuzzy Hash: 33c99e83e0009c6bcef4029bcc3ec2362cf96975f7eab3cffe9dcd820fa688a0
Instruction Fuzzy Hash: B3E06D35200209BFEB14AF95DD09F5ABBBCEF04710F100124F900D6260DBB1A910CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00418710, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

Part of subcall function 0042044E: TlsAlloc.KERNEL32(?,?,00418768,004186D0,00000000), ref: 0042045E
Part of subcall function 0042044E: InitializeCriticalSection.KERNEL32(00434170,?,?,00418768,004186D0,00000000), ref: 0042046A
Part of subcall function 0042044E: TlsGetValue.KERNEL32(?,?,00418768,004186D0,00000000), ref: 00420480
Part of subcall function 0042044E: HeapAlloc.KERNEL32(00000008,00000014,?,?,00418768,004186D0,00000000), ref: 0042049A
Part of subcall function 0042044E: EnterCriticalSection.KERNEL32(00434170,?,?,00418768,004186D0,00000000), ref: 004204AB
Part of subcall function 0042044E: LeaveCriticalSection.KERNEL32(00434170,?,?,?,00418768,004186D0,00000000), ref: 004204C7
Part of subcall function 0042044E: GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,00418768,004186D0,00000000), ref: 004204E0
Part of subcall function 0042044E: GetCurrentThread.KERNEL32 ref: 004204E3
Part of subcall function 0042044E: GetCurrentProcess.KERNEL32(00000000,?,?,?,00418768,004186D0,00000000), ref: 004204EA
Part of subcall function 0042044E: DuplicateHandle.KERNEL32(00000000,?,?,?,00418768,004186D0,00000000), ref: 004204ED
Part of subcall function 0042044E: RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,00420546,00000000,000000FF,00000008), ref: 00420503
Part of subcall function 0042044E: TlsSetValue.KERNEL32(00000000,?,?,?,00418768,004186D0,00000000), ref: 00420510
Part of subcall function 0042044E: HeapAlloc.KERNEL32(00000000,0000000C,?,?,00418768,004186D0,00000000), ref: 00420521

TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418741
TlsGetValue.KERNEL32(00000022), ref: 00418757

Part of subcall function 00418520: HeapCreate.KERNEL32(00000000,00001000,00000000,?,0040104E,00000000,00001000,00000000,00000000), ref: 0041852C
Part of subcall function 00418520: TlsAlloc.KERNEL32(?,0040104E,00000000,00001000,00000000,00000000), ref: 00418537

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 00418710

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$Alloc$CriticalCurrentHeapSection$Process$CreateDuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1511732703-3176450862
Opcode ID: af2310562c703aedf8dd3d98fa96ecd737ec24b75379dd452fbd8a4041e34835
Instruction ID: c09ea1a98049a414030a84ddb92d1143a438cec1236d9d198fda07a5ce27492c
Opcode Fuzzy Hash: af2310562c703aedf8dd3d98fa96ecd737ec24b75379dd452fbd8a4041e34835
Instruction Fuzzy Hash: B4E09271200201ABC208BBB1BF099E733ACD704718320562FF214821E1CEB898C1DB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004190A0, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00404AEC,?,00000000), ref: 004190A6
TlsGetValue.KERNEL32(00000022), ref: 004190B5
SetLastError.KERNEL32(?), ref: 004190CB

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004190A0

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ErrorLast$Value
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 1883355122-3176450862
Opcode ID: 0524db695ba4735544f78c652b154e614e48ca7cb25f2c6756704311e73c146a
Instruction ID: 2b3dd9437271b942bf13f2fe52d933277596aa301d273a6797c1349f6051e44d
Opcode Fuzzy Hash: 0524db695ba4735544f78c652b154e614e48ca7cb25f2c6756704311e73c146a
Instruction Fuzzy Hash: ACE0BF79901208EFC704EFA8EA4885DBBF8EB48211B1095A5E905D3310D6719951DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040839B, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,00000000,?,00000001,00000000,00000000,00000000,00430024,00000000,00430024,?,00000000,00000000,?pcn=,00000000,00000000), ref: 004084C3

