Edit tour

Windows Analysis Report
PO874530040021 YIKANG INQUIRY.com.exe

Overview

General Information

Sample name:	PO874530040021 YIKANG INQUIRY.com.exe
Analysis ID:	1445948
MD5:	86a0fbc943d577f93faf00394997bb22
SHA1:	bc1bd20d88ce7f659dbab2752d670f8cce3ff8e3
SHA256:	b4834413f9bedbc2d64ba07d1401e4d1eb44a54adbca90bb79fc67bf03fa4ab5
Tags:	comexe
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Opens the same file many times (likely Sandbox evasion)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PO874530040021 YIKANG INQUIRY.com.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe" MD5: 86A0FBC943D577F93FAF00394997BB22)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3711323210.0000000006BFD000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO874530040021 YIKANG INQUIRY.com.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: PO874530040021 YIKANG INQUIRY.com.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 73.4% probability

Source: PO874530040021 YIKANG INQUIRY.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PO874530040021 YIKANG INQUIRY.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF

Source: PO874530040021 YIKANG INQUIRY.com.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PO874530040021 YIKANG INQUIRY.com.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403348

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	File created: C:\Windows\stepsire	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	File created: C:\Windows\stepsire\Diamondbacks22	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	File created: C:\Windows\resources\0809	Jump to behavior

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_6ED81A98	0_2_6ED81A98

Source: PO874530040021 YIKANG INQUIRY.com.exe, 00000000.00000000.1192273033.0000000000455000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesolaarene frankeniaceae.exe4 vs PO874530040021 YIKANG INQUIRY.com.exe
Source: PO874530040021 YIKANG INQUIRY.com.exe	Binary or memory string: OriginalFilenamesolaarene frankeniaceae.exe4 vs PO874530040021 YIKANG INQUIRY.com.exe

Source: PO874530040021 YIKANG INQUIRY.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/20@0/0

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

0_2_00403348

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040460D

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

File created: C:\Users\user\AppData\Local\skolebetjents

Jump to behavior

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsjD839.tmp

Jump to behavior

Source: PO874530040021 YIKANG INQUIRY.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO874530040021 YIKANG INQUIRY.com.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

File read: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: polres.lnk.0.dr

LNK file: ..\..\user~1\AppData\Local\Temp\nseD905.tmp\Revitalizers\Forsoldet.Cho46

Source: PO874530040021 YIKANG INQUIRY.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3711323210.0000000006BFD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_6ED81A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6ED81A98

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_6ED82F60 push eax; ret

0_2_6ED82F8E

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	File created: C:\Users\user\AppData\Local\Temp\nseD905.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	File created: C:\Users\user\AppData\Local\Temp\nseD905.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	File created: C:\Users\user\AppData\Local\Temp\nseD905.tmp\UserInfo.dll	Jump to dropped file

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\redargue\demonising.ini count: 408630

Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

RDTSC instruction interceptor: First address: 6F01608 second address: 6F01608 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 mov edx, 0000006Ch 0x00000008 cmp edx, 1DAEFCFFh 0x0000000e jg 00007FDD0909CAFAh 0x00000014 pop edx 0x00000015 test ebx, 64F9669Ch 0x0000001b cmp ebx, ecx 0x0000001d jc 00007FDD09079DCFh 0x0000001f inc ebp 0x00000020 inc ebx 0x00000021 test bl, dl 0x00000023 rdtsc

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseD905.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseD905.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseD905.tmp\UserInfo.dll	Jump to dropped file

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF

Source: PO874530040021 YIKANG INQUIRY.com.exe, 00000000.00000002.3646798597.0000000000748000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	API call chain: ExitProcess graph end node			graph_0-4034
Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe	API call chain: ExitProcess graph end node			graph_0-4027

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

Code function: 0_2_6ED81A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6ED81A98

Source: C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe

0_2_00403348

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO874530040021 YIKANG INQUIRY.com.exe	37%	ReversingLabs	Win32.Trojan.Nemesis
PO874530040021 YIKANG INQUIRY.com.exe	100%	Avira	TR/Injector.xdzso

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nseD905.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nseD905.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nseD905.tmp\nsDialogs.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	PO874530040021 YIKANG INQUIRY.com.exe	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	PO874530040021 YIKANG INQUIRY.com.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445948
Start date and time:	2024-05-22 20:14:49 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO874530040021 YIKANG INQUIRY.com.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/20@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, audiodg.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO874530040021 YIKANG INQUIRY.com.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nseD905.tmp\UserInfo.dll	Benefits-Signature-RequestsPlan#241205.com.exe	Get hash	malicious	GuLoader	Browse
	SCOE-SP-21-091-003TKT KOREA.com.exe	Get hash	malicious	GuLoader	Browse
	PO#RMS9877946001 RMSMARINE SERVICE.com.exe	Get hash	malicious	Remcos, GuLoader	Browse
	PO#RMS9877946001 RMSMARINE SERVICE.com.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nseD905.tmp\System.dll	Benefits-Signature-RequestsPlan#241205.com.exe	Get hash	malicious	GuLoader	Browse
	SCOE-SP-21-091-003TKT KOREA.com.exe	Get hash	malicious	GuLoader	Browse
	PO#RMS9877946001 RMSMARINE SERVICE.com.exe	Get hash	malicious	Remcos, GuLoader	Browse
	PO#RMS9877946001 RMSMARINE SERVICE.com.exe	Get hash	malicious	GuLoader	Browse
	__824pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	__824pdf.exe	Get hash	malicious	GuLoader	Browse
	AyE60D4cst.exe	Get hash	malicious	FormBook, GuLoader	Browse
	AyE60D4cst.exe	Get hash	malicious	Unknown	Browse
	AyE60D4cst.exe	Get hash	malicious	Unknown	Browse
	Fatura_M23_890_Originalpdf.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\Public\Desktop\polres.lnk

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	3.1520707013371916
Encrypted:	false
SSDEEP:	12:8wl03sX2f0ye/tz+7RafgKDI/nZlAKkLIAiComgGsc8f6oJQ1Ankcm1f6XkXg1QP:8w17aRMgK8aDoVN6ouaY6Xco2Sovqy
MD5:	BE8BA03DD2EF5F9592C90FAFA8614701
SHA1:	005C4D35ADD2ED89545C717AEF3F72FFF8D19AA3
SHA-256:	E729B87D00DE0F977376EC454C25E066558C1869C451C2B4B731009BB068DFF8
SHA-512:	D041F572C95ED81AFA4124FA9531CA2B188E7BBAAAE44DA10BE50E3ADE276BC9EA99B28FA306EE1D9CAD21F72A149248B5512D3A9A872EE8A315C55EFABCB7DE
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user~1..B............................................F.R.O.N.T.D.~.1.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....b.1...........nseD905.tmp.H............................................n.s.e.D.9.0.5...t.m.p.....f.1...........Revitalizers..J............................................R.e.v.i.t.a.l.i.z.e.r.s.....n.2...........Forsoldet.Cho46.P............................................F.o.r.s.o.l.d.e.t...C.h.o.4.6.......J.....\.....\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.e.D.9.0.5...t.m.p.\.R.e.v.i.t.a.l.i.z.e.r.s.\.F.o.r.s.o.l.d.e.t...C.h.o.4.6.:

C:\Users\user\AppData\Local\Temp\nseD905.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11776
Entropy (8bit):	5.8545531334577525
Encrypted:	false
SSDEEP:	192:EPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4W:j7VpNo8gmOyRsVc4
MD5:	4CA4FD3FBEFA2F6E87E6E9EE87D1C0B3
SHA1:	7CDBEB5FF2B14B86AF04E075D0CA651183EA5DF4
SHA-256:	D09A8B3ADE4BA4B7292C0B3DA1BCB4B6C6E2012E0CCFD5E029A54AF73A9E1B57
SHA-512:	CF0F415A97FDC74568297FED4F1295D0D2AEF487A308141144EF8D5F04C669EF4795C273E745B81065429ADDE113FCDEDF4C22717A7AEEF60FDCD8D4D46F97F8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Benefits-Signature-RequestsPlan#241205.com.exe, Detection: malicious, Browse Filename: SCOE-SP-21-091-003TKT KOREA.com.exe, Detection: malicious, Browse Filename: PO#RMS9877946001 RMSMARINE SERVICE.com.exe, Detection: malicious, Browse Filename: PO#RMS9877946001 RMSMARINE SERVICE.com.exe, Detection: malicious, Browse Filename: __824pdf.exe, Detection: malicious, Browse Filename: __824pdf.exe, Detection: malicious, Browse Filename: AyE60D4cst.exe, Detection: malicious, Browse Filename: AyE60D4cst.exe, Detection: malicious, Browse Filename: AyE60D4cst.exe, Detection: malicious, Browse Filename: Fatura_M23_890_Originalpdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L...6.$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nseD905.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3282212929259076
Encrypted:	false
SSDEEP:	48:qKOpbhg7V46Br1wHsl9rECxZShMmj3hTPRYBA:5OZOVZruHs1xH6hT+i
MD5:	035BDB470A6807313BD005BD98341FFC
SHA1:	5017D1E5A23F1C64594F737E6FCCD519729C3B3E
SHA-256:	26FA900E3426B4DD272707E1AAF428B5EE06BDC2CC2BBAECDAB6B54F11F38F27
SHA-512:	F888BAED5267B05B13722E839634254393AA99B2ADF1A2AE6E799D3A901665E7EBDA0FA1202DB20A6765A8AFF58E2ED6F4E822028BE426DB732EB10EC783AA05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Benefits-Signature-RequestsPlan#241205.com.exe, Detection: malicious, Browse Filename: SCOE-SP-21-091-003TKT KOREA.com.exe, Detection: malicious, Browse Filename: PO#RMS9877946001 RMSMARINE SERVICE.com.exe, Detection: malicious, Browse Filename: PO#RMS9877946001 RMSMARINE SERVICE.com.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L...;.$_...........!................\|........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nseD905.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.127127260486972
Encrypted:	false
SSDEEP:	96:oVDlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx488qndYv0PLE:oVp34z/x3sREskpxjdO0PLE
MD5:	EB2C74E05B30B29887B3219F4EA3FDAB
SHA1:	91173D46B34E7BAE57ACABDBD239111B5BCC4D9E
SHA-256:	D253CA5ABA34B925796777893F114CC741B015AF7868022AB1DB2341288C55ED
SHA-512:	1BB035260223EC585170F891C2624B9AE98671F225E74B913B40BB77B66E3B9C2016037BC8E4B0AE16367D82590A60A0A3BD95D05139EA2454F02020D1B54DAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....$_...........!......... ......Y........0............................................@..........................6..k....0.......`.......................p.......................................................0...............................text............................... ..`.rdata..{....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..t....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Laparocolpohysterotomy162.fra