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 004186A0: TlsGetValue.KERNEL32(00000022,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404B45,00000001,00000001,00000006,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004186AA

Part of subcall function 0040A212: TlsGetValue.KERNEL32(00000000,0040111B,0043101C,FFFFFFFF,00000002,00000000,00000000,00000001,00000020,00000000,00000000,0043383C,00000000,00000000,00000000,0000000C), ref: 0040A219

Part of subcall function 00408683: InternetOpenW.WININET(00000000,00000001,00430024,00430024,00000000), ref: 004087AB
Part of subcall function 00408683: InternetSetOptionW.WININET(00000000,00000002,000003E8,00000004), ref: 004087C7

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

Part of subcall function 004185B0: HeapReAlloc.KERNEL32(02A80000,00000000,?,?), ref: 0041860C

Strings

?pcn=, xrefs: 004083FA, 004083FF
?lpc=, xrefs: 004084FB, 00408500

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$ErrorHeapInternetLast$AllocAllocateExistsFileOpenOptionPathwcslen
String ID: ?lpc=$?pcn=
API String ID: 809141536-1095368061
Opcode ID: da892263a3271f18461a17ee992343837e05821a09bad1aba0ef942097584386
Instruction ID: 5a14a4b77de11aac561ead76d5a441be77f12fa97676e37856e629325259bb47
Opcode Fuzzy Hash: da892263a3271f18461a17ee992343837e05821a09bad1aba0ef942097584386
Instruction Fuzzy Hash: 1C613CB5504300BFD600BF61DD829AF76EEEBD4308F50883EB544A61A2DA3DDE91962D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E49, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00418710: TlsGetValue.KERNEL32(00000022,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00404AE3,00000000), ref: 00418727

IsUserAdmin.SETUPAPI ref: 00403E5E

Part of subcall function 00418570: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 00418576
Part of subcall function 00418570: TlsGetValue.KERNEL32(00000022), ref: 00418585
Part of subcall function 00418570: SetLastError.KERNEL32(?), ref: 0041859B

Part of subcall function 0040793C: SHGetSpecialFolderLocation.SHELL32(00000000,00000001,00000000,00000001,00000000,00000000,00000013,00403EAC,00000007,00000000,00000000,00000000,004037C8,00000001,?,?), ref: 0040795C
Part of subcall function 0040793C: SHGetPathFromIDListW.SHELL32(?,?), ref: 00407998

Part of subcall function 00418640: wcslen.MSVCRT ref: 00418657

Part of subcall function 004185B0: TlsGetValue.KERNEL32(00000022,00000000,00000000), ref: 004185BC
Part of subcall function 004185B0: RtlAllocateHeap.NTDLL(02A80000,00000000,?), ref: 004185E9

PathFileExistsW.SHLWAPI(?,00000000,.lnk,?,00000007,00000000,00000000,00000000,004037C8,00000001,?,?,pidl.conf,00000001,00000000,00000000), ref: 00403EE1

Strings

.lnk, xrefs: 00403E83, 00403E88, 00403EB6, 00403EBB

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Value$ErrorLastPath$AdminAllocateExistsFileFolderFromHeapListLocationSpecialUserwcslen
String ID: .lnk
API String ID: 2786636982-24824748
Opcode ID: 6df6401ed240c804f2b3c3390a7bd55d8495fedea9e5acb7ad8bfe2dca0286d6
Instruction ID: aa0a164e640024c76f35ebae998885afcfb72f425ed5f250aeb5e5c9458f5a9b
Opcode Fuzzy Hash: 6df6401ed240c804f2b3c3390a7bd55d8495fedea9e5acb7ad8bfe2dca0286d6
Instruction Fuzzy Hash: BF216AB9608201BAE640BA72CC42B7F76ADDFD4709F10C93FB144A5192DE3DCD81626E

Uniqueness

Uniqueness Score: -1.00%

Function 00415EB0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

codecvt.LIBCPMTD ref: 00415F5D

Strings

V[A, xrefs: 00415F18, 00415F30, 00415F1D
V[A, xrefs: 00415EB6, 00415EF8, 00415F3A, 00415F78, 00415F43, 00415F6E, 00415F01, 00415EBF, 00415EEE