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	1298
Entropy (8bit):	4.819168094685199
Encrypted:	false
SSDEEP:	24:foIwTQX+y1uklbJlltkrwWGbvz/Nv/sQ4JUJibXC/V0TlnNqbcgX/vIO:fo1QMklbJllSMWGnB/kJUJIJNqH
MD5:	623272435DE8395E801ABF39701074A3
SHA1:	5E234E9270EFAB606464277FABE18436FD92E6BD
SHA-256:	FE85D7B25A41EE93F1A172F4F8F0489A83C24D03A0AC59066E79A1F58F9C5382
SHA-512:	C80FD2086FCA97387C41AE647801F4F0A991A2FC38E05A6488D069A3D222927B658038E76E05E71183A47372EE38180D9C0A43CCE63149955F1578869CF33A71
Malicious:	false
Reputation:	low
Preview:	....H.......O.....C...... .............3...9...f.........\...........B.\....``..]..........R...._...........e.Y...).).{.........}`..9u.....{......./.....n..F.Y.=.....'....w..s..+....................D...b....K....c.....R...6.......9n....d.H{..dd...7..t........0......,.W......#..\|[.......C........(...........}.X.................G....2...^...9...#<..9......O...g2...".....}Y..-...1.%e..........I,......"Rp................L.n.........Q..=.B..\....%N........{.....C...<...T....^.......P....a........]....l..w....l....?.......&.Fm.....,.=.............e`2.....Qge...q....{.....A...w..."....Xd..G...............~".............K........%....u.uKV.......i....<.v...........,....V...................d_.......,.n......f.y)....x.....&?@[Z.......v1h......i...L....u..,..?..^.?%Y..,:.......0....P...l.B....:..f........}.....\....q.c..U......4....`.+......u.0.B...........=.{......"..9..w.....d.......]....u..\..S......F.Z............."W......,..a.&E.C..........T............(.....{.......[.....>L$.....

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Lrketr160.bel

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	2561
Entropy (8bit):	4.870990376573247
Encrypted:	false
SSDEEP:	48:y140jm+d7sQ58IHJ6fIVOCVNiXKU6U0pqPscYD4YW3/gMqiLj:zYbKLCVNCF/0paRgpgIHiLj
MD5:	556C42AD236F523422A8D33C7E01D769
SHA1:	86AD2EE8FAD51E33C3D316083FE427E7D59F8BA2
SHA-256:	47C9FA08E1FDB45FF4B68936E127BEF728DF2558B79CEA6F9CF812E7A06580E5
SHA-512:	B50D36A5839AE51BADC821764FC93C7409F62CB97A7677C0C759E06217C48D58EC3AA4554746CA8EFDF23E37B2E8A4B4C629B34E91C50F611578A8D3A58B2042
Malicious:	false
Reputation:	low
Preview:	....8.o......^.....[8.6...,....;.o...}.......a.....@........&.....e..................Q......tOJ0...t...1.....-....g.........H.g...U........v..(`...........3.......d.......@...n...%..k.......A......`.................V..........;..........;.............s.._.....s.....&...A.P....^.......m...c.......j.........@}....w..\|jJ....f....~..vk...................4.................,.n....."...X.....B...k....F.......G...r........H........R......x........Y...V.....1....v.....:........s..1.......j.\|.J..........#9..U^......[.f&..@.4\|................Y.....................I9..........s...F....-....H.......0.,.}a...................J...g........Q....y.....V.)S......(.......o..................i...........&..h)..............As.v.r......~%....!.............s...4..~Z..'.N.............z...............s...U..Y..^......'....=...C...k...............h..i....)...D...8..&..E.n}...y....u...L.R..........C.....................8.+.....O...............;.....iF.......-....\|...~......FMS....O...F.1..1.;r....

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Misdefine.vil

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	2157
Entropy (8bit):	4.7880500800335914
Encrypted:	false
SSDEEP:	48:4HbrcqCyK/bteSTO8zQQZOtkcbHdDZ/U5M5KyHDr+2hX/GM/:IrcqCyit5jUaONHnmyP+25
MD5:	BC7EDBFCEF64A6C616650E2D9A5A7245
SHA1:	A87D7BD6A4174FA5BF293BE370C4C08B319A144B
SHA-256:	02A443F69D7695AFB9B48BFA4F79D2820C1F5C0ED7747EFFDC5CDC7E5DA04747
SHA-512:	6DF4FFC0CC1835E34C3D22282B6BF1502E852EB861AD5521C826945AFE8AF52347E34F32BF8EA5905431F1B42E3407D05E6D8E5352E63D018CFB1005FFD9F35E
Malicious:	false
Preview:	~.z..S....7........(.....-T.................E...........(.@..z.......m..W`...L..X............k.u..Q.....[....{..............K..i...........aP.).........8.......Q.o.....\|......D..N!.u..F....2<..E.......e............Z.........'.....n99..................C.J._.....:s..%.).........e.>@.7 ;..9..s.......[..H...f......w..........x.Mh9#.........[.............Bn........=... .o?..f.................o................q..&.#..{................D..M...s@..y.#.....UiZ..............R.....&......................z..Y......B........s..D.....D.2..........E....^.........:......n.V....h1... ..{.....}.........z.....3..1..................G.X........+m..............$....5.....;..@&^.......Ki.......k.B.M.z.L.M>.....d..................l.......g...v...I......5......v..........V...p..z.I.h.2.....v..1.3........y...e..H...%.....W...........i..............zt^...%!......U.............d..\E.q....".......?.[............E.......H....3b........h..............-.....#...r..Y....wLF..u................_...k..[..

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Taino.Tan3

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	176220
Entropy (8bit):	7.716050761096726
Encrypted:	false
SSDEEP:	3072:q+8rS1buYkoN9ES40H7yLYaJdwjOOENofevKwuMPANozwxOZpNksY:J8rKKYhT40HKglaSgXwQpU
MD5:	0214EE3B483B2BD30009DBC109B33F4D
SHA1:	79FDEF32D664A5ED7E377D8A8127BD91F4455D8F
SHA-256:	78B1099C045A7E1F8D3FC37177AC87EBC93AD1FFE082A705A1DAEB27BE55FF74
SHA-512:	A0D605B7F8BF37E29383F73C19194184A64E24B59A522A97A07DEFA68C4504761FF38E29ED6822A7C8C688CC9D57891D93982787C9C9EA4D6148E4A3C2A3C8CC
Malicious:	false
Preview:	.yy...................ee..H.....V...................................[[[[...........4...@.;.....WW..............M.n.....<...4444.......'''.................w..............#........N....................;....PP...W..........................OO...IIII........................H..................iiii...JJ.$$$..........K.5...........pp.........''''''..$.55.......MM....%%%......................w...)......xx..66666...X...............i................m.h.???.HH....................................._.......G.......=....................................e....8...F..P....b.................................`.........................W........,......44..........Y...ll.3................"..=....cc.........II.....>..........................kk.nn.............."............[.9.......ffff........................KKK...((.vvvv.....,.....E.........................t...........AA.........................$..BBB...............................J..e.8...............--.....WW.RR.............vv.>.H..--......C.................

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Tgernes.sub

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	15176
Entropy (8bit):	4.540591630619478
Encrypted:	false
SSDEEP:	192:6Xxh02zP8OAqkOKzLp2aBip254kSSwBFiqdwDbiK1+JDirLPA0Hd2fE:6Xxi2z0ntzN22ip44BniqifiK05H08fE
MD5:	D6ECEC90DDD9777C15163FE9F5346807
SHA1:	1FFDDBB693F9F12ECFF3E68B8806A257FEDD9DDE
SHA-256:	DAF8AC46EE15628FE4834408DE7FEB876F87E5625A205B85CB230B11CD41A3DE
SHA-512:	F491F1D279356C1A3B284C360CDE80CD274C94237255D7AD9A03AC64DD0EACB57E59C3F50E2C7CEB28A0D897537A40F54721E2C1D4D67B4C844E15998B1B5A28
Malicious:	false
Preview:	.....n..............k....e...7r....n....e....l....3....2...U:....:....C....r....e....a....t..."e....F....i....l.[[[e....A....(.--.m.... ..33r....4.... ....,.... ....i.... ....2....1....4....7....4....8....3....6....4....8....,..{{ ....i.$.. ....0....,..B. ....p...\ ..^^0....,.... ....i.}}. ....4...%,.... ....i../. ....1....2....8....,.... ....i.... .nn.0..7.)....i.......__r..=.5...&z....k....e....r....n..Q.e....l....3....2....:....:.NNNS...oe....t....F....i....l....e....P....o....i....n....t....e....r....(....i.... ....r....5..h.,.... ...ci.... ....2....2...v1....2...~ ....,.... ....i.... ....0....,...9i.Z.. ....0....)....i......GG.r...J3....z....k.Y..e....r....n....e..FFl....3....2..!.:....:....V....i....r....t....u....a...1l....A....l....l....o....c...4(..H.i.... ...!0....,....i.... ....2.@@@3....5....1.f..5....1....3....6....,...7 .(..i..uu ...q1....2....2....8.OO.8....,.... ..:.i.... ....6....4....)....p......7..r...v1....z....k....e...\|r....n....e....l....3....2....:.m..:..''R..Z.

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\Stuepigen.hor

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	3947
Entropy (8bit):	4.982400359777868
Encrypted:	false
SSDEEP:	96:jExwfmqEDudI2enF8cEOJ1Zv0vp8+oXAv:jExYpwOOpIpv
MD5:	6968CFE66311AE9BB0DED77DE8492562
SHA1:	B2991E4B0427E879AD2ABDA54D94624B2D0EAC1E
SHA-256:	D15FD3D370057160C77A483D9659CF6E79B3892665E0D87D9EF8859E4BE1AE59
SHA-512:	111EF26E9DD6A1BE84C80FAEC57A6C144DB84A36CDC157E905F91985A221F91148B2B1ED92C2BF740458F959F495F8C559665C49A9E941399F3520139C3E4BE2
Malicious:	false
Preview:	}\......U.v....B.\..........v9...U...y........u..............RO.............(......E..[.....R.#...y.........J.. Kz.a..... .q...\|.g.`.).......h.=.......&........].aZ.......J..........H.n.........5.../..."...........<......+......Y...T..-..a0.....y.5......j.......k.t........... ..G.....n..........hLg........w..........2.<....b.r.h...........3....k.....&).....##8.".......,.../...s...../....../.........(.. .)I...:..............9.....8...yiW...........[.......................O..(............c.6.j<........._<.M...5...............v.............G..x......<.....k....(.;.)...\....\.......(..-....o..V.......e..5.....T.......................a..R......:....^......G...=.i..r..t..~..'.$e...p...[..,...^...........)..f..&......m...\...9....r...........L@.N...<.~.<1.........c...........)........F..;A.2....:S.....\c...........]...o.....h.....*e.#.w.....".....z.G..0.N..........a...........s....{)...i..2...E..5....L.a...D..../.A."....Z..........g.......}..H.z....m..../..%....2.w.......-\.

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\Talbehandlings88.uve

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	4.773554728401994
Encrypted:	false
SSDEEP:	24:fyuYAol4nRKNjFyl0cfj8K692BpWtHEaqWtnQ0gaQzjWTePZMAM:fyuYApRZ3vg2BpWeapa9+AM
MD5:	AAEFD238CA955B45BC68D442FB059D5B
SHA1:	71FA1CA71CD483235E0121CB39C34F81511F975B
SHA-256:	241C8E953F55CE7B68983303E62DD43663DCAD2D32482318A0C9E13A59E37FFF
SHA-512:	6C9EAAD76DA058B89AC9413064605CCB4195EEBD477697D167F9EDE06DEDF6DD3A3723081317E4EE9DFCCEE5CE1AA27FFEC9AC5B9D21D3BF5B99D9EF752D6F6E
Malicious:	false
Preview:	...v............'......3..c.................X......."...r.$...(........V...._....[....C........-t.......<.^.Y..].../..........<?y..+.F.^..........E..........................}..7b..q.a.^.......c.........D....Z...8...M.g.....y.....)<........y..*.......Y.....5..S....m.=.G......p......j......O......#.....@.s....7.......z....................l ......]............t...........:...[..%.....)................................@.?......g........d..<....&.. .....6..................A................f......KX...#.....!.]......9Z..dk.....h..2A.h9..H.6O..@................X..2........t..k.a........................U....H......0w..&....+C......>.;%.....BC.....<.{......j'....'.........M.k..$:............tR..........J.....U..C...6....o.....p...................`.....D.......^.0.....;....(.,...V..aB!..L...].E.y........E............e...=.....x.........%.........................K............%....9..,.....(...............O.O...$.......Q........6...k......../..y.....\7...]....1.....\..&..&.........E.....+L..

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\Thunderhead118.dop

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	4335
Entropy (8bit):	4.8827409322826085
Encrypted:	false
SSDEEP:	96:7S/jcLYcx/3Ii+AtAfS/hjHek1U0C1Duo9uPsfY6cKZci/5NeysyBm:7SbKnxFpAfSFHnU0C16o9tYuNeYm
MD5:	6C88A30B4D494FECB6B1364F0E591B9B
SHA1:	962C04C3D1A5DF4AA609AF206C3C351E25C8ED52
SHA-256:	6CE8E19EAF50DF4811F04535695C2146C0D9664E70428E27DA844D99FE8DCA7E
SHA-512:	5BB08D4B7111285D0AB31E5A102CB7DE12FFD14EDAEF6023FD42106A500B7D89179A373488D89FC9A561295446B9AC8890390D46F45BC40FBF4F8F986DC298B9
Malicious:	false
Preview:	.........1.~.Q....../.........2......X.T.......d......y..............~....5.....w..\........D...{....b........:3...7..........z\|.....+...`....)........'.1...e.'#.2+....=..........O..."..n.v....i.....V..3....3...d.8..3.........0<..5a.................4........(.....4...\|........%......j...[.............M..j................h.....f.........4.........Q..6K.........72_...w....,m.....5.(..n........y..Y.v......X..ia.........-rh.......,{........Kl..........C......k3...&............<.pod...../....L.........Y....b..1....e.....]t...T...........,......C..v.S..=.}...e.........z\|..=........#9T...q.[......5...........@............X.....O........l-.1......r...gD..mA..(........y..Ku_..:E........x.o..................r...............'{...~.......H.........N?O....^..TH...J........................\|........".. .....w.f..RZ................f.........B..B.O...c{9....w......0....u.g.V..*.<.\....i....U.t............j..O.h...JG.........z.....1C...K....\|........O...'..f...............U..0.9..........c.c.Q.

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\advancing.fol

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	3775
Entropy (8bit):	4.950958257088217
Encrypted:	false
SSDEEP:	96:GfS1OD4x08ECtJTXQYMYS1SDNpDz97tS6KLva07ce7Z:ES1ODR8ECTMY2MNV97tBKDjhd
MD5:	7FEA240209F8B573DEFE77AF303502E9
SHA1:	FB010E47DAB492098E2B596AFCDAE259AAB5491F
SHA-256:	477003DCDB6BFBC409E90BB3E12BF4DE2437FC37E3944609B6D1563E0B4119F0
SHA-512:	60C18B95C470130A1613700C098F3F57BAFE80DBD9875CFDF7D023E847182428287F5BEDDF54A64A58869360019697C2E23E2CF02FC121F0365B2F0336EFDFC7
Malicious:	false
Preview:	.Z5.........U........a....6........X%........f..Y.T.....Q........E=....w.~...`....Yo..........xR...........S.................]..y......z....].~..:........u...........x......b......k.....B....9".......)i......6..j.p.M......h.F...5=..........`C.............?.^......L....V.1...!....._=..7..............C........................A...........+....7......Ni...0........@......+...............1....L.............5....6.....c.....}.......G.H....... .P.Tg..X...&.....4.......n.........w.."...M.-...g.....M.@.....Z...Hp...x.[r......~Y......... v..........t.[....m.W..0&............. ......xv........6......o......\X...]...S................>..<....N....g.a5e....)....i.S......O....e.........D.R.....w....................>.RB.V.U..h.&..........._.....Q..x.........q....JD..=..h&.N.......@..3..........#..1.3..........(R.{.$..5.m.p...X..=L...............Z.J;..7...u.s.l....G...U..{.....H.................................. ....M........._.b..i.....B.}.....2....M........"".!..........M.w...,...,J...4..

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\bepepper.txt

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	499
Entropy (8bit):	4.255825957007059
Encrypted:	false
SSDEEP:	12:tVIa7sNyNSJY9GXCPtNAXZFn1a2Yxd810LZx:EEHEdCPtNEn1ahk0LZx
MD5:	AE6051F666A4BE61FEE72E82BE9472FF
SHA1:	75E78487542EB4829CBEC88DEA748B7F83D6D93E
SHA-256:	2967EBEB5E16E9FB16CEB5F2770CC1718C9085D5188DEC59F45A9B97640B926A
SHA-512:	4F4948CEB6320514C801951AF1A8ED746D8A28D9520DCECB96802415D1C083327B2D8D0A24299C72D78C70A7B4C1D8A4C1286AB20257841AAD72D6192981EE72
Malicious:	false
Preview:	mythicization thoth slagtemads overfill sptmejser bubaline.mellemkrigsaarene broderlandes tekstfelternes interviewernes,erfaringernes kursusforms dame spindeltrappe dkk overeksponeredes binderen tarmrensningsanlggenes muguet bladres scuffles agroan halvaben..udkldningernes regurgitate shellapple slutbetingelserne antimalarial reweaving systemdiskettens,rumbled demurrages uforstyrreligt unmannishly kexy digteres dmoniser erantisser bulter grahamsbrdets ikonerne..skjuleres liquescency syntactics.

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\bjrneskindenes.gal

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	3878
Entropy (8bit):	4.817147450439702
Encrypted:	false
SSDEEP:	48:O/imajgqrd1bZRfozJhxaYUtIG7IvoMzau1GVtvSZb6//znYehs+Fot/A2QGcEZ:LggOJhxzUKG7Y43e9SVWaK
MD5:	2F948404EA3C59278E0D9BFCBE8D4C40
SHA1:	5378D5D2B0FC0D0B8B966B5D902EB1BC7E6D779D
SHA-256:	28958123B65F320945BF723D1C61D73C3A8EB8312564074CB35E322FACB0DBEC
SHA-512:	B808F7FA33194C57581DE9E6D7DB8A8A5DB275C005894B69D150D26FCB4B3A412BB2AC52A13C0D55A0E62EEDDBC6AE6F19B2CCB19CE23290E7E035C335134B0C
Malicious:	false
Preview:	r.......I.'..u.m....}.......e.............!.r..........:.\.....@....+...{o.......r.............x....u.......&..K.f5.E3....Q&..:.V...j..\|...........M.O..[..f..............\|....[......../.....h...._......!N..&...<1.i.7%..K.....o..x....P..}..5......S............}...U..........G.)u...K....T.....z.r..C.H.............]..............9.q....-...............S.....F.;............F..}..Z.............,..i.....y.%.....u../.w.. ...C...X8.O>...........Q.......}.....$.............J............V}.........5..;...=.......j.........M..............=.Xv..:........~..^v..........4...5......e...].,.....3......u........l..i.............].......-........'S.&.^........_...'.q3$.........x.p....\|!......K..o..................40.........Q.>.....Uz.............M......b....Z..0...e...e..$...........1.......E......&.....D........E..........<......E..i.................3...`......p.4..........5E......[.N.....%1....(......M .7.........:.n...6............Cn.Y;......F..............d...o.......1n.;.v.{.......