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: codecvt
String ID: V[A$V[A
API String ID: 3662085145-3242595788
Opcode ID: d7a440dceab96d64faece2974184388f27742db449bd5e04e91a6bc50bf2541d
Instruction ID: 8161cb448381d23d65c2fb48248412d9a65882e6af44408985668f4ca878458e
Opcode Fuzzy Hash: d7a440dceab96d64faece2974184388f27742db449bd5e04e91a6bc50bf2541d
Instruction Fuzzy Hash: 24318574A00609DFDB04CF44C594BEEBBB1FB88344F108199D9056B391C779AE86DF84

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDC0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00417E13: EnterCriticalSection.KERNEL32(00001020,00000000,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E), ref: 00417E1E
Part of subcall function 00417E13: LeaveCriticalSection.KERNEL32(00001020,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E,004338C8), ref: 00417E99

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,?,00000000,004056AE,FFFFFFFF,?,00430D24), ref: 0040CDF3
HeapAlloc.KERNEL32(00000000,00001000,?,?,00000000,004056AE,FFFFFFFF,?,00430D24,00000000,00000000,00000000,00000000,004072E5,00000000,00000000), ref: 0040CE15

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 0040CDDF

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: CriticalSection$AllocCreateEnterFileHeapLeave
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 3705299215-3176450862
Opcode ID: 4a7d217bcf300da0512bd09958e99e0ea7039dd9ea8a5b2e5e89620a7ee1074a
Instruction ID: 95523ca6d68832a4aadad2b257726d2d91a3262477870f57c5ce0b1a80e4298a
Opcode Fuzzy Hash: 4a7d217bcf300da0512bd09958e99e0ea7039dd9ea8a5b2e5e89620a7ee1074a
Instruction Fuzzy Hash: B5118271200700ABD2305F1AEC88B57BBF9EBC5B61F10473EF565972E0C775A8558BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004169D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000,00000000), ref: 004169F2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00407D6F,00000000,00000000,00000000), ref: 00416A16

Strings

Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY, xrefs: 004169D0

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY
API String ID: 626452242-3176450862
Opcode ID: 54e8f9440038e49b0d6f0c2ceb64a24e9cfe66aecf19c3a7f57bdeac9f30da18
Instruction ID: 39a873e3e1c93b0c92f6a7c3c7a92f061da19fe1c0096474e85eb958f8424f51
Opcode Fuzzy Hash: 54e8f9440038e49b0d6f0c2ceb64a24e9cfe66aecf19c3a7f57bdeac9f30da18
Instruction Fuzzy Hash: 6FF06D3678532537E231215A5C06F6739988BC6FB0F3602327B24BE2C086E5B80085BC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040C834,00000000,00000000,00404DF0,00401927,000003E8,00000000,00000000,?,timers,connect,00000000,00000000,000003E8), ref: 0040C812
DeleteFileW.KERNEL32(00000000,0040C834,00000000,00000000,00404DF0,00401927,000003E8,00000000,00000000,?,timers,connect,00000000,00000000,000003E8,00000000), ref: 0040C81C

Strings

t, xrefs: 0040C812

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: File$AttributesDelete
String ID: t
API String ID: 2910425767-2238339752
Opcode ID: ad1c291215ac35ab42d62515913f68220a005732bc84298c94e07d5002785b25
Instruction ID: b306eba7cbb2bca043322e4ac5a5bbe2c344cc2d24da8a39c2f9c3c32f6deea9
Opcode Fuzzy Hash: ad1c291215ac35ab42d62515913f68220a005732bc84298c94e07d5002785b25
Instruction Fuzzy Hash: 03D05E31008301E6C3452710D94D71B7AE0BF80702F00C939F485500F1C7744894E70E

Uniqueness

Uniqueness Score: -1.00%

Function 0041B060, Relevance: 5.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B095
memcpy.MSVCRT ref: 0041B11B
memset.MSVCRT ref: 0041B22B
memset.MSVCRT ref: 0041B264