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\modalities.ali

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.954663209503854
Encrypted:	false
SSDEEP:	96:To5JpHQbnj0h4vYskWqKXYDC0zNo4/UdvwQI3m8mNly7wDXcNLZc:gHmnwh4gaoDC0zNfUPeVm3pXclc
MD5:	A8C0B0FD25B502DC728C818B01C4705E
SHA1:	83C8F134624D964B0946E634229C09262B786358
SHA-256:	03822E3B8D5042BBC7751BABF9A2510E4C41F75AABAEF9D7317DAFED5C2DA04D
SHA-512:	C945703CA4A7F28900A0929D4A6BBD4E2FFFE3323E574C5E4F8CE4D3A5A9FBAD948EA106BA030E66A66F52AAEFE957578A8FBABAB7FE3A42D0EDDAE095C285FD
Malicious:	false
Preview:	.R...j......C .^.....9..........+...........8V.x-:......x..N,.....\..D......!.L.g....@.....'..........x.....T..............P>.(........6.....F..f\...(...S....o.K.....7...4..Q,....P..8.... ......"...Aq... .U...9.W.............p.....l6n....Z........`...6.......A...1......T.......p.......iH.....B.a...............d.......................M...2.....m.......K...C..........< ............9p....H....b...................U.............2......S.A.r...8J!................(........G..............N...]....(..l........Y ..s.2....yI8....O........................j...................'...................rI.Q...@7%....E.........B.G........5..{...j...S/yQ.Q...,.......k...%....\... ...._.......*......\.....J.P../.........9......-..............Q.....-...........................~....&.....................u..........B....P......'.z.O..O......?......_..AV.....=.........~....y..-...............0.d..[......y.....................C.......^"..>.....v....n.N...).......\A....+.VJ..P.a...<...k.......L..-H.

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\parkere.lov

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	4214
Entropy (8bit):	5.046129082285061
Encrypted:	false
SSDEEP:	96:PCiBr5RPnr9McV1tvyZvDmRvNBlcF/XiEwyeivw:PVRPpMcftqZyRvHUXkbr
MD5:	9ADD6AD16F4E7B71089D9807757A8B85
SHA1:	0127249EDC98852B4AFC12B17D8C00EA4BDE8519
SHA-256:	82B86D8FB42303AE132DC37792151FDE087070B9AE5DD01BBC2D77B5762942F5
SHA-512:	0D52F35B9AC792E909DA465FF72B1C089515EE936E9A1DDCBA076D719431F43AC9C4E93B2C3C33BCF6A94A7638BCB543399F8D235301CEDD34D6A16CA543EDEA
Malicious:	false
Preview:	...R.......X...5...........Q.................s.....}...h.k...........r..C....].....y..........................A.....w......N.......\|..h......0...L......P.............x..M=......]....H.......`...... .........L....v..=..0.....E......+................/.......=u..Fh..'..`.........}.....U...kZ..V..h..nF...................+=..H...........N..........L..[...@?.g<.A..b........Z.......'..........l..L.0...#..............>...........3..'..%.............P.YP..Y......W.b....J@...W.f.;...4....v......=........V...Pe..... ..................~...6......%F........?.}........................8..3.............g.k..........I.....&..^........7.eGu..Rd...W......w.8.5P...H..Q........;.6......7u.........>..}.....\.a..`............)e./........k..,.L.E...2.............%+.1....\|..R.#....`.......V..`...4....................................Wix..@...x.\|.......&..S#...KO.......9.......2_"..OP...4..L.(tK.....P....R.............8....s...I+.6...A.5..........}....)....'}W)...Z....#y.%..8.p...x.................G

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\retouchr.app

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	4604
Entropy (8bit):	4.800828433192942
Encrypted:	false
SSDEEP:	96:2JZjKAUt4rE5yHGP/tmB4/cLodXL6FYYVtiCOfKRjY:iZjKAUt4Mh0CkenYQCRjY
MD5:	78C3F9CAADC9005059318C41AF371F53
SHA1:	47427BE3D4D5C20B10EBE761D44FC3C6DD82B92F
SHA-256:	38DA1491F6996D1BD6C41949BB0EE04431D1F26991849BE89B3A4FAE488B76B1
SHA-512:	250ACFC789595818403A27198C930A3DBE006336DE9DEC2C8C1E097C575D8CD1E2960A5B163975324FDC24B5CC9CE251FA28505CAE48A1FE8A9676BC17906120
Malicious:	false
Preview:	.......`C.....".(./...+...i.]M.._..........A.....3........6..(.J............c(....t.........1.........6u..-..I...."..........V.................~..........r....e...-....6.........Lb......K........4..9.....X...I".......&..V.....s..........y.....q........$.............2-...........V.....0..m.<........................<........................?..Y0..........r.................R.....@..Z%..O.}......;..............PI.....j...L......u.4..p...Y,.7-.......o.........../.../y.......OP..........~......t...Y$.ch...}...RY.%.........k................X.c...........]......v7.!......;.....t..h6...M....'...z.....'.r.G^..c...........V.4....b..:H....).w.a................'.T.j.,.V.m.......>.b......7....@......<....Z.......p.M../.........Q...........................\|D...4.c..n...">.@.....RZgm..<....I...l..&.S......f...........R......3.#..q.......i........9.....U.n......Ow.....................I....d...G........iu..n...A.X............'F...:....}w...W......:v.........T.o.f.x.!M..j....a.K2cg..........d.....

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\serendipitously.int

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	2293
Entropy (8bit):	5.0147763937793375
Encrypted:	false
SSDEEP:	48:RyaRUkDpACPmhYArwa+FoQTgxVEwCXxAVY0a+XOBj7A0ziFVx/:3UtZUos0VEwCBT9rleLx/
MD5:	66FE8032945556E76D24C01F08AA618B
SHA1:	2D1C5646DD4DE7BE749CA66729962DBDAB1AD4D6
SHA-256:	8A0A214E24B244B5482BA9B064199EA53BC3975C89F70C04E8CF3021EA49FE56
SHA-512:	01B1B5E568E90C4F0C303F743F6E8288A3CC82BFDCCBB8E5C95125A74F9531BC7A24831FFDAFE95678161AA41A793A092E52C44E0AE625150FD24BB84B469A79
Malicious:	false
Preview:	..C.\|........................;~f...n............x.!...A...D.q..Ne.....H.H..s...`....r.......................I....,...\|....................]..........&...........=...L.2...M...U...........&..b..........#...............TLf.........h.......'F..........................6!...k.............2.....S...s....U......g...:.. .....o...........5.m......z....cC..&..,w.y..............\...b.dZ.H.d............\|.,..t........@........k...`;.....q..@.W..z...Zy......%}3......o.. ..d.r.............JF..N.!........y...................A..e...............'............L..VGp.....~.....dY....<j.1D........1..........yl..)78....p.....F....v.5..........g......;...l ..u.J.............Z...w.................T.0.....Ll.....4.............g......`M...........0.....B..............m.......7.........:.z...v...}.l...................1........#..R.......J...^.......K........X...h..W.[.q.....<..'........'.........&.,......................5....#.......l.....e...B.s...GD.....8....................3..I...........s....{.\

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\skonnertbrig.pan

Download File

Process:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
File Type:	data
Category:	dropped
Size (bytes):	2256
Entropy (8bit):	4.849771089742746
Encrypted:	false
SSDEEP:	48:5wV8WDczEuKBEKKXiCPsWafh/QrJKmGhYbG5sM:5wVOWSyCdYQNDGN
MD5:	2A94C01E0FEC66A108816A0758176AAD
SHA1:	E13323600B9250DE1EB773D897D4278F57ADC5C4
SHA-256:	B2B861402ECF76335D00DF2551817EF8D8B1307D8D3E0A1349149779B26EB40A
SHA-512:	2081EB47CFABFD269D1708641D61FDB6D1AD0F402821CCE808FDD404F7382F8B36726590CBDE17A2F1FAD29F5160B99B21C24DF27842E5D433A76DE1670B109C
Malicious:	false
Preview:	e.X.......L......s....}.{....v..Y..............g..og.c...!X...'..5................. ....q......^...............3.6..{...............j....X.........u........8p..........u.................a.p.......f.....(.........[8.h..V..W. ..............K...+.....^..8............{.....)........a.N.......&...........L.........V.................D.h.....f......A....J\|c ..Y........\..m....3..... ...w.....<.b.............(..{k6................y1........h............O.....<...G.........P...........9T............e....,.........#q....`.......Z.....v.....-.F....D........(.........................e.....,........G.F........@..w-.................H............-0....(.........}..K.....U........6?......................(.......r....gq.J........3...i.J.......6................T=.........%..._....@.Y..........qg....]....A..!..#..c.Y...........B...0.a....@M....HA....................^.....@.....}...h...........p.....f....>....a].e.....H....Y,........HUP.......3...........k...#...........Y...U.b..#)...Q5..>....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.387579589434547
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO874530040021 YIKANG INQUIRY.com.exe
File size:	330'201 bytes
MD5:	86a0fbc943d577f93faf00394997bb22
SHA1:	bc1bd20d88ce7f659dbab2752d670f8cce3ff8e3
SHA256:	b4834413f9bedbc2d64ba07d1401e4d1eb44a54adbca90bb79fc67bf03fa4ab5
SHA512:	c047b8a78a8513fa37a4147d45dfe92c3534693ab5394ee96d50090d71cd28097da09b409e4d00c0e5d6ef1451d29119156c80bd227d7eb5172ea8c7c3713c72
SSDEEP:	6144:A9X0GAbjQDWloo891UylPBX6xuY6RzWBw39tASqEHSVI9AWKw133:G0t/looK1UABXTUI9/Kw133
TLSH:	8464E1915AE446F7E368087050B7E771CF78AD7066040B03AAE4BBDBBB367869DDD042
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................f...\|......H3............@

File Icon


Icon Hash:	968646a6c7060f66

Static PE Info

General

Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F24A9AF [Fri Jul 31 23:30:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007FDD08B1A323h
push ebx
call 00007FDD08B1D486h
cmp eax, ebx
je 00007FDD08B1A319h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007FDD08B1D402h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FDD08B1A2FDh
push 0000000Bh
call 00007FDD08B1D45Ah
push 00000009h
call 00007FDD08B1D453h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007FDD08B1D447h
cmp eax, ebx
je 00007FDD08B1A321h
push 0000001Eh
call eax
test eax, eax
je 00007FDD08B1A319h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x19070	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	f6e38befa56abea7a550141c731da779	False	0.6682368259803921	data	6.434985703212657	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	569269e9338b2e8ce268ead1326e2b0b	False	0.4625	data	5.2610038973135005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	17edd496e40111b5a48947c480fda13c	False	0.4635416666666667	data	4.133728555004788	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x25000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x19070	0x19200	fe8809c5c9eeb1a0843e35f8758c2083	False	0.37116176927860695	data	5.512258056875945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x552c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.34928427777120546
RT_ICON	0x65af0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.4194024563060935
RT_ICON	0x69d18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.4966804979253112
RT_ICON	0x6c2c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5023452157598499
RT_ICON	0x6d368	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.6409574468085106
RT_DIALOG	0x6d7d0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6d8d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6d9f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6dab8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6db18	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x6db68	0x1c8	data	English	United States	0.5021929824561403
RT_MANIFEST	0x6dd30	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	14:15:38
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"
Imagebase:	0x400000
File size:	330'201 bytes
MD5 hash:	86A0FBC943D577F93FAF00394997BB22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3711323210.0000000006BFD000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	1547
Total number of Limit Nodes:	44

Executed Functions

Function 00403348 Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040336D
GetVersion.KERNEL32 ref: 00403373
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
OleInitialize.OLE32(00000000), ref: 004033E9
SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
GetCommandLineA.KERNEL32(Knugede Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",00000020,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",00000000,?,00000007,00000009,0000000B), ref: 00403456
GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 0040390A: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\skolebetjents,1033,Knugede Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Knugede Setup: Installing,00000000,00000002,771B3410), ref: 004039FA
Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(Call), ref: 00403A18
Part of subcall function 0040390A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\skolebetjents), ref: 00403A61
Part of subcall function 0040390A: RegisterClassA.USER32(0042EBC0), ref: 00403A9E

Part of subcall function 00403830: CloseHandle.KERNEL32(000002EC,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
ExitProcess.KERNEL32 ref: 00403688
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
ExitProcess.KERNEL32 ref: 0040382A

Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E

Strings

C:\Users\user\AppData\Local\skolebetjents\Spadestrens, xrefs: 00403644
\Temp, xrefs: 0040356A
1033, xrefs: 004035B4
TEMP, xrefs: 00403598
", xrefs: 0040347B
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403548, 0040354D, 00403563, 0040356F, 0040357E, 0040358B, 00403597, 0040359F, 00403698, 004036A9, 004036B4, 004036C0, 004036CD, 004036DC, 0040378B
100859904, xrefs: 0040371E, 00403781
TMP, xrefs: 004035A0
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 004036FA
~nsu, xrefs: 00403693
UXTHEME, xrefs: 0040339A, 0040339F, 004033A5
C:\Users\user\AppData\Local\skolebetjents, xrefs: 00403538, 00403639, 004036E3, 004036EC
C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe, xrefs: 00403745
NSIS Error, xrefs: 0040340B
C:\Users\user\Desktop, xrefs: 004036BA, 004036BF, 004036EB
Knugede Setup, xrefs: 00403410
.tmp, xrefs: 004036AF
Error launching installer, xrefs: 0040361F
"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe", xrefs: 00403420, 00403426, 004035DD
Low, xrefs: 00403586
SeShutdownPrivilege, xrefs: 004037BE

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"$.tmp$100859904$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\skolebetjents$C:\Users\user\AppData\Local\skolebetjents\Spadestrens$C:\Users\user\Desktop$C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe$Error launching installer$Knugede Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesW(i 0,i r1,i 0)$~nsu
API String ID: 3776617018-2606253957
Opcode ID: 9f7172ca61a1f038ac1aa6a8db1429cac06e36ed1de7e549aa4fc7ed9372f958
Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
Opcode Fuzzy Hash: 9f7172ca61a1f038ac1aa6a8db1429cac06e36ed1de7e549aa4fc7ed9372f958
Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

Function 0040535C Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004053BB
GetDlgItem.USER32(?,000003EE), ref: 004053CA
GetClientRect.USER32(?,?), ref: 00405407
GetSystemMetrics.USER32(00000002), ref: 0040540E
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
ShowWindow.USER32(?,00000008), ref: 004054AA
GetDlgItem.USER32(?,000003EC), ref: 004054CB
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
GetDlgItem.USER32(?,000003F8), ref: 004053D9

Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

GetDlgItem.USER32(?,000003EC), ref: 0040551C
CreateThread.KERNELBASE(00000000,00000000,Function_000052F0,00000000), ref: 0040552A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405531
ShowWindow.USER32(00000000), ref: 00405554
ShowWindow.USER32(?,00000008), ref: 0040555B
ShowWindow.USER32(00000008), ref: 004055A1
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
CreatePopupMenu.USER32 ref: 004055E6
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055FB
GetWindowRect.USER32(?,000000FF), ref: 0040561B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
OpenClipboard.USER32(00000000), ref: 00405680
EmptyClipboard.USER32 ref: 00405686
GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
GlobalLock.KERNEL32(00000000), ref: 00405699
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
GlobalUnlock.KERNEL32(00000000), ref: 004056C6
SetClipboardData.USER32(00000001,00000000), ref: 004056D1
CloseClipboard.USER32 ref: 004056D7

Strings

Knugede Setup: Installing, xrefs: 0040564C

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Knugede Setup: Installing
API String ID: 4154960007-4213847685
Opcode ID: c436c8918fb38c7b5545f7f1a6554f2816d857099955c46476942f2c38664fdc
Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
Opcode Fuzzy Hash: c436c8918fb38c7b5545f7f1a6554f2816d857099955c46476942f2c38664fdc
Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68

Function 6ED81A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6ED81215: GlobalAlloc.KERNELBASE(00000040,6ED81233,?,6ED812CF,-6ED8404B,6ED811AB,-000000A0), ref: 6ED8121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6ED81BC4
lstrcpyA.KERNEL32(00000008,?), ref: 6ED81C0C
lstrcpyA.KERNEL32(00000408,?), ref: 6ED81C16
GlobalFree.KERNEL32(00000000), ref: 6ED81C29
GlobalFree.KERNEL32(?), ref: 6ED81D09
GlobalFree.KERNEL32(?), ref: 6ED81D0E
GlobalFree.KERNEL32(?), ref: 6ED81D13
GlobalFree.KERNEL32(00000000), ref: 6ED81EFA
lstrcpyA.KERNEL32(?,?), ref: 6ED82098
GetModuleHandleA.KERNEL32(00000008), ref: 6ED82114
LoadLibraryA.KERNEL32(00000008), ref: 6ED82125
GetProcAddress.KERNEL32(?,?), ref: 6ED8217E
lstrlenA.KERNEL32(00000408), ref: 6ED82198

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 18434ffc65926b1d6455b623f7a49cc53f7700fb512fffae5e979df67e436725
Instruction ID: 008d44c05908fa4159197104064f0eab1663217861f2a81f06168637e6549e0e
Opcode Fuzzy Hash: 18434ffc65926b1d6455b623f7a49cc53f7700fb512fffae5e979df67e436725
Instruction Fuzzy Hash: BE228AB195460ADEDB508FE9C8907EFBBF4FB06319F10462AD1B5A3180D7749A8DCB50

Function 004058BF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004058E8
lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405930
lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405951
lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405957
FindFirstFileA.KERNELBASE(0042B898,?,?,?,0040A014,?,0042B898,?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405968
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
FindClose.KERNEL32(00000000), ref: 00405A26

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004058CC
"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe", xrefs: 004058BF
\*.*, xrefs: 0040592A

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3109315623
Opcode ID: f3fd74a69a70d8db6e57e20adcaf86135d1334a53a37cdeda7ffd007c5e38f1d
Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
Opcode Fuzzy Hash: f3fd74a69a70d8db6e57e20adcaf86135d1334a53a37cdeda7ffd007c5e38f1d
Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A

Function 0040216B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\skolebetjents\Spadestrens, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\skolebetjents\Spadestrens
API String ID: 123533781-3052457471
Opcode ID: d5ac8e536bab36e1472226809c0cdf08a9d371e862c1e59943db98e9419baf02
Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
Opcode Fuzzy Hash: d5ac8e536bab36e1472226809c0cdf08a9d371e862c1e59943db98e9419baf02
Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54

Function 0040646B Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(771B3410,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004058DF,?,771B3410,C:\Users\user~1\AppData\Local\Temp\), ref: 00406476
FindClose.KERNELBASE(00000000), ref: 00406482

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC

Function 004027A1 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a5b213f8be24180874f9adf411d6afc31dfa0cb9f64df1b0b64d1ebf68b7fd5b
Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
Opcode Fuzzy Hash: a5b213f8be24180874f9adf411d6afc31dfa0cb9f64df1b0b64d1ebf68b7fd5b
Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

Function 00403CA7 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
ShowWindow.USER32(?), ref: 00403D00
DestroyWindow.USER32 ref: 00403D14
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D30
GetDlgItem.USER32(?,?), ref: 00403D51
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
IsWindowEnabled.USER32(00000000), ref: 00403D6C
GetDlgItem.USER32(?,00000001), ref: 00403E1A
GetDlgItem.USER32(?,00000002), ref: 00403E24
SetClassLongA.USER32(?,000000F2,?), ref: 00403E3E
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
GetDlgItem.USER32(?,00000003), ref: 00403F35
ShowWindow.USER32(00000000,?), ref: 00403F56
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F68
EnableWindow.USER32(?,?), ref: 00403F83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
EnableMenuItem.USER32(00000000), ref: 00403FA0
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
lstrlenA.KERNEL32(Knugede Setup: Installing,?,Knugede Setup: Installing,00000000), ref: 00403FF5
SetWindowTextA.USER32(?,Knugede Setup: Installing), ref: 00404004
ShowWindow.USER32(?,0000000A), ref: 00404138