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: e7feb2428207918bdbbe68e8bd60c1366d5a9154358d43a2f2714e5ebec1e49e
Instruction ID: 268f2de06b31dd2433eb91a9e1064fd862cf9558c48e75ca899d24dd93ef507e
Opcode Fuzzy Hash: e7feb2428207918bdbbe68e8bd60c1366d5a9154358d43a2f2714e5ebec1e49e
Instruction Fuzzy Hash: E2718B36600B018FC720CF2AC9959A7F7E2FF88354B15492EE99287B51D739F895CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00417EFA, Relevance: 5.1, APIs: 4, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,00000000,0040C253,?,00000001,00000000,?,00000000,?,0040C036,?,?,00000000), ref: 00417F0E
HeapAlloc.KERNEL32(00000000,?,00000001,00000000,?,00000000,0040C253,?,00000001,00000000,?,00000000,?,0040C036,?,?), ref: 00417FC3
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00417FE6
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0041803E

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: ef83a424be5230a86b39ecc6d34ebf564b0a5d0e71246dd9aa724a29f9ee61ed
Instruction ID: 23705f2559c574ce396f17cbada3c18a4d1e591e9be55e5c4d69a412d2f82599
Opcode Fuzzy Hash: ef83a424be5230a86b39ecc6d34ebf564b0a5d0e71246dd9aa724a29f9ee61ed
Instruction Fuzzy Hash: AE510371604B069FC728CF29D580962FBF4FF487503158A2EE89A87A10D735F996CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1F2, Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040C25A
HeapAlloc.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,?,0040C036,?,?,00000000), ref: 0040C270
wcscpy.MSVCRT ref: 0040C27B
memset.MSVCRT ref: 0040C2A9

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID:
API String ID: 1807340688-0
Opcode ID: ec33e3908c6c771793e816267602e7e2e7672a70ad24028b13a2c1f0b4c416dc
Instruction ID: 58c5f6168ff7a60003f67b2cd0c4914594f31e853226de6b5d99fba91dbbf87e
Opcode Fuzzy Hash: ec33e3908c6c771793e816267602e7e2e7672a70ad24028b13a2c1f0b4c416dc
Instruction Fuzzy Hash: F821F476500700EFC3219FA5D881B27B7E4EF89318F144A3FF58562A91CB39A805CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF1C, Relevance: 5.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C068: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,0040BF2A,?), ref: 0040C093
Part of subcall function 0040C068: HeapFree.KERNEL32(00000000,?,?,?,0040BF2A,?), ref: 0040C09F
Part of subcall function 0040C068: HeapFree.KERNEL32(00000000,?,?,?,?,0040BF2A,?), ref: 0040C0B3
Part of subcall function 0040C068: HeapFree.KERNEL32(00000000,?,?,?,0040BF2A,?), ref: 0040C0C9

HeapAlloc.KERNEL32(00000000,0000003C,?), ref: 0040BF3A
HeapAlloc.KERNEL32(00000008,?), ref: 0040BF60
HeapAlloc.KERNEL32(00000008,?,?,00000010,00010000,00000004,?), ref: 0040BFBD
HeapFree.KERNEL32(00000000,00000000), ref: 0040BFD7

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID:
API String ID: 3901518246-0
Opcode ID: 90ed4249fb475afdad791bcb49ba754730ae4c8223294c0f93cfd3c01d989e2c
Instruction ID: 34ba8a4f319ab73104d89e8476fde803eb39aca07ad07745b6ca894eb89de08d
Opcode Fuzzy Hash: 90ed4249fb475afdad791bcb49ba754730ae4c8223294c0f93cfd3c01d989e2c
Instruction Fuzzy Hash: 48215772600612BBD7149F2ADC01B06BBE4FB48B11F40822AF508E7A90C7B1E861CFDC

Uniqueness

Uniqueness Score: -1.00%

Function 00417E13, Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00001020,00000000,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E), ref: 00417E1E
HeapReAlloc.KERNEL32(00000008,?,?,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000), ref: 00417E5E
LeaveCriticalSection.KERNEL32(00001020,?,?,0040CD05,00000000,?,?,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,004091B0,FFFFFFFF,?,00000000,00000000,00000000,00401B6E,004338C8), ref: 00417E99