Strings

Knugede Setup: Installing, xrefs: 00403FE5, 00403FEB, 00403FF4, 00404002

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Knugede Setup: Installing
API String ID: 3282139019-4213847685
Opcode ID: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
Opcode Fuzzy Hash: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D

Function 0040390A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

lstrcatA.KERNEL32(1033,Knugede Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Knugede Setup: Installing,00000000,00000002,771B3410,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",00000000), ref: 00403985
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\skolebetjents,1033,Knugede Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Knugede Setup: Installing,00000000,00000002,771B3410), ref: 004039FA
lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
GetFileAttributesA.KERNEL32(Call), ref: 00403A18
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\skolebetjents), ref: 00403A61

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

RegisterClassA.USER32(0042EBC0), ref: 00403A9E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AEB
ShowWindow.USER32(00000005,00000000), ref: 00403B21
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBC0), ref: 00403B4D
GetClassInfoA.USER32(00000000,RichEdit,0042EBC0), ref: 00403B5A
RegisterClassA.USER32(0042EBC0), ref: 00403B63
DialogBoxParamA.USER32(?,00000000,00403CA7,00000000), ref: 00403B82

Strings

Knugede Setup: Installing, xrefs: 00403936, 0040393C, 00403961, 0040396A, 0040397F
RichEdit20A, xrefs: 00403B45, 00403B4B
1033, xrefs: 0040392A, 00403980
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040390F
RichEdit, xrefs: 00403B54
RichEd32, xrefs: 00403B35
_Nb, xrefs: 00403A7D, 00403AE5
C:\Users\user\AppData\Local\skolebetjents, xrefs: 00403994, 0040399C, 00403A34, 00403A3A, 00403A4A
Control Panel\Desktop\ResourceLocale, xrefs: 0040393E
.DEFAULT\Control Panel\International, xrefs: 00403970
RichEd20, xrefs: 00403B27
Call, xrefs: 004039C8, 004039D0, 004039DD, 00403A27, 00403A2D
"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe", xrefs: 0040390E
.exe, xrefs: 00403A07

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\skolebetjents$Call$Control Panel\Desktop\ResourceLocale$Knugede Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-1954797777
Opcode ID: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
Opcode Fuzzy Hash: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

Function 00402EA1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,00000400), ref: 00402ECE

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050

Strings

soft, xrefs: 00402F8F
C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
Inst, xrefs: 00402F86
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
Null, xrefs: 00402F98
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
Error launching installer, xrefs: 00402EF1
@TA, xrefs: 00402F2F
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402EA8
"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe", xrefs: 00402EA1

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"$@TA$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-4107718005
Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

Function 0040618A Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004062B5
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00405256,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000), ref: 004062C8
SHGetSpecialFolderLocation.SHELL32(00405256,771B23A0,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00405256,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000), ref: 00406304
SHGetPathFromIDListA.SHELL32(771B23A0,Call), ref: 00406312
CoTaskMemFree.OLE32(771B23A0), ref: 0040631E
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00405256,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00000000,00424248,771B23A0), ref: 00406394

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll, xrefs: 004061AF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040633C
Call, xrefs: 004061B4, 00406281, 00406282, 00406283, 0040629F, 004062B4, 004062C7, 004062E3, 0040630E, 00406341, 00406347, 0040635F, 00406372, 0040638D, 00406393, 0040639B, 004063C5
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040636C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406284

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 717251189-583608739
Opcode ID: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
Opcode Fuzzy Hash: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\skolebetjents\Spadestrens,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\skolebetjents\Spadestrens,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Knugede Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 0040521E: lstrlenA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00403233,00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Strings

C:\Users\user\AppData\Local\skolebetjents\Spadestrens, xrefs: 00401786
C:\Users\user~1\AppData\Local\Temp\nseD905.tmp, xrefs: 004017A3, 00401812, 00401830
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040180D, 00401819, 00401831
Call, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp$C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll$C:\Users\user\AppData\Local\skolebetjents\Spadestrens$Call$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 1941528284-409593584
Opcode ID: 010f478dded97bc789b326cc51ff6fef7f7987650baebaae1ab3de94b0d9d6fd
Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
Opcode Fuzzy Hash: 010f478dded97bc789b326cc51ff6fef7f7987650baebaae1ab3de94b0d9d6fd
Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

Function 0040521E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
lstrlenA.KERNEL32(00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
lstrcatA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00403233,00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0), ref: 0040527A
SetWindowTextA.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll), ref: 0040528C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll, xrefs: 0040523E, 00405250, 00405256, 00405279, 00405285

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll
API String ID: 2531174081-993787101
Opcode ID: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
Opcode Fuzzy Hash: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98

Function 004030D8 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040320F
wsprintfA.USER32 ref: 0040321F

Strings

... %d%%, xrefs: 00403219
HBB, xrefs: 004031C3, 004031DE, 00403255

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$HBB
API String ID: 551687249-372310663
Opcode ID: ff3709436155857b8c5f020e51af957004c3e874c7d35684cf027f4474eb8925
Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
Opcode Fuzzy Hash: ff3709436155857b8c5f020e51af957004c3e874c7d35684cf027f4474eb8925
Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

Function 004056E4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405727
GetLastError.KERNEL32 ref: 0040573B
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
GetLastError.KERNEL32 ref: 0040575A

Strings

C:\Users\user\Desktop, xrefs: 004056E4
C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040570A

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2752704311
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

Function 00406492 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
wsprintfA.USER32 ref: 004064E2
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Strings

%s%s.dll, xrefs: 004064DC
\, xrefs: 004064BA
UXTHEME, xrefs: 0040649B

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

Function 0040209D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 0040521E: lstrlenA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00403233,00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Strings

kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040211C

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 2987980305-2481569558
Opcode ID: aa48683f2b5658276c8777460aba322a09bfb4319b529873e90e1392fbc4e3c9
Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
Opcode Fuzzy Hash: aa48683f2b5658276c8777460aba322a09bfb4319b529873e90e1392fbc4e3c9
Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E

Function 00405CBF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405CD3
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405CC2
"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe", xrefs: 00405CBF
nsa, xrefs: 00405CCA

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-2536494488
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

Function 00402CD0 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

Function 6ED816DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 6ED81A98: GlobalFree.KERNEL32(?), ref: 6ED81D09
Part of subcall function 6ED81A98: GlobalFree.KERNEL32(?), ref: 6ED81D0E
Part of subcall function 6ED81A98: GlobalFree.KERNEL32(?), ref: 6ED81D13

GlobalFree.KERNEL32(00000000), ref: 6ED81786
FreeLibrary.KERNEL32(?), ref: 6ED81809
GlobalFree.KERNEL32(00000000), ref: 6ED8182E

Part of subcall function 6ED822AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6ED822E0

Part of subcall function 6ED826B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6ED81757,00000000), ref: 6ED82782

Part of subcall function 6ED8156B: wsprintfA.USER32 ref: 6ED81599

Strings

, xrefs: 6ED8180F

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 72670c6a0854ed57a62fe24e4ee3f94b601f71ee5e808c6caeb22bada3514057
Instruction ID: e5f1ae7010fdc0c207365e968322c5292e077409602e9cc223a1af425abaac22
Opcode Fuzzy Hash: 72670c6a0854ed57a62fe24e4ee3f94b601f71ee5e808c6caeb22bada3514057
Instruction Fuzzy Hash: 90417FB1500205DBDB409FE89D95BDB37ACBF06318F048869E9699E186DB74C44ECBB0

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Function 00402476 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nseD905.tmp,00000023,00000011,00000002), ref: 004024C1
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nseD905.tmp,00000000,00000011,00000002), ref: 00402501
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nseD905.tmp,00000000,00000011,00000002), ref: 004025E5

Strings

C:\Users\user~1\AppData\Local\Temp\nseD905.tmp, xrefs: 004024B2, 004024D4, 004024EB, 004024F6

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp
API String ID: 2655323295-3583422182
Opcode ID: 7a7c23c04c90be8b3e585445916e0e680a3a1629c3414f9b9df94d306a1b16c3
Instruction ID: f8068cdfa95035626473adca5f51816a5c1db3e2bbb00f719c7efdf62c59a762
Opcode Fuzzy Hash: 7a7c23c04c90be8b3e585445916e0e680a3a1629c3414f9b9df94d306a1b16c3
Instruction Fuzzy Hash: 12118171E00218AFEF10AFA59E89EAE7A74EB44314F20443BF505F71D1D6B99D419B28

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004058DF,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405727

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\skolebetjents\Spadestrens,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\skolebetjents\Spadestrens, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\skolebetjents\Spadestrens
API String ID: 1892508949-3052457471
Opcode ID: 6f48d1f4569c46ba79332d618e5f2744522d6a7c4d3c9928c8ba38f6ac20f072
Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
Opcode Fuzzy Hash: 6f48d1f4569c46ba79332d618e5f2744522d6a7c4d3c9928c8ba38f6ac20f072
Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E

Function 00405FDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406293,80000002), ref: 00406024
RegCloseKey.KERNELBASE(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll), ref: 0040602F

Strings

Call, xrefs: 00405FE1, 00406015

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4

Function 00405796 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
CloseHandle.KERNEL32(?), ref: 004057CC

Strings

Error launching installer, xrefs: 004057A9

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C

Function 00401B87 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(05E5F498), ref: 00401BF6
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401C08

Strings

Call, xrefs: 00401BAE, 00401BB4, 00401BCE

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 4f6e99611feb600a1a309dae17313cb646ed486db5988612a5590cb9f56acaba
Instruction ID: e4cc8bcb7752a4f6b3811e2611bd1e0fa57f8e281b648bd21e3e74c9503b19de
Opcode Fuzzy Hash: 4f6e99611feb600a1a309dae17313cb646ed486db5988612a5590cb9f56acaba
Instruction Fuzzy Hash: 74219673644101EBDB20EB65DE88E5E73E8EB44318711413BF602B72D1DB78D8529B5D