Part of subcall function 004184ED: HeapAlloc.KERNEL32(00000008,00000000,00417D67,00434120,00000014,?,?,?,?,00416161,00000078,00000000,00416140,?,0040105D,00000000), ref: 004184F9

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: dd34c7134b2f3baa6c34e33b9ce0de47b92842a7f9949afb813079d0ee80df53
Instruction ID: 676c71ca03bd6d7b500d677f7790eac57bfd58da78af71c9cb47e2531e497145
Opcode Fuzzy Hash: dd34c7134b2f3baa6c34e33b9ce0de47b92842a7f9949afb813079d0ee80df53
Instruction Fuzzy Hash: 8B115832208711AFC7249F28EC80E56B7F9EB48321B04892AF496D36A0D734FC80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040C068, Relevance: 5.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C0D1: memset.MSVCRT ref: 0040C139

Part of subcall function 004182C1: EnterCriticalSection.KERNEL32(00434134,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,00000000,0041244B,?,00000000,Ek6bHA/CQopuNheX5LWBQA9gqDaVyrZ8oE2Ks8+o52Tq5oiyZ0h5HAiYzDRgIxRVGucC0CXTjg9nc7l7HnoYlTGGI+srb+Cf8cixyJaRyDTbhC9O7L5nj8M8ugVbGjo8scSc4YelMSbe8kH21DZdW//C4qxYv07dUftYjY1c60Nn00IuatNP3eFff2HsVH1XhEiQMZ+Cm2RsaYYn0wnP4eAhaUVOm/cpWmbN993FUHBUKYLXsglXyMIHliUFA263hNfY,00000000,?,00411D21,?,00000000,?,00406FC1,?), ref: 004182D5
Part of subcall function 004182C1: HeapFree.KERNEL32(00000000,?,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000,?,FFFFFFFF,?,?), ref: 00418323
Part of subcall function 004182C1: LeaveCriticalSection.KERNEL32(00434134,?,00411D21,?,00000000,?,00406FC1,?,00000000,00000000,00000000,?,FFFFFFFF,?,?,00000000), ref: 0041832A

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,0040BF2A,?), ref: 0040C093
HeapFree.KERNEL32(00000000,?,?,?,0040BF2A,?), ref: 0040C09F
HeapFree.KERNEL32(00000000,?,?,?,?,0040BF2A,?), ref: 0040C0B3
HeapFree.KERNEL32(00000000,?,?,?,0040BF2A,?), ref: 0040C0C9

Memory Dump Source

Source File: 00000002.00000002.463581366.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.463559227.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463853572.0000000000438000.00000080.00020000.sdmp Download File
Associated: 00000002.00000002.465100835.0000000000667000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.465125871.0000000000669000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465184420.0000000000674000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.465472418.00000000006E2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465481211.00000000006E6000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.465509927.00000000006F2000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465516678.00000000006F4000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465534688.00000000006F9000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.465552892.00000000006FD000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_CachemanControlPanel.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: f261dfb08539aeb4de2043b4239043ae99f607715914f62d8fdbfc996957e3cf
Instruction ID: bb1b9e47252b3d7416027ea759061f43e2fc256de630eea5c341f22563d4a6da
Opcode Fuzzy Hash: f261dfb08539aeb4de2043b4239043ae99f607715914f62d8fdbfc996957e3cf
Instruction Fuzzy Hash: 08F03132101505FFDA11AF56DD80C17BBFDFF49765341112AB40492530C733AC61DAA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report dY5HmgsBm6

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Diamondfox

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 00403348, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 0040535C, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00403CA7, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040390A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EA1, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Function 0040618A, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 0040521E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
COMMON

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004052F0, Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405C6B, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004041C7, Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Function 00403300, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004041B0, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Function 0040419D, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Function 00403830, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Function 0040460D, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 00406945, Relevance: .3, Instructions: 334
COMMONCrypto

Function 0040711C, Relevance: .3, Instructions: 300
COMMONCrypto