Function 00402588 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025CD
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nseD905.tmp,00000000,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 4c016d6c2f3ab1e124f4193e20d8829cd250ab49b329f1a0790d135f9ad07b97
Instruction ID: ee0fd62ac357f9525b55a30647733f0e3798e9bebba0400de635a53faed38b57
Opcode Fuzzy Hash: 4c016d6c2f3ab1e124f4193e20d8829cd250ab49b329f1a0790d135f9ad07b97
Instruction Fuzzy Hash: 22017C71604204FFE7219F549E99ABF7ABCEF40358F20403EF505A61C0DAB88A459629

Function 00402516 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nseD905.tmp,00000000,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 2ef09a9a702b63bf190a07099d6d1856d249049087cfb86ce3e8b1f22b1d0afe
Instruction ID: 101e8c123746c764c526cee79e76b60048690b918ccacca24166b7bb3c1ff757
Opcode Fuzzy Hash: 2ef09a9a702b63bf190a07099d6d1856d249049087cfb86ce3e8b1f22b1d0afe
Instruction Fuzzy Hash: EA11C171A00205EFDF25DF64CE985AE7AB4EF00355F20843FE446B72C0D6B88A86DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D

Function 00402421 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402442
RegCloseKey.ADVAPI32(00000000), ref: 0040244B

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 3ec462def41d79965063c97be9dd4531427da1f66958383902fa6c2f68692ee0
Instruction ID: 28034f9d49707e31730e5ee4ae5769526bd8744af0d0927f07882998c216e066
Opcode Fuzzy Hash: 3ec462def41d79965063c97be9dd4531427da1f66958383902fa6c2f68692ee0
Instruction Fuzzy Hash: E3F09632600121DBE720BFA49B8EAAE72A59B40314F25453FF602B71C1D9F84E4246AE

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: ce4306d2a07f27be9225dd95e0d9a06ea23b17b85f17c9412fffb0a9b71968b5
Instruction ID: c1865f8cc46f1228928c2992524d711605dd36016a3aefe194dc66e9efe750da
Opcode Fuzzy Hash: ce4306d2a07f27be9225dd95e0d9a06ea23b17b85f17c9412fffb0a9b71968b5
Instruction Fuzzy Hash: 24F08231705201DBCB20DF769D04A9BBFA4EF91354B10803BE145F6190D6788502CA68

Function 00401EC5 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EE3
EnableWindow.USER32(00000000,00000000), ref: 00401EEE

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 8b7817ca22b79e9cee4aa1cb1be03623fa11f3862aed9c5f3b00cb70b3c6cfe0
Instruction ID: 2686c2d45ba130581374544c13beebfcaf73fd10f5aa92b185336ae358fe78f7
Opcode Fuzzy Hash: 8b7817ca22b79e9cee4aa1cb1be03623fa11f3862aed9c5f3b00cb70b3c6cfe0
Instruction Fuzzy Hash: 69E09232B04200EFD714EFA5EA8856E7BB0EB40325B20413FF001F20C1DAB848418A69

Function 00406500 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D

Function 00405C90 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,80000000,00000003), ref: 00405C94
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Function 00405761 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D

Function 0040239C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023D5

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cd8b371b6f55f1d33d0eddf2f35f8062392e7128ea2648a4caa2e71cbd90ff81
Instruction ID: a2264a5e3b04165b7de03e79847980bb6a424129cbe2f78830b73284cd35be0b
Opcode Fuzzy Hash: cd8b371b6f55f1d33d0eddf2f35f8062392e7128ea2648a4caa2e71cbd90ff81
Instruction Fuzzy Hash: F8E04831610114ABD7203EB14F8D97F31A9DB44304B34153FBA11761C6D9FC5C414279

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e053cd0a5a713bcd6573213f31fe775dca372833d122c7f25a227a8b80c7c065
Instruction ID: 99b882ef8ac932529d6fdfe3c41faefb6a71927cb26e20fd81cb329c01224dc0
Opcode Fuzzy Hash: e053cd0a5a713bcd6573213f31fe775dca372833d122c7f25a227a8b80c7c065
Instruction Fuzzy Hash: 93E0DF72304210EFD710DF649E49BAB37A8DF10368B20427AE111A60C2E6F89906873D

Function 00405FAB Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402C7F,00000000,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction ID: 8c71f3c26dc4a4bf3eef9e60a583d004d00a96479e721722a8f6be6a9d57506c
Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction Fuzzy Hash: 1CE0E6B201450ABEDF095F50DD0ED7B3B1DE704300F14452EF906D4050E6B5A9205A34

Function 00405D08 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4

Function 00405D37 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8

Function 6ED82921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6ED8404C,00000004,00000040,6ED8403C), ref: 6ED8293F

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bc6eed5021ea3443d8855d9a88e84117c09a2322b8851f33a25a39ad78f9a627
Instruction ID: 4d0a609a75d53f9c7ff1bc6daa243978ed3657ccdc547a980b133e2e1c02c664
Opcode Fuzzy Hash: bc6eed5021ea3443d8855d9a88e84117c09a2322b8851f33a25a39ad78f9a627
Instruction Fuzzy Hash: 1CF0C9B1928B80DEEB60CFB8C444B073FF8A31B758B12452AE15CD7241E334484BDB12

Function 00405F7D Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,0040600B,?,?,?,?,00000002,Call), ref: 00405FA1

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: 8d979316dbb681ef417a562383420c35b8ea1d7cbf1ba97b3ef1f912197d15a8
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 26D0EC7200460ABBDF115E90DD05FAB3B1DEB08310F044426FA05E5091D679D530AA25

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5887674a1f5513ec9541be2dff6cbc71c684969360942c525d855edfecb85619
Instruction ID: 936ed37629fa473271aaed7dd48578ad272974d6d3f069640798472dc64bc079
Opcode Fuzzy Hash: 5887674a1f5513ec9541be2dff6cbc71c684969360942c525d855edfecb85619
Instruction Fuzzy Hash: F6D01232704115DBDB10EFA59B08A9E73B5EB10325B308277E111F21D1E6B9C9469A2D

Function 004041C7 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103F2,00000000,00000000,00000000), ref: 004041D9

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction ID: 4f5bfb943ccb7372f266285400f959559a3f08b639bcfa815988f1d16fb7a589
Opcode Fuzzy Hash: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction Fuzzy Hash: A5C09BB17447017FEE20CB659D49F0777586750700F2544397755F60D4C674E461D61C

Function 00403300 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 004041B0 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction ID: 1318e1a831b13f4a694e23e2858010ee9933afb9cbbae162fbad06e3603bfc21
Opcode Fuzzy Hash: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction Fuzzy Hash: A9B09236284A00ABDA215B50DE09F4A7A72A768701F408039B240250B0CAB200A5EB18

Function 0040419D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F79), ref: 004041A7

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction ID: f9921b4c88a1a0ed6e9c6eedf741b01f94502565facb500019f25752580a62db
Opcode Fuzzy Hash: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction Fuzzy Hash: C5A011B2000000AFCB02AB00EF08C0ABBA2ABA0300B008838A280800388B320832EB0A

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040521E: lstrlenA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00403233,00403233,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,00000000,00424248,771B23A0), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nseD905.tmp\System.dll), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
Part of subcall function 00406575: GetExitCodeProcess.KERNEL32(?,?), ref: 004065A8

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: d9e451cc79eab79a1af679e8d88f1dc4dd97fd96b8bc802c5400ef5df8be1ecc
Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
Opcode Fuzzy Hash: d9e451cc79eab79a1af679e8d88f1dc4dd97fd96b8bc802c5400ef5df8be1ecc
Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E

Function 6ED8101B Relevance: 1.3, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6ED81019,00000001), ref: 6ED8102F

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 8901c2bcb136139e91bf2f5947b3c70595de4896b883834a931623b2b53b9343
Instruction ID: e84a43cd10f635a3d4ab3101fccb1040d32b8eb299ccfc7224d6a9d776a92ca3
Opcode Fuzzy Hash: 8901c2bcb136139e91bf2f5947b3c70595de4896b883834a931623b2b53b9343
Instruction Fuzzy Hash: D1C08CA1414201BEE52087FC4D09E1B63AC9B4A756F109800F66AC5080DB24C10C0231

Function 6ED81215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,6ED81233,?,6ED812CF,-6ED8404B,6ED811AB,-000000A0), ref: 6ED8121D

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 7c5367ede943331807f5bb3d99593acd8b247355dcec5a13aa2d6066db39c3b1
Instruction ID: 38ce085adc5dda4db321428bc0e4e555305f71c9c90e422de535d21418df6b33
Opcode Fuzzy Hash: 7c5367ede943331807f5bb3d99593acd8b247355dcec5a13aa2d6066db39c3b1
Instruction Fuzzy Hash: C7A00271964900DBFE429FE0890EF1B3B29E74B702F018040E31964194C6754413DB37

Non-executed Functions

Function 0040460D Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040465C
SetWindowTextA.USER32(00000000,?), ref: 00404686
SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
CoTaskMemFree.OLE32(00000000), ref: 00404742
lstrcmpiA.KERNEL32(Call,Knugede Setup: Installing), ref: 00404774
lstrcatA.KERNEL32(?,Call), ref: 00404780
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404792

Part of subcall function 004057F7: GetDlgItemTextA.USER32(?,?,00000400,004047C9), ref: 0040580A

Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403323,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403323,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
Part of subcall function 004063D2: CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403323,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B

Part of subcall function 004049C4: lstrlenA.KERNEL32(Knugede Setup: Installing,Knugede Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
Part of subcall function 004049C4: SetDlgItemTextA.USER32(?,Knugede Setup: Installing), ref: 00404A7D

Strings

Knugede Setup: Installing, xrefs: 0040470A, 0040476D
C:\Users\user\AppData\Local\skolebetjents, xrefs: 0040475D
A, xrefs: 00404730
Call, xrefs: 0040476E, 00404773, 0040477E
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00404626

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\skolebetjents$Call$Knugede Setup: Installing$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 2624150263-11791383
Opcode ID: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
Opcode Fuzzy Hash: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69

Function 00406945 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14

Function 0040711C Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95

Function 00404B80 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B97
GetDlgItem.USER32(?,00000408), ref: 00404BA4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404C0A
SetWindowLongA.USER32(?,000000FC,00405192), ref: 00404C24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
DeleteObject.GDI32(00000110), ref: 00404C81
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82

Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
GetWindowLongA.USER32(?,000000F0), ref: 00404DC4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404DD2
ShowWindow.USER32(?,00000005), ref: 00404DE2
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
ImageList_Destroy.COMCTL32(00000000), ref: 00404FB0
GlobalFree.KERNEL32(00000000), ref: 00404FC0
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
ShowWindow.USER32(?,00000000), ref: 00405169
GetDlgItem.USER32(?,000003FE), ref: 00405174
ShowWindow.USER32(00000000), ref: 0040517B

Strings

, xrefs: 00405153
M, xrefs: 00404D3A
N, xrefs: 00404E1B

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
Opcode Fuzzy Hash: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58

Function 004042E6 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
GetDlgItem.USER32(00000000,000003E8), ref: 00404385
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
GetSysColor.USER32(?), ref: 004043B4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
lstrlenA.KERNEL32(?), ref: 004043D5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
GetDlgItem.USER32(?,0000040A), ref: 0040445B
SendMessageA.USER32(00000000), ref: 0040445E
GetDlgItem.USER32(?,000003E8), ref: 00404489
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
LoadCursorA.USER32(00000000,00007F02), ref: 004044D8
SetCursor.USER32(00000000), ref: 004044E1
LoadCursorA.USER32(00000000,00007F00), ref: 004044F7
SetCursor.USER32(00000000), ref: 004044FA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A

Strings

N, xrefs: 00404477
Call, xrefs: 004044B4

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Knugede Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Knugede Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Knugede Setup
API String ID: 941294808-1929030138
Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4

Function 00405D66 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405DA0

Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405DBD
wsprintfA.USER32 ref: 00405DDB
GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
GlobalFree.KERNEL32(00000000), ref: 00405EC4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Strings

%s=%s, xrefs: 00405DD1
[Rename], xrefs: 00405E45, 00405E57

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
Opcode Fuzzy Hash: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD

Function 6ED822F1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6ED82447

Part of subcall function 6ED81224: lstrcpynA.KERNEL32(00000000,?,6ED812CF,-6ED8404B,6ED811AB,-000000A0), ref: 6ED81234

GlobalAlloc.KERNEL32(00000040,?), ref: 6ED823C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6ED823D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6ED823E8
CLSIDFromString.OLE32(00000000,00000000), ref: 6ED823F6
GlobalFree.KERNEL32(00000000), ref: 6ED823FD

Strings

@H3w, xrefs: 6ED823F6

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @H3w
API String ID: 3730416702-4275297014
Opcode ID: 13cf7264a5e1ebab398363cc2bf019e8c026ca5c33efd4f0d2b04d7c804bec24
Instruction ID: cbaf1e72a3df93ce4be41c3d37252c8b5ff2cef37f70d1810a95ee33133b5180
Opcode Fuzzy Hash: 13cf7264a5e1ebab398363cc2bf019e8c026ca5c33efd4f0d2b04d7c804bec24
Instruction Fuzzy Hash: E1418BB1508701EFE7108FA99844F6BB7ECFB62319F10492EE599DB190D730E949CB62

Function 004063D2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403323,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
CharNextA.USER32(?,"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe",771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403323,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
CharPrevA.USER32(?,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000,00403323,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004063D3
"C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe", xrefs: 0040640E
*?|<>/":, xrefs: 0040641A

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-2153965668
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD

Function 004041E2 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041FF
GetSysColor.USER32(00000000), ref: 0040423D
SetTextColor.GDI32(?,00000000), ref: 00404249
SetBkMode.GDI32(?,?), ref: 00404255
GetSysColor.USER32(?), ref: 00404268
SetBkColor.GDI32(?,?), ref: 00404278
DeleteObject.GDI32(?), ref: 00404292
CreateBrushIndirect.GDI32(?), ref: 0040429C

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54

Function 6ED824D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6ED81215: GlobalAlloc.KERNELBASE(00000040,6ED81233,?,6ED812CF,-6ED8404B,6ED811AB,-000000A0), ref: 6ED8121D

GlobalFree.KERNEL32(?), ref: 6ED825DE
GlobalFree.KERNEL32(00000000), ref: 6ED82618

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 3e84eb0265009df316c4d78c3cf97f9d095227279840b3fb9edd7288cbcb4c54
Instruction ID: 8883d45c1fb813d7cf2416aa498fe77215f9f9536b3b944ccbcab8c45dbb410e
Opcode Fuzzy Hash: 3e84eb0265009df316c4d78c3cf97f9d095227279840b3fb9edd7288cbcb4c54
Instruction Fuzzy Hash: 1541A071558601EFD705CF94CC98C6B77BEEB87308B0049AAF55197210E735D90ACB62

Function 00404ACE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
GetMessagePos.USER32 ref: 00404AF1
ScreenToClient.USER32(?,?), ref: 00404B0B
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43

Strings

f, xrefs: 00404B1F

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4

Function 00401E35 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA

Strings

Times New Roman, xrefs: 00401EA0

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 34521723c529513f9d2f25f2c915d7e6e1bbb21449fac5a346249fa94324e5da
Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
Opcode Fuzzy Hash: 34521723c529513f9d2f25f2c915d7e6e1bbb21449fac5a346249fa94324e5da
Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

Function 00402DBA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(000509D5,00000064,000509D9), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59

Function 004027DF Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32(?), ref: 0040288E
GlobalFree.KERNEL32(00000000), ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8

Function 004049C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Knugede Setup: Installing,Knugede Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
wsprintfA.USER32 ref: 00404A6A
SetDlgItemTextA.USER32(?,Knugede Setup: Installing), ref: 00404A7D

Strings

%u.%u%s%s, xrefs: 00404A4C
Knugede Setup: Installing, xrefs: 00404A54, 00404A59, 00404A5F, 00404A73

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Knugede Setup: Installing
API String ID: 3540041739-2661620914
Opcode ID: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
Opcode Fuzzy Hash: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9

Function 6ED81837 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6ED81893
GlobalFree.KERNEL32(?), ref: 6ED81A2A
GlobalFree.KERNEL32(?), ref: 6ED81A2F

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b86969fc7c19a30852fc5e6a809f36f751a3c44746a1de4a0a3c4739096b8299
Instruction ID: a43f377bc03d6435f327f67ac13d398cfbf27e12fefe80697a1734724eb3d9e7
Opcode Fuzzy Hash: b86969fc7c19a30852fc5e6a809f36f751a3c44746a1de4a0a3c4739096b8299
Instruction Fuzzy Hash: 3E511232D1419AEEDB40AFE9C8446AFBBB9FB46349F04059AD474A3100C371EA8EC761

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54

Function 00405A8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403335,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403335,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405A8F

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD

Function 00402E3D Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED

Function 00405B7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Knugede Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004058DF,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004058DF,?,771B3410,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405BD0
GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,771B3410,?,C:\Users\user~1\AppData\Local\Temp\,004058DF,?,771B3410,C:\Users\user~1\AppData\Local\Temp\), ref: 00405BE0

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B7D

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 3248276644-2382934351
Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE

Function 00405192 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004051C1
CallWindowProcA.USER32(?,?,?,?), ref: 00405212

Part of subcall function 004041C7: SendMessageA.USER32(000103F2,00000000,00000000,00000000), ref: 004041D9

Strings

, xrefs: 004051A2

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E

Function 00403875 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3410,00000000,C:\Users\user~1\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
GlobalFree.KERNEL32(0079D348), ref: 00403896

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403875

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88

Function 00405AD6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,80000000,00000003), ref: 00405ADC
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,C:\Users\user\Desktop\PO874530040021 YIKANG INQUIRY.com.exe,80000000,00000003), ref: 00405AEA

Strings

C:\Users\user\Desktop, xrefs: 00405AD6

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD

Function 6ED810E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6ED8115B
GlobalFree.KERNEL32(00000000), ref: 6ED811B4
GlobalFree.KERNEL32(?), ref: 6ED811C7
GlobalFree.KERNEL32(?), ref: 6ED811F5

Memory Dump Source

Source File: 00000000.00000002.3712504824.000000006ED81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6ED80000, based on PE: true

Associated: 00000000.00000002.3712477997.000000006ED80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712531514.000000006ED83000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3712560392.000000006ED85000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed80000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1f360aa5148c73ba75cbbaf5028b9dce796f4514dbb44c35fd0478b411b954f1
Instruction ID: f5f08e0b0ae5cd7a6807d75e6c482919dfea251e7d1516cc23410859aa62e0ee
Opcode Fuzzy Hash: 1f360aa5148c73ba75cbbaf5028b9dce796f4514dbb44c35fd0478b411b954f1
Instruction Fuzzy Hash: C6319CB1924646AFEB118FE9D959B6B7FFCEB07250B140516E864C6290EB34DC0ECB20

Function 00405BF5 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C1D
CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

Memory Dump Source

Source File: 00000000.00000002.3645041934.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3644943485.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645129299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.000000000044D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3645224309.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3646003424.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO874530040021 YIKANG INQUIRY.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO874530040021 YIKANG INQUIRY.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\polres.lnk

C:\Users\user\AppData\Local\Temp\nseD905.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nseD905.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nseD905.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Laparocolpohysterotomy162.fra

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Lrketr160.bel

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Misdefine.vil

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Taino.Tan3

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\Tgernes.sub

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\Stuepigen.hor

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\Talbehandlings88.uve

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\Thunderhead118.dop

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\advancing.fol

C:\Users\user\AppData\Local\skolebetjents\Improvisatorens\sphagnaceae\bepepper.txt

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\bjrneskindenes.gal

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\modalities.ali

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\parkere.lov

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\retouchr.app

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\serendipitously.int

C:\Users\user\AppData\Local\skolebetjents\Spadestrens\skonnertbrig.pan

Static File Info

General

Windows Analysis Report
PO874530040021 YIKANG INQUIRY.com.exe

Function 00403348 Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Function 0040535C Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 004058BF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403CA7 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040390A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EA1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 181
memoryCOMMON

Function 0040618A Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 0040521E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 004030D8 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Function 004056E4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00406492 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040209D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 00405CBF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00402CD0 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON