Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Analysis ID:	1446070
MD5:	4a47cddaecb9c32a7dda070fa85534ee
SHA1:	5f0794d9906e046fbd7d6aebcf8320bf63717bf8
SHA256:	6091ebc6ab4572afe5fb8f16ddff0d6395abf68e19baf572442940e4344f977b
Tags:	exe
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe (PID: 2156 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe" MD5: 4A47CDDAECB9C32A7DDA070FA85534EE)

SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp (PID: 612 cmdline: "C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp" /SL5="$203F2,492927,56832,C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe" MD5: A2C4D52C66B4B399FACADB8CC8386745)

TXT to ePub converter.exe (PID: 6452 cmdline: "C:\Program Files (x86)\txt to epub converter\TXT to epub converter.exe" MD5: 8612893894937FCDBAF1EDCEEE250C18)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463CDC

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	String found in binary or memory: http://www.daisy.org/z3986/2005/ncx/
Source: is-IAGUC.tmp.1.dr	String found in binary or memory: http://www.epubforwindows.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065760061.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067734484.0000000003100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.epubforwindows.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.epubforwindows.com/.
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	String found in binary or memory: http://www.epubforwindows.com/buynow.htm
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	String found in binary or memory: http://www.epubforwindows.com/buynow.htmU
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	String found in binary or memory: http://www.idpf.org/2007/opf
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065760061.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465905142.0000000000823000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467674961.000000000083B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067734484.0000000003100000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465974307.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.luckhan.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00423B84 NtdllDefWindowProc_A,	1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004125D8 NtdllDefWindowProc_A,	1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00478AC0 NtdllDefWindowProc_A,	1_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0042F520 NtdllDefWindowProc_A,	1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457594

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E934

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555E4

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004706A8	1_2_004706A8
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004809F7	1_2_004809F7
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004673A4	1_2_004673A4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0043035C	1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004444C8	1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004345C4	1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00444A70	1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00486BD0	1_2_00486BD0
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00430EE8	1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0045F0C4	1_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00445168	1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0045B174	1_2_0045B174
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004352C8	1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00469404	1_2_00469404
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00445574	1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004519BC	1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00487B30	1_2_00487B30
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0043DD50	1_2_0043DD50
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0048DF54	1_2_0048DF54

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: String function: 004460A4 appears 59 times

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-736GC.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-736GC.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-736GC.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean4.winEXE@5/18@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555E4

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_00455E0C

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409C34

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

File created: C:\Program Files (x86)\txt to epub converter

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

File created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp

Jump to behavior

Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe "C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Process created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp "C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp" /SL5="$203F2,492927,56832,C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process created: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe "C:\Program Files (x86)\txt to epub converter\TXT to epub converter.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Process created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp "C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp" /SL5="$203F2,492927,56832,C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process created: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe "C:\Program Files (x86)\txt to epub converter\TXT to epub converter.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: TXT to ePub Converter.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe
Source: Uninstall TXT to ePub Converter.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\txt to epub converter\unins000.exe

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Automated click: I accept the agreement

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004502C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0040994C push 00409989h; ret	1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00483F88 push 00484096h; ret	1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax	1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx	1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00412928 push 0041298Bh; ret	1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx	1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx	1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004592D0 push 00459314h; ret	1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx	1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx	1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx	1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004517F8 push 0045182Bh; ret	1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax	1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx	1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx	1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx	1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00499D30 pushad ; retf	1_2_00499D3F

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\Program Files (x86)\txt to epub converter\is-IAGUC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	File created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\Program Files (x86)\txt to epub converter\is-736GC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\TXT to ePub Converter.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\Uninstall TXT to ePub Converter.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,	1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00424194 IsIconic,SetActiveWindow,	1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00417598 IsIconic,GetCapture,	1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00417CCE IsIconic,SetWindowPos,	1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CD0

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F118

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\txt to epub converter\is-736GC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5448

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463CDC

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B78

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004502C0

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478504

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E09C

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: GetLocaleInfoA,	1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Code function: GetLocaleInfoA,	1_2_004085B4

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_004585C8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Code function: 1_2_0045559C GetUserNameA,

1_2_0045559C

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	2 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	2 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	2 Obfuscated Files or Information	LSA Secrets	3 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe (copy)	7%	ReversingLabs
C:\Program Files (x86)\txt to epub converter\is-736GC.tmp	7%	ReversingLabs
C:\Program Files (x86)\txt to epub converter\is-IAGUC.tmp	7%	ReversingLabs
C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp	4%	ReversingLabs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	URL Reputation	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.idpf.org/2007/opf	0%	Avira URL Cloud	safe
http://www.epubforwindows.com/.	0%	Avira URL Cloud	safe
http://www.epubforwindows.com/	0%	Avira URL Cloud	safe
http://www.epubforwindows.com	0%	Avira URL Cloud	safe
http://www.epubforwindows.com/buynow.htmU	0%	Avira URL Cloud	safe
http://www.luckhan.com/	0%	Avira URL Cloud	safe
http://www.epubforwindows.com/buynow.htm	0%	Avira URL Cloud	safe
http://www.daisy.org/z3986/2005/ncx/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.idpf.org/2007/opf	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.remobjects.com/psU	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.epubforwindows.com/.	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	false	URL Reputation: safe	unknown
http://www.epubforwindows.com/	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065760061.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067734484.0000000003100000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.epubforwindows.com/buynow.htmU	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe	false	URL Reputation: safe	unknown
http://www.epubforwindows.com	is-IAGUC.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.luckhan.com/	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065760061.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465905142.0000000000823000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467674961.000000000083B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067734484.0000000003100000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465974307.000000000083A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.epubforwindows.com/buynow.htm	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.daisy.org/z3986/2005/ncx/	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446070
Start date and time:	2024-05-22 22:12:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Detection:	CLEAN
Classification:	clean4.winEXE@5/18@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 170 Number of non-executed functions: 156
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp	http://adlvanced-ip-scanner.com	Get hash	malicious	Unknown	Browse
	L1QnAwXT7U.exe	Get hash	malicious	Socks5Systemz	Browse
	SecuriteInfo.com.FileRepMalware.9294.28999.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, Socks5Systemz, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse
	CtEeMS3H62.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse
	LIRR4A0xzv.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
	6BE4950D9A919F5D0150D19552B340E9B5EF1959A18FD.exe	Get hash	malicious	LummaC, GCleaner, Mars Stealer, PrivateLoader, PureLog Stealer, RedLine, RisePro Stealer	Browse
	5i7hafPPeN.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, AIN 2.x self-extracting archive
Category:	dropped
Size (bytes):	1288192
Entropy (8bit):	6.900542618562313
Encrypted:	false
SSDEEP:	24576:2t2J7qP5toteIxHqK8TxWmAy63/VSUATjn8TikJM8cMpv:XJkIxawUbToTXm8cMpv
MD5:	8612893894937FCDBAF1EDCEEE250C18
SHA1:	07B597BF936A2757C33D21D72240F059D06C34F8
SHA-256:	E04A28AF82BE76162805E07A15793B9E4EE48D83C911B38BEC8084B38680B430
SHA-512:	7D4822A0D94D5ADFEDAF4C85199FA42089E60B4DE857F98ACDAEA9B286BF09A981ED5705AD466E0C1EDF1F99BA2B56CCF4A2AF87D23D11B3FAB10DEFD54FDFC0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@...............................(.......L.........................................................................................................CODE....(........................... ..`DATA...............................@...BSS.....!............r...................idata...(..........r..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....L.......L...\..............@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\txt to epub converter\config.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	Microsoft HTML Help Project
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.377336696990888
Encrypted:	false
SSDEEP:	3:SDomuR/W8SU8Ov:5ms9
MD5:	D62C9D88ABA1C680A83D2F976B937A5A
SHA1:	D2AB3BEA3953F22E4926311016647B6790A4EE11
SHA-256:	B156911C9828468C582EEAE8FB7F47E690E7AF86C8ACA09367220CE606CF0F65
SHA-512:	F37DB5C3178A5A4F1A8CB08EF8D80763EFE157B721FDB135AE1BF6BE65311AED7816FBC172B4B17348E0B3072266717E63A3E6A39426A96E4BB94D0E750DF711
Malicious:	false
Reputation:	low
Preview:	;Options..[Options]..SavePath =D:\output..

C:\Program Files (x86)\txt to epub converter\epubfiles\CCS\is-FSN7P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4165
Entropy (8bit):	4.959238267754904
Encrypted:	false
SSDEEP:	96:QbQvVEG3q3uyI/A4tCQRif6LFoWVEQjQ3QBQhB+XklOGSFNZrG:QxGUX4tFRifiyaaB+XaOGSFNZrG
MD5:	0F87FBCAE173289578DF48D56DA6084E
SHA1:	9C9A3A11BBD971BDBD9F88F9FBA8C7F5879B2252
SHA-256:	D8604FB1B40D28B63A266EB04E32BBA838A55D70B3EAABD5238F5D2B4E6941A6
SHA-512:	3FE779B2247D4C3EF297063C4A7DB8DF8DDF37B55384DB4FF71D9264803C7FC11985E26B7554293DB4F55C018D829A07295F5832C8B0336F86E42BD0BE7F819B
Malicious:	false
Reputation:	low
Preview:	../* coverpage /..#coverpage {...vertical-align: middle;...text-align: center;...background-color: white;...margin: 0em;..}.....coverimage {...height: 100%;...margin: 0em;..}....../ title page /..#titlepage {...text-align: center;...margin-top: 10%;..}.....booktitle {...text-align: center;...padding-bottom: 1em;...letter-spacing: .08em;...font-size: 2em;..}.....subtitle {...padding-bottom: 1em;...text-align: center;...font-style: normal;...font-weight: normal;...font-size: 1.5em;..}....p.embellish {...text-align: center;...text-indent: 0px;..}.....author {...padding-top: 1em;...text-align: center;...font-style: italic;...font-weight: normal;...font-size: 1.5em;..}.....illustrator {...padding-top: 1.2em;...text-align: center;...font-style: normal;...font-weight: normal;...font-size: 1.2em;..}....../ copyright */...copyright {...padding-top: 10%;...text-align:center;..}.....copyrightText {...font-size: 1em;...font-weight: normal;..}.....publisher {...font-weight: bold;...line-height:

C:\Program Files (x86)\txt to epub converter\epubfiles\CCS\stylesheet.css (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4165
Entropy (8bit):	4.959238267754904
Encrypted:	false
SSDEEP:	96:QbQvVEG3q3uyI/A4tCQRif6LFoWVEQjQ3QBQhB+XklOGSFNZrG:QxGUX4tFRifiyaaB+XaOGSFNZrG
MD5:	0F87FBCAE173289578DF48D56DA6084E
SHA1:	9C9A3A11BBD971BDBD9F88F9FBA8C7F5879B2252
SHA-256:	D8604FB1B40D28B63A266EB04E32BBA838A55D70B3EAABD5238F5D2B4E6941A6
SHA-512:	3FE779B2247D4C3EF297063C4A7DB8DF8DDF37B55384DB4FF71D9264803C7FC11985E26B7554293DB4F55C018D829A07295F5832C8B0336F86E42BD0BE7F819B
Malicious:	false
Reputation:	low
Preview:	../* coverpage /..#coverpage {...vertical-align: middle;...text-align: center;...background-color: white;...margin: 0em;..}.....coverimage {...height: 100%;...margin: 0em;..}....../ title page /..#titlepage {...text-align: center;...margin-top: 10%;..}.....booktitle {...text-align: center;...padding-bottom: 1em;...letter-spacing: .08em;...font-size: 2em;..}.....subtitle {...padding-bottom: 1em;...text-align: center;...font-style: normal;...font-weight: normal;...font-size: 1.5em;..}....p.embellish {...text-align: center;...text-indent: 0px;..}.....author {...padding-top: 1em;...text-align: center;...font-style: italic;...font-weight: normal;...font-size: 1.5em;..}.....illustrator {...padding-top: 1.2em;...text-align: center;...font-style: normal;...font-weight: normal;...font-size: 1.2em;..}....../ copyright */...copyright {...padding-top: 10%;...text-align:center;..}.....copyrightText {...font-size: 1em;...font-weight: normal;..}.....publisher {...font-weight: bold;...line-height:

C:\Program Files (x86)\txt to epub converter\epubfiles\META-INF\container.xml (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.9797456858335245
Encrypted:	false
SSDEEP:	6:TMVBdYDoZz9UD7OSJtvL3GhJ0qbOMemM2:TMHdYsH2OSvvzMe6
MD5:	85CC6CFA75A188C686848BE2C2A70FE5
SHA1:	207DE5CF7201EE4F3E7C6623590BB51BA6BCFB31
SHA-256:	67EDC11AFE98BC64A773426F957D48EB4D0DE5062EB111A3A45FE1A20563BB06
SHA-512:	BD366559786CD12100EC90E4A2F9FEDCB15E33F4D7BEA4E5BF88AE0245A320C9117752196B779E591AF33FC442F69ADFB3863190D9144B0872CAA8CF15AE24D3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" ?>..<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">.. <rootfiles>.. <rootfile full-path="OEBPS/fb.opf" media-type="application/oebps-package+xml"/>.. </rootfiles>..</container>.

C:\Program Files (x86)\txt to epub converter\epubfiles\META-INF\is-OU0ID.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.9797456858335245
Encrypted:	false
SSDEEP:	6:TMVBdYDoZz9UD7OSJtvL3GhJ0qbOMemM2:TMHdYsH2OSvvzMe6
MD5:	85CC6CFA75A188C686848BE2C2A70FE5
SHA1:	207DE5CF7201EE4F3E7C6623590BB51BA6BCFB31
SHA-256:	67EDC11AFE98BC64A773426F957D48EB4D0DE5062EB111A3A45FE1A20563BB06
SHA-512:	BD366559786CD12100EC90E4A2F9FEDCB15E33F4D7BEA4E5BF88AE0245A320C9117752196B779E591AF33FC442F69ADFB3863190D9144B0872CAA8CF15AE24D3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" ?>..<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">.. <rootfiles>.. <rootfile full-path="OEBPS/fb.opf" media-type="application/oebps-package+xml"/>.. </rootfiles>..</container>.

C:\Program Files (x86)\txt to epub converter\epubfiles\is-4I22N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.788754913993502
Encrypted:	false
SSDEEP:	3:8VCdMQb6uRn:8wh6+n
MD5:	9A6039993ECE3708230913E507AE8BE4
SHA1:	AD88ED02C92C171812B309E951C0E83300AEDC1E
SHA-256:	338312C1AE3989057348595A23872534EB07A22F6F4B26A4F1DDA2EE74754FF3
SHA-512:	265A01E0FBD1753094D9285F470013B20C18C4FEBB40052EBB25047611C7810FDA633F694931E01F446EA3FC32B019079BDD5F26F2FB412EF0B6D1E1BE5D54B9
Malicious:	false
Reputation:	low
Preview:	application/epub+zip..

C:\Program Files (x86)\txt to epub converter\epubfiles\mimetype (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.788754913993502
Encrypted:	false
SSDEEP:	3:8VCdMQb6uRn:8wh6+n
MD5:	9A6039993ECE3708230913E507AE8BE4
SHA1:	AD88ED02C92C171812B309E951C0E83300AEDC1E
SHA-256:	338312C1AE3989057348595A23872534EB07A22F6F4B26A4F1DDA2EE74754FF3
SHA-512:	265A01E0FBD1753094D9285F470013B20C18C4FEBB40052EBB25047611C7810FDA633F694931E01F446EA3FC32B019079BDD5F26F2FB412EF0B6D1E1BE5D54B9
Malicious:	false
Reputation:	low
Preview:	application/epub+zip..

C:\Program Files (x86)\txt to epub converter\is-736GC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	717985
Entropy (8bit):	6.514882897353911
Encrypted:	false
SSDEEP:	12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+1Iq5MRxyFc:SPcYn5c/rPx37/zHBA6pFptZ1CEQqMRd
MD5:	A29F3D032533D29FC32FF63E13779C39
SHA1:	434A947C3E62C0632A522A4431F2E0005B9AA26C
SHA-256:	FD34D4C6C4F2BFE142191FE92DFC6040492A6D37F1FA19EF0216E993FB400C27
SHA-512:	A7D14D0EE73C545F366A9D45D7E27E6FC32EFE5BF22AD89349EDA62A9E8B617534319F63BD54ADB74E47B82C88EE347E2083C89D623CE8D1A09A2E4F5AFA4ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

C:\Program Files (x86)\txt to epub converter\is-BLQUI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	Microsoft HTML Help Project
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.377336696990888
Encrypted:	false
SSDEEP:	3:SDomuR/W8SU8Ov:5ms9
MD5:	D62C9D88ABA1C680A83D2F976B937A5A
SHA1:	D2AB3BEA3953F22E4926311016647B6790A4EE11
SHA-256:	B156911C9828468C582EEAE8FB7F47E690E7AF86C8ACA09367220CE606CF0F65
SHA-512:	F37DB5C3178A5A4F1A8CB08EF8D80763EFE157B721FDB135AE1BF6BE65311AED7816FBC172B4B17348E0B3072266717E63A3E6A39426A96E4BB94D0E750DF711
Malicious:	false
Reputation:	low
Preview:	;Options..[Options]..SavePath =D:\output..

C:\Program Files (x86)\txt to epub converter\is-IAGUC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, AIN 2.x self-extracting archive
Category:	dropped
Size (bytes):	1288192
Entropy (8bit):	6.900542618562313
Encrypted:	false
SSDEEP:	24576:2t2J7qP5toteIxHqK8TxWmAy63/VSUATjn8TikJM8cMpv:XJkIxawUbToTXm8cMpv
MD5:	8612893894937FCDBAF1EDCEEE250C18
SHA1:	07B597BF936A2757C33D21D72240F059D06C34F8
SHA-256:	E04A28AF82BE76162805E07A15793B9E4EE48D83C911B38BEC8084B38680B430
SHA-512:	7D4822A0D94D5ADFEDAF4C85199FA42089E60B4DE857F98ACDAEA9B286BF09A981ED5705AD466E0C1EDF1F99BA2B56CCF4A2AF87D23D11B3FAB10DEFD54FDFC0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@...............................(.......L.........................................................................................................CODE....(........................... ..`DATA...............................@...BSS.....!............r...................idata...(..........r..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....L.......L...\..............@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\txt to epub converter\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	InnoSetup Log TXT to ePub Converter {BFBA7F3A-1F10-4754-ADEC-A8CFBB4F925B}, version 0x30, 2204 bytes, 301389\user, "C:\Program Files (x86)\txt to epub converter"
Category:	dropped
Size (bytes):	2204
Entropy (8bit):	4.839749398159925
Encrypted:	false
SSDEEP:	48:cCU0VIxSua1CaEa2aBa1aZaJnbaoDhH1phH1AJHvHNGa:cOCi1PRb0g8JWolH1HH1AJHvHNGa
MD5:	250F62EE085EC89B200A822A8D242027
SHA1:	4D9D8B20A26866B495BEDCB48FFC8A36EC60A086
SHA-256:	A7E874FCA355DE5E6CF2101C4B9CB1811EACE09C6F38CC4B29372825295F68DD
SHA-512:	6108DCD937FA8FAB37D46C988FED11B0963C88093776A2C20EE902FCFEEFA8BEF37F5DFB9ACDC8C4F63A591F437487761324D65F07C38F56E08227539DEC4639
Malicious:	false
Reputation:	low
Preview:	Inno Setup Uninstall Log (b)....................................{BFBA7F3A-1F10-4754-ADEC-A8CFBB4F925B}..........................................................................................TXT to ePub Converter...........................................................................................................0...........%......................................................................................................................./......q......O....301389.user,C:\Program Files (x86)\txt to epub converter.............0.... .......... ................................,C:\Program Files (x86)\txt to epub converterJC:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter.txt to epub converter.english............,C:\Program Files (x86)\txt to epub converter.......L...FC:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe...........=...7C:\Program Files (x86)\txt to epub converter\config.ini...........8...6C:\Program Files (x86)\txt to e

C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	717985
Entropy (8bit):	6.514882897353911
Encrypted:	false
SSDEEP:	12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+1Iq5MRxyFc:SPcYn5c/rPx37/zHBA6pFptZ1CEQqMRd
MD5:	A29F3D032533D29FC32FF63E13779C39
SHA1:	434A947C3E62C0632A522A4431F2E0005B9AA26C
SHA-256:	FD34D4C6C4F2BFE142191FE92DFC6040492A6D37F1FA19EF0216E993FB400C27
SHA-512:	A7D14D0EE73C545F366A9D45D7E27E6FC32EFE5BF22AD89349EDA62A9E8B617534319F63BD54ADB74E47B82C88EE347E2083C89D623CE8D1A09A2E4F5AFA4ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\TXT to ePub Converter.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 19:13:48 2024, mtime=Wed May 22 19:13:48 2024, atime=Fri Oct 18 00:01:10 2013, length=1288192, window=hide
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	4.592977747787203
Encrypted:	false
SSDEEP:	24:8mNrxQqHYSEHkdOE0EIDUAJhE1udtEyQdtEBUUTG3qygm:8mNikYFHkdOdJa1udkdnU5yg
MD5:	49696B77901939A4DDC4C1399D3628CB
SHA1:	A5E0B598AD23BC014636B5DE767AB9FF8546009D
SHA-256:	0FEB318F4B4417EEC6ABB9A6DE1E064DC677D8EE6ED9D690794E65560CA02EF2
SHA-512:	51A6084E52059F73737793FFF2272D153EB961C712B974AF0DF614426B31C3BEB6FA719B6FF1F55323960AA2FA2BA7A0DE504FF79E59E60402E182F2D9E93C0D
Malicious:	false
Preview:	L..................F.... ....IJ......pQ.......u..................................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V.....6...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....t.1......X....TXTTOE~1..\......X...X......{........................t.x.t. .t.o. .e.p.u.b. .c.o.n.v.e.r.t.e.r.......2.....RC%. .TXTTOE~1.EXE..d......X...X................................T.X.T. .t.o. .e.P.u.b. .c.o.n.v.e.r.t.e.r...e.x.e.......u...............-.......t.............h.....C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe..U.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.t.x.t. .t.o. .e.p.u.b. .c.o.n.v.e.r.t.e.r.\.T.X.T. .t.o. .e.P.u.b. .c.o.n.v.e.r.t.e.r...e.x.e.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.t.x.t. .t.o. .e.p.u.b. .c.o.n.v.e.r.t.e.r.........*................@Z\|...K.J.........`.......X.......301389...........hT..CrF.f4... .G...Jc..

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\Uninstall TXT to ePub Converter.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 19:13:48 2024, mtime=Wed May 22 19:13:48 2024, atime=Wed May 22 19:13:13 2024, length=717985, window=hide
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	4.636522673400601
Encrypted:	false
SSDEEP:	24:8m4/SEUdOE0E5PkAMhERdtENBdtEBUUTGOLkLBqygm:8m4/FUdO+PzMaRdcBdnUDLkL4yg
MD5:	E7629929ACFB59642056C16219818DB3
SHA1:	34801B6E0F8D9391B2FCCDDB6D730E41ED876B76
SHA-256:	D370F1970B588F25FCED91303D9D05ACA4AF78307B89015D7CF0465B4C38B034
SHA-512:	777909F808F8D5C7120789C0DE063710E2A3E71D35F32A81DDC8196DF38127A1CDB81BDB9FDC6FBB3789ABB0BBBB9ABF7E97F2BCEDF1DA8FD75E46204F920114
Malicious:	false
Preview:	L..................F.... ....E......E........y.................................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....t.1......X....TXTTOE~1..\......X...X......{........................t.x.t. .t.o. .e.p.u.b. .c.o.n.v.e.r.t.e.r.....f.2......X.. .unins000.exe..J......X...X............................s&2.u.n.i.n.s.0.0.0...e.x.e.......h...............-.......g.............h.....C:\Program Files (x86)\txt to epub converter\unins000.exe..H.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.t.x.t. .t.o. .e.p.u.b. .c.o.n.v.e.r.t.e.r.\.u.n.i.n.s.0.0.0...e.x.e.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.t.x.t. .t.o. .e.p.u.b. .c.o.n.v.e.r.t.e.r.........*................@Z\|...K.J.........`.......X.......301389...........hT..CrF.f4... .I...Jc...-...-$..hT..CrF.f4... .I...Jc...-...-$.............1SPS.XF.L8C.

C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.289297026665552
Encrypted:	false
SSDEEP:	48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:	C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:	D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:	E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:	2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: L1QnAwXT7U.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.9294.28999.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: CtEeMS3H62.exe, Detection: malicious, Browse Filename: LIRR4A0xzv.exe, Detection: malicious, Browse Filename: 6BE4950D9A919F5D0150D19552B340E9B5EF1959A18FD.exe, Detection: malicious, Browse Filename: 5i7hafPPeN.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	706560
Entropy (8bit):	6.506360176420555
Encrypted:	false
SSDEEP:	12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+1Iq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CEQqMRU
MD5:	A2C4D52C66B4B399FACADB8CC8386745
SHA1:	C326304C56A52A3E5BFBDCE2FEF54604A0C653E0
SHA-256:	6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A
SHA-512:	2A66256FF8535E2B300AA0CA27B76E85D42422B0AAF5E7E6D055F7ABB9E338929C979E185C6BE8918D920FB134B7F28A76B714579CACB8ACE09000C046DD34D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.968213290885379
TrID:	Win32 Executable (generic) a (10002005/4) 98.73% Inno Setup installer (109748/4) 1.08% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
File size:	752'353 bytes
MD5:	4a47cddaecb9c32a7dda070fa85534ee
SHA1:	5f0794d9906e046fbd7d6aebcf8320bf63717bf8
SHA256:	6091ebc6ab4572afe5fb8f16ddff0d6395abf68e19baf572442940e4344f977b
SHA512:	928b60098813edf7c65acf91292d029756ebb6ffafbb17307404f32036bcf1b952104e60d81784a667568df079502e90186d5b4aa00999e2fc8c0e20db15aec6
SSDEEP:	12288:CQiGdBc03ibM4Bxay2yBehc8AttDK3PQzYpHGhU5sI+Rl7q3C8pJth:CQige03IvnwcPBzYp75snl7uh
TLSH:	45F423136388C8B6C55055704A6AD1471A3BBA1B3CBD34A572EC5BDEAF372D6800A3F7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x40a5f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FD5B0B18F43h
call 00007FD5B0B1A14Ah
call 00007FD5B0B1A3D9h
call 00007FD5B0B1A47Ch
call 00007FD5B0B1C41Bh
call 00007FD5B0B1ED86h
call 00007FD5B0B1EEEDh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FD5B0B1F99Bh
call 00007FD5B0B1F586h
cmp byte ptr [0040B234h], 00000000h
je 00007FD5B0B2047Eh
call 00007FD5B0B1FA98h
xor eax, eax
call 00007FD5B0B19C39h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FD5B0B1CA2Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE28h
call 00007FD5B0B18FDAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE28h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FD5B0B1D2BAh
mov dword ptr [0040CE2Ch], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FD5B0B1F9F6h
mov dword ptr [0040CE34h], eax
mov eax, dword ptr [0040CE34h]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9d30	0x9e00	c3bd95c4b1a8e5199981e0d9b45fd18c	False	0.6052709651898734	data	6.631765876950794	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x250	0x400	1ee71d84f1c77af85f1f5c278f880572	False	0.306640625	data	2.751820662285145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe8c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8c4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	c518b903db0551be9b702311a5caff88	False	0.32776988636363635	data	4.501905603198757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4f4	data	English	United States	0.278391167192429
RT_MANIFEST	0x13570	0x5a4	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42590027700831024

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Target ID:	0
Start time:	16:13:13
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"
Imagebase:	0x400000
File size:	752'353 bytes
MD5 hash:	4A47CDDAECB9C32A7DDA070FA85534EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:13:13
Start date:	22/05/2024
Path:	C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp" /SL5="$203F2,492927,56832,C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"
Imagebase:	0x400000
File size:	706'560 bytes
MD5 hash:	A2C4D52C66B4B399FACADB8CC8386745
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:13:53
Start date:	22/05/2024
Path:	C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\txt to epub converter\TXT to epub converter.exe"
Imagebase:	0x400000
File size:	1'288'192 bytes
MD5 hash:	8612893894937FCDBAF1EDCEEE250C18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1471
Total number of Limit Nodes:	21

Executed Functions

Function 00409B78 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B8A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669

Function 0040520C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6

Strings

SetProcessDEPPolicy, xrefs: 004045B5
SetDllDirectoryW, xrefs: 00404589
kernel32.dll, xrefs: 0040457D
SetSearchPathMode, xrefs: 0040459F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Function 0040AAB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040AAC1

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02072128), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
SetWindowLongA.USER32(000203F2,000000FC,00409960), ref: 0040AB15
RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(000203F2,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Strings

InnoSetupLdrWindow, xrefs: 0040AAF2
/SL5="$%x,%d,%d,, xrefs: 0040AB55
STATIC, xrefs: 0040AAF7

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3757039580-3001827809
Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

Wow64DisableWow64FsRedirection, xrefs: 004090BA
kernel32.dll, xrefs: 004090BF, 004090D9
Wow64RevertWow64FsRedirection, xrefs: 004090D4
shell32.dll, xrefs: 00409110

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

Function 0040AAA2 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
SetWindowLongA.USER32(000203F2,000000FC,00409960), ref: 0040AB15

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94

Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02072128,00409AD8,00000000,00409ABF), ref: 00409A5C
Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02072128,00409AD8,00000000), ref: 00409A70
Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02072128,00409AD8), ref: 00409AA4

RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(000203F2,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Strings

InnoSetupLdrWindow, xrefs: 0040AAF2
/SL5="$%x,%d,%d,, xrefs: 0040AB55
STATIC, xrefs: 0040AAF7

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

Function 004099EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02072128,00409AD8,00000000,00409ABF), ref: 00409A5C
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02072128,00409AD8,00000000), ref: 00409A70
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02072128,00409AD8), ref: 00409AA4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02072128), ref: 0040966C

Strings

D, xrefs: 00409A36

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 2760f6fc436d2282df077fa3fe2c561b0ff429e9c23b98cc44d100e589fe962f
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 2760f6fc436d2282df077fa3fe2c561b0ff429e9c23b98cc44d100e589fe962f
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 0040A814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878

Strings

y@, xrefs: 0040A981
.tmp, xrefs: 0040A8BE

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

Function 0040A82F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878

Strings

y@, xrefs: 0040A981
.tmp, xrefs: 0040A8BE

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Function 00408FBC Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00409019,?,0000000D,00000000), ref: 00408FF3
GetLastError.KERNEL32(00000000,00000000,00409019,?,0000000D,00000000), ref: 00408FFB

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 51b14d3c2f7fde5c1a6bb776c84878c326085b2b0be15ffc15f9635c9f9f5f18
Instruction ID: 1f0403e6899a51d1d5356f81b6020870d4ad1054c4e625117792cee712869c3b
Opcode Fuzzy Hash: 51b14d3c2f7fde5c1a6bb776c84878c326085b2b0be15ffc15f9635c9f9f5f18
Instruction Fuzzy Hash: 16F0C871A04704ABCB01DF759D4159DB3E8DB8831475045BBF814F3682EA385E108599

Function 0040AC4F Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
DestroyWindow.USER32(000203F2,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15

Part of subcall function 004094D8: Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
Part of subcall function 004094D8: GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
Part of subcall function 004094D8: GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
String ID:
API String ID: 2192421792-0
Opcode ID: 2c973cdf999bbb1192929a8364406a109d64bb88cfdea17aa602a860d5632052
Instruction ID: be585450a05658aa0cbbe96fcd01bcdb7ec8c3c433658d061b63fb0e61c88a9e
Opcode Fuzzy Hash: 2c973cdf999bbb1192929a8364406a109d64bb88cfdea17aa602a860d5632052
Instruction Fuzzy Hash: 24F03170244200DBD724EB69EEC9B1632A5A784305F10423BF500B72F1C7FC98A1CB9D

Function 00406FA0 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406FAA
LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Function 0040766C Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Function 0040762C Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Function 004075C4 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: efc6f27fa4c1f0416fcf42a0cb9c981ca4ea103f0f96f52908972bf4ed8d2b74
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: efc6f27fa4c1f0416fcf42a0cb9c981ca4ea103f0f96f52908972bf4ed8d2b74
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00405280 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F

Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9

Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98

Function 00407576 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407578 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 004069DC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428

Function 004076C8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676

Function 00407284 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F

Function 004076AC Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02094000,0040AA59,00000000), ref: 004076B3

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666

Function 00406FFB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519

Function 00407017 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B

Function 00406970 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction Fuzzy Hash:

Function 00407F10 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00407548 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407558

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D

Function 00407EB8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654

Non-executed Functions

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 00409C34 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E

Function 00405258 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405CF4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1

Strings

GetUserDefaultUILanguage, xrefs: 00407043
kernel32.dll, xrefs: 00407048
.DEFAULT\Control Panel\International, xrefs: 00407078
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
Locale, xrefs: 00407090

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004053C4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE

Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A

Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B

Strings

mmmm d, yyyy, xrefs: 004054CF
:mm, xrefs: 004055C0
AMPM, xrefs: 004055A9
m/d/yy, xrefs: 004054AD
:mm:ss, xrefs: 004055DA

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103
`(F, xrefs: 004030F3

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$`(F
API String ID: 2123368496-1518423589
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99

Function 00409C88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
Setup, xrefs: 00409CAD

Memory Dump Source

Source File: 00000000.00000002.2468391767.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2468379403.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468405728.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2468417644.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068

Analysis Process: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmpPID: 612, Parent PID: 2156COMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	80

Executed Functions

Function 004706A8 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 965COMMON

Download Yara Rule

Strings

Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
Dest filename: %s, xrefs: 00470894
Couldn't read time stamp. Skipping., xrefs: 00470D35
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
Same version. Skipping., xrefs: 00470CE5
Time stamp of existing file: %s, xrefs: 00470A2B
, xrefs: 00470BCF, 00470DA0, 00470E1E
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
Will register the file (a DLL/OCX) later., xrefs: 0047151F
Non-default bitness: 64-bit, xrefs: 004708AF
Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
-- File entry --, xrefs: 004706FB
Dest file exists., xrefs: 004709BB
Version of our file: (none), xrefs: 00470AFC
Same time stamp. Skipping., xrefs: 00470D55
Failed to strip read-only attribute., xrefs: 00470ED3
InUn, xrefs: 0047115F
Incrementing shared file count (32-bit)., xrefs: 004715A5
Uninstaller requires administrator: %s, xrefs: 0047118F
Version of existing file: (none), xrefs: 00470CFA
Non-default bitness: 32-bit, xrefs: 004708BB
Incrementing shared file count (64-bit)., xrefs: 0047158C
Installing the file., xrefs: 00470F09
Time stamp of our file: %s, xrefs: 0047099B
Time stamp of our file: (failed to read), xrefs: 004709A7
@, xrefs: 004707B0
Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
Existing file is a newer version. Skipping., xrefs: 00470C02
Dest file is protected by Windows File Protection., xrefs: 004708ED
Existing file has a later time stamp. Skipping., xrefs: 00470DCF
Installing into GAC, xrefs: 00471714
.tmp, xrefs: 00470FB7
Stripped read-only attribute., xrefs: 00470EC7
Will register the file (a type library) later., xrefs: 00471513
Time stamp of existing file: (failed to read), xrefs: 00470A37

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-4021121268
Opcode ID: a27af26e7e39879e55e12172b3fa09cc2b88a96f453993cfd7508716b919e6cb
Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
Opcode Fuzzy Hash: a27af26e7e39879e55e12172b3fa09cc2b88a96f453993cfd7508716b919e6cb
Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

Function 0042E09C Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A

Strings

CheckTokenMembership, xrefs: 0042E102
advapi32.dll, xrefs: 0042E107

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: ddfde2249367763e4ec650b3d771d1987385f17006922e03e7cb49a40b8ec1f8
Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
Opcode Fuzzy Hash: ddfde2249367763e4ec650b3d771d1987385f17006922e03e7cb49a40b8ec1f8
Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

Function 004502C0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00480B52), ref: 004502D3
LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450309
GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 0045031E
GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450333
GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450348
GetProcAddress.KERNEL32(00000000,RmRestart), ref: 0045035D
GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450372

Strings

RmShutdown, xrefs: 0045033D
RmGetList, xrefs: 00450328
RmStartSession, xrefs: 004502FE
RmRestart, xrefs: 00450352
RmRegisterResources, xrefs: 00450313
RmEndSession, xrefs: 00450367
Rstrtmgr.dll, xrefs: 004502E6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 1968650500-3419246398
Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

Function 00423C0C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f88a0fad56de9c729f2995427ba7f602706c1c2dd85511d5f0d29e6fe2ee61
Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
Opcode Fuzzy Hash: a8f88a0fad56de9c729f2995427ba7f602706c1c2dd85511d5f0d29e6fe2ee61
Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

Function 0042285C Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 3fc7cefd77d309d2013a8afda780c24615e088d2c333d8c3c434309d64232e3f
Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
Opcode Fuzzy Hash: 3fc7cefd77d309d2013a8afda780c24615e088d2c333d8c3c434309d64232e3f
Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58

Function 004673A4 Relevance: 15.6, APIs: 4, Strings: 4, Instructions: 1649windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773

Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB

Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0

Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58

Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A

Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5

Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5

Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 004683FD
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426

Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072

Strings

, xrefs: 00467835
(Default), xrefs: 00468A0F
%H, xrefs: 0046766D, 00467681
STOPIMAGE, xrefs: 00467768

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE$%H
API String ID: 3231140908-2624782221
Opcode ID: 061c577f146de6d102eda1e26f425fafce425150d5b53e721a6d527fc500dab5
Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
Opcode Fuzzy Hash: 061c577f146de6d102eda1e26f425fafce425150d5b53e721a6d527fc500dab5
Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A

Function 00455E0C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
GetDiskFreeSpaceExA.KERNELBASE(00000000,?,?,00000000,00000000,00455F29,?,00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E98

Strings

GetDiskFreeSpaceExA, xrefs: 00455E32
kernel32.dll, xrefs: 00455E37

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDiskFreeHandleModuleProcSpace
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1197914913-3712701948
Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68

Function 00474F88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC

Strings

unins, xrefs: 00475034
unins???.*, xrefs: 00474FCB

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 77a1736b55a15cdfeb079fd35295a2b37346dc69cd938272e48e3e7d747c03bd
Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
Opcode Fuzzy Hash: 77a1736b55a15cdfeb079fd35295a2b37346dc69cd938272e48e3e7d747c03bd
Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59

Function 00452A60 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 77a4f9a42a9b182eca9a30cb1eee9c943385d3d0e7805387745d9337962f8593
Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
Opcode Fuzzy Hash: 77a4f9a42a9b182eca9a30cb1eee9c943385d3d0e7805387745d9337962f8593
Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8

Function 00408568 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8

Function 00423B84 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 88ecfa13f3ee270e805d5ccef1650ee506ec8760b8390f8b6ad1d401d880426f
Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
Opcode Fuzzy Hash: 88ecfa13f3ee270e805d5ccef1650ee506ec8760b8390f8b6ad1d401d880426f
Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90

Function 0045559C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 004555B2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756

Function 0046F058 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 500
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67

Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7

RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0

Strings

Readme, xrefs: 0046F4B2
Inno Setup: User Info: Serial, xrefs: 0046F2D0
Inno Setup: User Info: Organization, xrefs: 0046F2BB
Inno Setup: No Icons, xrefs: 0046F1CB
Inno Setup: App Path, xrefs: 0046F17E
DisplayIcon, xrefs: 0046F373
UninstallString, xrefs: 0046F3AD
Inno Setup: Selected Tasks, xrefs: 0046F26F
RegisterPreviousData, xrefs: 0046F6A6
Inno Setup: Icon Group, xrefs: 0046F1AD
DisplayName, xrefs: 0046F356
Comments, xrefs: 0046F4EC
ModifyPath, xrefs: 0046F50C
Inno Setup: Selected Components, xrefs: 0046F228
HelpTelephone, xrefs: 0046F45B
5.5.3 (a), xrefs: 0046F14E
Inno Setup: Deselected Components, xrefs: 0046F247
MinorVersion, xrefs: 0046F591
Inno Setup: User, xrefs: 0046F1EA
" /SILENT, xrefs: 0046F3DA
NoRepair, xrefs: 0046F534
Inno Setup: Deselected Tasks, xrefs: 0046F28E
MajorVersion, xrefs: 0046F57F
EstimatedSize, xrefs: 0046F66D
NoModify, xrefs: 0046F520
Inno Setup: Setup Version, xrefs: 0046F149
Inno Setup: User Info: Name, xrefs: 0046F2A6
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046F0AE
Inno Setup: Language, xrefs: 0046F2F7
Publisher, xrefs: 0046F421
QuietUninstallString, xrefs: 0046F3E7
InstallLocation, xrefs: 0046F19E
DisplayVersion, xrefs: 0046F404
URLUpdateInfo, xrefs: 0046F495
Contact, xrefs: 0046F4CF
InstallDate, xrefs: 0046F553
Inno Setup: Setup Type, xrefs: 0046F209
HelpLink, xrefs: 0046F478
URLInfoAbout, xrefs: 0046F43E
_is1, xrefs: 0046F0B4

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$Close
String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3391052094-3342197833
Opcode ID: 20177b5e09bda3d39b0f5a3b3099d0b20d53ab700288e26487c926a63f738ffb
Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
Opcode Fuzzy Hash: 20177b5e09bda3d39b0f5a3b3099d0b20d53ab700288e26487c926a63f738ffb
Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

Function 00456638 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

7715E550.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
7715E550.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
SysFreeString.OLEAUT32(00000000), ref: 0045685B

Strings

%ProgramFiles(x86)%\, xrefs: 0045672E
IPersistFile::Save, xrefs: 00456962
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
{pf32}\, xrefs: 0045671E
CoCreateInstance, xrefs: 004566AF
IPropertyStore::Commit, xrefs: 004568E3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: 7715E550$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 3367576848-2363233914
Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69

Function 00483A7C Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D

Strings

advapi32.dll, xrefs: 00483AEB
kernel32.dll, xrefs: 00483A88
GetNativeSystemInfo, xrefs: 00483A94
GetSystemWow64DirectoryA, xrefs: 00483AD7
IsWow64Process, xrefs: 00483AAA
RegDeleteKeyExA, xrefs: 00483AE6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

Function 00468D88 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B

Strings

Inno Setup: User Info: Organization, xrefs: 00468F5A
Inno Setup: Setup Type, xrefs: 00468E9A
Inno Setup: Selected Components, xrefs: 00468EAA
Inno Setup: App Path, xrefs: 00468E4A
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
%s\%s_is1, xrefs: 00468E05
Inno Setup: User Info: Name, xrefs: 00468F47
Inno Setup: User Info: Serial, xrefs: 00468F6D
Inno Setup: Icon Group, xrefs: 00468E66
Inno Setup: Selected Tasks, xrefs: 00468EF7
Inno Setup: Deselected Tasks, xrefs: 00468F19
Inno Setup: Deselected Components, xrefs: 00468ECC
Inno Setup: No Icons, xrefs: 00468E73

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

Function 0047C66C Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910

SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
771883B0.OLE32(?,0047C88B), ref: 0047C87E

Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233

Strings

CommonFilesDir, xrefs: 0047C76E, 0047C7EA
cmd.exe, xrefs: 0047C8FC
Failed to get path of 64-bit Program Files directory, xrefs: 0047C7DD
\Program Files, xrefs: 0047C75B
Failed to get path of 64-bit Common Files directory, xrefs: 0047C80C
COMMAND.COM, xrefs: 0047C91D
Common Files, xrefs: 0047C7A5
ProgramFilesDir, xrefs: 0047C734, 0047C7BB
SystemDrive, xrefs: 0047C6D3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$771883AddressEnvironmentFolderHandleKnownModulePathProcSystemVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 3587502637-544719455
Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

Function 00472B48 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42

Strings

.url, xrefs: 00472C1A
.lnk, xrefs: 00472BD4
Desktop.ini, xrefs: 00472EC3
Filename: %s, xrefs: 00472CA2
target.lnk, xrefs: 00472E8C
.pif, xrefs: 00472BF7, 00472D8B
{group}\, xrefs: 00472BA2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 7a5ae740bf12d7c0914506075995ef9616c65b722964304fe64b2cd854615d78
Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
Opcode Fuzzy Hash: 7a5ae740bf12d7c0914506075995ef9616c65b722964304fe64b2cd854615d78
Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69

Function 00423874 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2

GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
RegisterClassA.USER32(00499630), ref: 004238B7
GetSystemMetrics.USER32(00000000), ref: 004238D9
GetSystemMetrics.USER32(00000001), ref: 004238E8
SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2

Strings

|6B, xrefs: 00423893, 00423914

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: |6B
API String ID: 183575631-3009739247
Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
Opcode Fuzzy Hash: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

Function 0047CE78 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047CF7A

Strings

Failed to get address of SHGetFolderPath function, xrefs: 0047CF8B
_isetup\_shfoldr.dll, xrefs: 0047CEAA
SHFOLDERDLL, xrefs: 0047CEB7
shfolder.dll, xrefs: 0047CEDD, 0047CF16
Failed to get version numbers of _shfoldr.dll, xrefs: 0047CED0
shell32.dll, xrefs: 0047CF25
Failed to load DLL "%s", xrefs: 0047CF5D
]xI, xrefs: 0047CF58
SHGetFolderPathA, xrefs: 0047CF6F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-256906917
Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

Function 0040631C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366

Strings

SetSearchPathMode, xrefs: 0040633F
kernel32.dll, xrefs: 0040631D
SetDllDirectoryW, xrefs: 00406329
SetProcessDEPPolicy, xrefs: 00406355

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD

Function 0041321B Relevance: 14.6, APIs: 6, Strings: 2, Instructions: 633COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
GetWindowLongA.USER32(?,000000F0), ref: 0041366F
GetWindowLongA.USER32(?,000000F4), ref: 00413681
SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
SetPropA.USER32(?,00000000,00000000), ref: 004136AB
SetPropA.USER32(?,00000000,00000000), ref: 004136C2

Strings

3A, xrefs: 0041343D
yA, xrefs: 004132DE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$Prop
String ID: 3A$yA
API String ID: 3887896539-3278460822
Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

Function 00481854 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 00481A11
FreeLibrary.KERNEL32(00000000), ref: 00481A25
SendNotifyMessageA.USER32(000203F2,00000496,00002710,00000000), ref: 00481A97

Strings

GetCustomSetupExitCode, xrefs: 004818B1
Deinitializing Setup., xrefs: 00481872
Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
DeinitializeSetup, xrefs: 0048190D
Restarting Windows., xrefs: 00481A72

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 050724d5784164bcc6f320fb88d14c1ed674207e07551f10b43b093d89fd870c
Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
Opcode Fuzzy Hash: 050724d5784164bcc6f320fb88d14c1ed674207e07551f10b43b093d89fd870c
Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D

Function 00467180 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249

Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327

Strings

c:\directory, xrefs: 0046721E
shell32.dll, xrefs: 00467284
%H, xrefs: 0046718B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll$%H
API String ID: 3376378930-166502273
Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59

Function 0042F560 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F58F
GetFocus.USER32 ref: 0042F597
RegisterClassA.USER32(004997AC), ref: 0042F5B8
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654

Strings

TWindowDisabler-Window, xrefs: 0042F5EF, 0042F635

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: 6457ecc35c2f1d364d6e716b0d71ec85e57c583cde0b886464f42e17a697c21b
Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
Opcode Fuzzy Hash: 6457ecc35c2f1d364d6e716b0d71ec85e57c583cde0b886464f42e17a697c21b
Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD

Function 004729F8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C

Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A

Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99

Strings

.ShellClassInfo, xrefs: 00472A4B
desktop.ini, xrefs: 00472A30
CLSID2, xrefs: 00472A46
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 00472A55
target.lnk, xrefs: 00472A71

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: d8d5a0be0440fc7cb79ca7a1d8c05833802e09f0bac54326b854a3cb5eabaf25
Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
Opcode Fuzzy Hash: d8d5a0be0440fc7cb79ca7a1d8c05833802e09f0bac54326b854a3cb5eabaf25
Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C

Function 004531F0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230

Strings

Wow64RevertWow64FsRedirection, xrefs: 00453220
shell32.dll, xrefs: 0045325C
Wow64DisableWow64FsRedirection, xrefs: 00453206
kernel32.dll, xrefs: 0045320B, 00453225

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D

Function 00430940 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
GetCurrentThreadId.KERNEL32 ref: 00430971
GlobalAddAtomA.KERNEL32(00000000), ref: 00430992

Strings

commdlg_FindReplace, xrefs: 00430952
WndProcPtr%.8X%.8X, xrefs: 00430983
commdlg_help, xrefs: 00430943

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F

Function 00422E50 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EA4
GetCapture.USER32 ref: 00422EB3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
ReleaseCapture.USER32 ref: 00422EBE
GetActiveWindow.USER32 ref: 00422ECD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
GetActiveWindow.USER32 ref: 00422FBF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49

Function 00476C50 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53

Strings

Inno Setup: Language, xrefs: 00476DDB
COMBOBOX, xrefs: 00476CA2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58

Function 00455010 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7

Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9

Strings

cmd.exe" /C ", xrefs: 004550ED
D, xrefs: 00455158
COMMAND.COM" /C , xrefs: 00455124
.bat, xrefs: 004550A0
.cmd, xrefs: 004550BB

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 33a21594b2f272348ca173e1bf8fbb29317a3fdaed0398a7107b4f02c3bab763
Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
Opcode Fuzzy Hash: 33a21594b2f272348ca173e1bf8fbb29317a3fdaed0398a7107b4f02c3bab763
Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59

Function 0042368C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
OemToCharA.USER32(?,?), ref: 0042375C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C

Strings

MAINICON, xrefs: 00423711
2, xrefs: 004236EA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59

Function 00418F38 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
GetCurrentThreadId.KERNEL32 ref: 00418F79
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A

Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144

Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C

Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D

Strings

ControlOfs%.8X%.8X, xrefs: 00418F8B
Delphi%.8X, xrefs: 00418F4F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F

Function 0041363C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
GetWindowLongA.USER32(?,000000F0), ref: 0041366F
GetWindowLongA.USER32(?,000000F4), ref: 00413681
SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
SetPropA.USER32(?,00000000,00000000), ref: 004136AB
SetPropA.USER32(?,00000000,00000000), ref: 004136C2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE

Function 004556D8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5

Strings

PendingFileRenameOperations, xrefs: 00455754
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
PendingFileRenameOperations2, xrefs: 00455784
WININIT.INI, xrefs: 004557E4

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58

Function 0047CB94 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30

Strings

_isetup, xrefs: 0047CC12
\_setup64.tmp, xrefs: 0047CCA2
Created temporary directory: , xrefs: 0047CBC9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 15246a7260a354d37efc87005b8c751c01ee3b74e4206f1c0260e9ccc9d04e3e
Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
Opcode Fuzzy Hash: 15246a7260a354d37efc87005b8c751c01ee3b74e4206f1c0260e9ccc9d04e3e
Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68

Function 00423A84 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A1C), ref: 00423AA8
GetWindow.USER32(?,00000003), ref: 00423ABD
GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02

Strings

\AB, xrefs: 00423AF2, 00423AF6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: \AB
API String ID: 4191631535-3948367934
Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59

Function 0042DE44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71

Strings

RegDeleteKeyExA, xrefs: 0042DE61
advapi32.dll, xrefs: 0042DE66

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D

Function 0046BB10 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

PrepareToInstall failed: %s, xrefs: 0046BE6E
Need to restart Windows? %s, xrefs: 0046BE95
NextButtonClick, xrefs: 0046BC4C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: 5d17874146d60b75ad460dbe0a65a057f1b706e416996ea922dce04c170435bc
Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
Opcode Fuzzy Hash: 5d17874146d60b75ad460dbe0a65a057f1b706e416996ea922dce04c170435bc
Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A

Function 00483084 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246

Strings

Need to restart Windows? %s, xrefs: 00483283
, xrefs: 00483303

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: f3164b8d1c7f9ae2aabe4aebf04c2bbf0d3651d11bf05fff97eb65ef8f772e24
Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
Opcode Fuzzy Hash: f3164b8d1c7f9ae2aabe4aebf04c2bbf0d3651d11bf05fff97eb65ef8f772e24
Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D

Function 0046FADC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828

GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55

Strings

Creating directory: %s, xrefs: 0046FB9E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: b081b5451f9253bf7df266bab53e6145b6a86aabad9903036a0d0a35cf4a9b86
Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
Opcode Fuzzy Hash: b081b5451f9253bf7df266bab53e6145b6a86aabad9903036a0d0a35cf4a9b86
Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59

Function 00454DD4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC

Strings

SfcIsFileProtected, xrefs: 00454E7C
sfc.dll, xrefs: 00454E44

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C

Function 00452510 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

751C1520.VERSION(00000000,?,?,?,00497900), ref: 00452530
751C1500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
751C1540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577

Strings

%E, xrefs: 004525BB, 00452583

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: C1500C1520C1540
String ID: %E
API String ID: 1315064709-175436132
Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765

Function 0044B38C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044B401
SelectObject.GDI32(?,00000000), ref: 0044B424
ReleaseDC.USER32(00000000,?), ref: 0044B457

Strings

%H, xrefs: 0044B394

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID: %H
API String ID: 1831053106-1959103961
Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED

Function 0044B0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165

Strings

%H, xrefs: 0044B0C8

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID: %H
API String ID: 65125430-1959103961
Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669

Function 0042ED38 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8

Strings

SHAutoComplete, xrefs: 0042EDA2
shlwapi.dll, xrefs: 0042ED73

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D

Function 00455A10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
PendingFileRenameOperations, xrefs: 00455A40
PendingFileRenameOperations2, xrefs: 00455A4F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C

Function 00472154 Relevance: 6.3, APIs: 4, Instructions: 272fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: d369753856367b0287cffb73039cd8ab1db66acb1aaed6d6e6c358537efe0372
Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
Opcode Fuzzy Hash: d369753856367b0287cffb73039cd8ab1db66acb1aaed6d6e6c358537efe0372
Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58

Function 0047FCF8 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: f2453ac968e711b17f020bfe82841346ecffcf769e40057e5c798d9b2b4654c8
Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
Opcode Fuzzy Hash: f2453ac968e711b17f020bfe82841346ecffcf769e40057e5c798d9b2b4654c8
Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54

Function 00421274 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421361
SetMenu.USER32(00000000,00000000), ref: 0042137E
SetMenu.USER32(00000000,00000000), ref: 004213B3
SetMenu.USER32(00000000,00000000), ref: 004213CF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D

Function 00416B42 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B84
SetTextColor.GDI32(?,00000000), ref: 00416B9E
SetBkColor.GDI32(?,00000000), ref: 00416BB8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69

Function 00454F7C Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
Opcode Fuzzy Hash: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78

Function 004230C8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042311E
EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
ReleaseDC.USER32(00000000,00000000), ref: 00423144

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE

Function 004019CC Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD

Function 0047CD48 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047CD69
GetLastError.KERNEL32 ref: 0047CD73
GetTickCount.KERNEL32 ref: 0047CD7D
Sleep.KERNEL32(00000032), ref: 0047CD8D

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 81c97dbf5948de899416f6368447fdcf0451c727da6d5f131c1a33ac7977f59e
Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
Opcode Fuzzy Hash: 81c97dbf5948de899416f6368447fdcf0451c727da6d5f131c1a33ac7977f59e
Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E

Function 0045C264 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933

FlushFileBuffers.KERNEL32(?), ref: 0045C499

Strings

EndOffset range exceeded, xrefs: 0045C3CD
NumRecs range exceeded, xrefs: 0045C396

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: a46ebc0c75e38cfc1d47e83880391ac29e35d2e9842f1f48ebdcfee3728b7fb6
Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
Opcode Fuzzy Hash: a46ebc0c75e38cfc1d47e83880391ac29e35d2e9842f1f48ebdcfee3728b7fb6
Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54

Function 0048358C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7

Strings

Will not restart Windows automatically., xrefs: 004836F6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: fd09d5a5f6cccbb829e281a43361b03d1ada35bfa693f2951a58170467c6de9f
Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
Opcode Fuzzy Hash: fd09d5a5f6cccbb829e281a43361b03d1ada35bfa693f2951a58170467c6de9f
Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D

Function 00498BA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356

Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366

Part of subcall function 004063C4: 6F9E1CD0.COMCTL32(00498BC5), ref: 004063C4

Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2

Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040

Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785

Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F

Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230

Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8

Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609

Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05

Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43

Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077

Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD

SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E

Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978

Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F

Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676

Strings

Setup, xrefs: 00498C85

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 504348408-3839654196
Opcode ID: b35466028edd7e3a1b236c6640422c08041f3fa3d34e6d3560873e5a4108b4d0
Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
Opcode Fuzzy Hash: b35466028edd7e3a1b236c6640422c08041f3fa3d34e6d3560873e5a4108b4d0
Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E

Function 0042DC00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC

Strings

$=H, xrefs: 0042DD2F, 0042DC88, 0042DC98, 0042DCF4, 0042DD18, 0042DD08, 0042DCDF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID: $=H
API String ID: 3660427363-3538597426
Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5

Function 00478E98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67

Strings

%s\%s_is1, xrefs: 00478F10
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58

Function 00453A24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73

Strings

.tmp, xrefs: 00453A53

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: ad15d04db016d8ec48b224cf88302df48740c9a9b896926c32662353b3187fec
Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
Opcode Fuzzy Hash: ad15d04db016d8ec48b224cf88302df48740c9a9b896926c32662353b3187fec
Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69

Function 00483F88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6

Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077

Strings

shell32.dll, xrefs: 0048406C
SHGetKnownFolderPath, xrefs: 00484062

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 3869789854-2936008475
Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E

Function 00452908 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947

Strings

T$H, xrefs: 00452975

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: T$H
API String ID: 2018770650-488339322
Opcode ID: fbcc140a81a3acb9c96393828f2cc587f034b3ec3a8bc9b7824854e1d547cdb8
Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
Opcode Fuzzy Hash: fbcc140a81a3acb9c96393828f2cc587f034b3ec3a8bc9b7824854e1d547cdb8
Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598

Function 00452E10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F

Strings

T$H, xrefs: 00452E7D

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID: T$H
API String ID: 377330604-488339322
Opcode ID: 8769a646033274a50feaa89106c60670f2dbad91017c501587ea10a2b48d2d14
Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
Opcode Fuzzy Hash: 8769a646033274a50feaa89106c60670f2dbad91017c501587ea10a2b48d2d14
Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598

Function 0047C5D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A

Strings

RegisteredOwner, xrefs: 0047C617
RegisteredOrganization, xrefs: 0047C629

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C

Function 0047524C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

CreateFile, xrefs: 0047527D

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58

Function 0042DE1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DE36
;H, xrefs: 0042DE32, 0042DE35

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows$;H
API String ID: 71445658-2565060666
Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4

Function 004570B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8

Strings

shell32.dll, xrefs: 004570CD
SHCreateItemFromParsingName, xrefs: 004570C3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E

Function 0046CDF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05

Strings

shell32.dll, xrefs: 0046CDFA
SHPathPrepareForWriteA, xrefs: 0046CDF0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F

Function 00481C7C Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 85f8085dd59925224ce994ed4abb72c3226e4b8b9fa082300e4d7a64be9e7d0b
Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
Opcode Fuzzy Hash: 85f8085dd59925224ce994ed4abb72c3226e4b8b9fa082300e4d7a64be9e7d0b
Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D

Function 004243FC Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
TranslateMessage.USER32(?), ref: 0042448F
DispatchMessageA.USER32(?), ref: 00424499

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A

Function 00416644 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 0041666A
SetPropA.USER32(00000000,00000000), ref: 0041667F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8

Function 0041EE54 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EE64
IsWindowEnabled.USER32(?), ref: 0041EE6E
EnableWindow.USER32(?,00000000), ref: 0041EE94

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C

Function 0048341C Relevance: 4.5, APIs: 3, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,?,?,00483481,?,00483566,?,?,00000000), ref: 00483422
GetWindowThreadProcessId.USER32(00000000,?), ref: 00483434
GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,00483481,?,00483566,?,?,00000000), ref: 0048343D

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessWindow$CurrentForegroundThread
String ID:
API String ID: 3477312055-0
Opcode ID: 30efa22169b90dc38136f66a6467a27c26b4f04e2e52f09e67eefe2d80cac6ea
Instruction ID: beb4f515369edaf5f7f8104bbb2c2e6743f65f25389461d3c194e507fd2f85f2
Opcode Fuzzy Hash: 30efa22169b90dc38136f66a6467a27c26b4f04e2e52f09e67eefe2d80cac6ea
Instruction Fuzzy Hash: 8AD01233506A2A7E6611F9E59D828AFB35CD900B58754057BF904A3241D72D9E0446BE

Function 00469F1C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0046A02D

Strings

PrepareToInstall, xrefs: 00469FD7, 0046A07E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow
String ID: PrepareToInstall
API String ID: 2558294473-1101760603
Opcode ID: ce905d11a8887108f3ad14969444655d730b3b5d2faccfdd66681012e3d11b0c
Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
Opcode Fuzzy Hash: ce905d11a8887108f3ad14969444655d730b3b5d2faccfdd66681012e3d11b0c
Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A

Function 0046C4BC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

/:*?"<>|, xrefs: 0046C658, 0046C66F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: /:*?"<>|
API String ID: 0-4078764451
Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E

Function 004825C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00482676

Strings

InitializeWizard, xrefs: 0048260F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 610dba628312dcddd63cee716be368e1ad8af3103a0d365a4a52240be508be69
Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
Opcode Fuzzy Hash: 610dba628312dcddd63cee716be368e1ad8af3103a0d365a4a52240be508be69
Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E

Function 0047CD9C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0047CDE6

Strings

Failed to remove temporary directory: , xrefs: 0047CDFF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory:
API String ID: 536389180-3544197614
Opcode ID: 45da43fd3ae20599d6e25ac9ed9d33e8d604a7859b1119de6f2a098991fc0130
Instruction ID: ec3213607a6b09ae82705bdd380353c192e2de6e0dbfdfb704aaf67811413441
Opcode Fuzzy Hash: 45da43fd3ae20599d6e25ac9ed9d33e8d604a7859b1119de6f2a098991fc0130
Instruction Fuzzy Hash: 0F01B930644604BADB21EB72ED87BDA7798DB45709F60847FB804A7192EA7CA904C95C

Function 0047C4F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC

Function 0046EE44 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67

Strings

Inno Setup: Setup Version, xrefs: 0046EE65

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version
API String ID: 3702945584-4166306022
Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9

Function 0046EEB4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7

Strings

NoModify, xrefs: 0046EEC5

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669

Function 00454100 Relevance: 3.2, APIs: 2, Instructions: 200fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00454346,?,00000000,004543BA,?,?,-00000001,00000000,?,0047CDFB,00000000,0047CD48,00000000), ref: 00454322
FindClose.KERNEL32(000000FF,0045434D,00454346,?,00000000,004543BA,?,?,-00000001,00000000,?,0047CDFB,00000000,0047CD48,00000000,00000000), ref: 00454340

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 45376c9c9c7299f2ca5a0f926fcd92763639dc1ad46c037637ac30030cc39b69
Instruction ID: 54d7d993b90550b5414970fc4389b15b7902a372ed294bc13edf2f45dfba5a61
Opcode Fuzzy Hash: 45376c9c9c7299f2ca5a0f926fcd92763639dc1ad46c037637ac30030cc39b69
Instruction Fuzzy Hash: BE817430A0424D9FCF11DFA5C8457EFBB74AF49309F1440A6EC546B3A2D3399A8ACB58

Function 0047E474 Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA

Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E

SendNotifyMessageA.USER32(000203F2,00000496,00002711,-00000001), ref: 0047E6BA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D

Function 0047DD98 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D

Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12

Strings

/G, xrefs: 0047DF6D, 0047DEE0, 0047DEF1, 0047DDD7, 0047DDE2, 0047DE01, 0047DE10

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMetricsMultiSystemWide
String ID: /G
API String ID: 224039744-2088674125
Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99

Function 00402088 Relevance: 3.1, APIs: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88

Function 0042DEC0 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D

Function 004527E8 Relevance: 3.1, APIs: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: c95f5f81879e10580f0beb684fbefc560c00cfbc54ddd80bc382dcc14dc7984f
Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
Opcode Fuzzy Hash: c95f5f81879e10580f0beb684fbefc560c00cfbc54ddd80bc382dcc14dc7984f
Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68

Function 0040ADD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A

Function 0041EEA4 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EEF3
EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18

Function 00452C80 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: bd02338dff925e1bcf0a80027825a402961c9c10eaaecac7b210e684feb30c76
Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
Opcode Fuzzy Hash: bd02338dff925e1bcf0a80027825a402961c9c10eaaecac7b210e684feb30c76
Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558

Function 00452770 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 903dc6f46ae0353656b5ef1fe2250cc8cd8775a19ac3db80fd29e7e5856ea863
Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
Opcode Fuzzy Hash: 903dc6f46ae0353656b5ef1fe2250cc8cd8775a19ac3db80fd29e7e5856ea863
Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C

Function 0042323C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423249
LoadCursorA.USER32(00000000,00000000), ref: 00423273

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569

Function 0042E394 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E39E
LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928

Function 00476C04 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(6F9A27E0,?,?,?,?), ref: 00476C31
CallWindowProcW.USER32(FFFF0429,?,?,?,?), ref: 00476C42

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 346703960cce2f9af075a41cf2183f1073599ecc9318cb7bb591473e17ab3077
Instruction ID: f2bf2b0b1abe5bd87c33c6b7c80241fb96b27bc6aca7ec08f51a493da5dc8bb7
Opcode Fuzzy Hash: 346703960cce2f9af075a41cf2183f1073599ecc9318cb7bb591473e17ab3077
Instruction Fuzzy Hash: EDF030B6111718BFDA04DAA9DD89CB77B6DDF19360B008627BD58932A4D174AC0086B4

Function 0046E0E4 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
7715E550.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: 7715E550Version
String ID:
API String ID: 1030236662-0
Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F

Function 0047C88B Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
771883B0.OLE32(?,0047C8DE), ref: 0047C8D1

Strings

CommonFilesDir, xrefs: 0047C76E, 0047C7EA
cmd.exe, xrefs: 0047C8FC
Failed to get path of 64-bit Program Files directory, xrefs: 0047C7DD
\Program Files, xrefs: 0047C75B
Failed to get path of 64-bit Common Files directory, xrefs: 0047C80C
COMMAND.COM, xrefs: 0047C91D
Common Files, xrefs: 0047C7A5
ProgramFilesDir, xrefs: 0047C734, 0047C7BB
SystemDrive, xrefs: 0047C6D3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: 771883FolderKnownPath
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 1848010826-544719455
Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C

Function 004508F8 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916

Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: da9b101d890a5785f8a9e71de1b90467d9f3c90ee8d89fa87e0c2c0eb401b44d
Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
Opcode Fuzzy Hash: da9b101d890a5785f8a9e71de1b90467d9f3c90ee8d89fa87e0c2c0eb401b44d
Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29

Function 00483450 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0048345A
GetTickCount.KERNEL32 ref: 00483451

Part of subcall function 0048341C: GetForegroundWindow.USER32(00000000,00000000,?,?,00483481,?,00483566,?,?,00000000), ref: 00483422
Part of subcall function 0048341C: GetWindowThreadProcessId.USER32(00000000,?), ref: 00483434
Part of subcall function 0048341C: GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,00483481,?,00483566,?,?,00000000), ref: 0048343D

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountProcessTickWindow$CurrentForegroundThread
String ID:
API String ID: 711787588-0
Opcode ID: 9d6382f4410c0cf8a4c80b06530e5f0b551ab039682d9658fc9d01bb6d2efe45
Instruction ID: 3b4ff2fc5ab93e416a174b14f81b6e436b7efe9d21b952af33b17f0fc18b5d19
Opcode Fuzzy Hash: 9d6382f4410c0cf8a4c80b06530e5f0b551ab039682d9658fc9d01bb6d2efe45
Instruction Fuzzy Hash: 59D0C94060065155DD033EFB668222D0108AB56F2EB501D7FB08A99183CD5C8A46133F

Function 0041EFF4 Relevance: 3.0, APIs: 2, Instructions: 16threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F00E
EnumThreadWindows.USER32(00000000,0041EF90,00000000), ref: 0041F014

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 28faba8d13260114aebe4435219a546304dde162066a62bc81d999aa95987238
Instruction ID: 1bd0ab66c6aeceffdc4f5e21b8af03a27ec20acb013402289ac5ff21683637d0
Opcode Fuzzy Hash: 28faba8d13260114aebe4435219a546304dde162066a62bc81d999aa95987238
Instruction Fuzzy Hash: EBE02676600200AEDB12DF7AAD4575B37D0A394314F12483FA904D61A1D2745C84DB19

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9

Function 004085DC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB

Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09

Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98

Function 0041FB9C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6

Function 0046C450 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492

Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
String ID:
API String ID: 3319771486-0
Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E

Function 00416550 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0

Function 004149B4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 004507C4 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8

Function 0042CCCC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 93d9079c03dc8f32fd5285902e105fc94467d2f9586780870fbde36cd9cf365c
Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
Opcode Fuzzy Hash: 93d9079c03dc8f32fd5285902e105fc94467d2f9586780870fbde36cd9cf365c
Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468

Function 0042E8C8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E

Function 004062E8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71

Function 0042DDE4 Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4

Function 00454BF8 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 88d2105ec3fd8a59a595d8a01c36b656b09b6eed00d95942a14a255e30e6dd7e
Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
Opcode Fuzzy Hash: 88d2105ec3fd8a59a595d8a01c36b656b09b6eed00d95942a14a255e30e6dd7e
Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617

Function 0041467C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406F10 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675

Function 0042364C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D

ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667

Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 5ea0717b5a237d90ae3b60c45d238232e42852dd61880cea7560cbd7bb09fbd7
Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
Opcode Fuzzy Hash: 5ea0717b5a237d90ae3b60c45d238232e42852dd61880cea7560cbd7bb09fbd7
Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C

Function 004242C4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242DC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398

Function 0042CD6C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00452C55,00000000,00452C6E,?,-00000001,00000000), ref: 0042CD77

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abded0c002ebc78192aa504463f5e40d8ea57a748cef45cf468d0a982b541a78
Instruction ID: 2eab32a2699244162946c929296992ee32eb3599f5fc22494aed3d9886f7b4af
Opcode Fuzzy Hash: abded0c002ebc78192aa504463f5e40d8ea57a748cef45cf468d0a982b541a78
Instruction Fuzzy Hash: 51D012D036121015DF1455BD28C535F05884B65375BA82F37B66DE62E2D23D8857281C

Function 00466B40 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 0042CD24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a2c5bb09e392fd69b508e639abd752817b5c1d67cf81785bd365d6d583db0f26
Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
Opcode Fuzzy Hash: a2c5bb09e392fd69b508e639abd752817b5c1d67cf81785bd365d6d583db0f26
Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818

Function 00406EC0 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 0041F39C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F3B0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction ID: 48f25c4fc7afed193c39a16cc91a0304f94a1296cd048c63733264e3b5f0309e
Opcode Fuzzy Hash: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction Fuzzy Hash: D2D0C932100108AFDB018E94AC018677B69EB48210B148815FD0485221D633E831AA91

Function 0045092C Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933

Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18

Function 00406F50 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 974406c8209f5f2baf9aa7f60898e2c16b4dbb69ce3e1bfb04616041c36a0a4c
Instruction ID: 1cff4f98fe1f8e2c1d524c72e998173d896329315b0501cca3ecf0a0fad01fcd
Opcode Fuzzy Hash: 974406c8209f5f2baf9aa7f60898e2c16b4dbb69ce3e1bfb04616041c36a0a4c
Instruction Fuzzy Hash: E4B012E13D224A26CB0079FE4CC1D1A00CC4A293063406A3A3006F72C3D83CC8180014

Function 004072A8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824

Function 0044FE04 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00450010,00000000,?,004683E0,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 0044FE22

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 737efbd1d05e8daf9b2f5d4ad47827039e352d1058cf7efe3c38226c1680fcb2
Instruction ID: 66f3cd114cd8849fa0b5cd02f95834ec0ce5bd652375c405162ae2aedd08d897
Opcode Fuzzy Hash: 737efbd1d05e8daf9b2f5d4ad47827039e352d1058cf7efe3c38226c1680fcb2
Instruction Fuzzy Hash: A1D0C9B05022448EDB50EB69FA8472233E4E328346F18503FE500CA26AF33A8C44CF9C

Function 0042E3EF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18

Function 0047D0CC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00481A2F), ref: 0047D0E2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 798a4a0ef963ce7c9d3a16661f4bde20b6947b212f410e13b3a4d6eab8997eff
Instruction ID: 195a0cc7c2ab23ef077b9fe4dc52bf4a0a1d122fd989c5672d6e5019e3023c1d
Opcode Fuzzy Hash: 798a4a0ef963ce7c9d3a16661f4bde20b6947b212f410e13b3a4d6eab8997eff
Instruction Fuzzy Hash: D2C00271B902018FC754EB759DD4B6536E49715305F1144775424EB164D6746484CF29

Function 00481C6C Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00481C74

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1bc723d2fafea9f50f28bdb772eb68fb7ee591a9533dee5a29c72c4421e393ba
Instruction ID: fbd2fd99f2342ae97ce2e912f06b4f6775a0193fa59faa32ac81747571f1ea96
Opcode Fuzzy Hash: 1bc723d2fafea9f50f28bdb772eb68fb7ee591a9533dee5a29c72c4421e393ba
Instruction Fuzzy Hash: E2A002343C430430F47462511D03F4400441744F05EE1909573053C0C704D82520201E

Function 004165EC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004165F3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55

Function 0041F3C4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9

Function 00452FC4 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9b36e42861a8e97045d3d1c2d68090febbf4b925d95e27d87fd5eab6f39d8911
Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
Opcode Fuzzy Hash: 9b36e42861a8e97045d3d1c2d68090febbf4b925d95e27d87fd5eab6f39d8911
Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8

Non-executed Functions

Function 0041F118 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F

Strings

Ctl3DColorChange, xrefs: 0041F23D
Ctl3dSubclassDlgEx, xrefs: 0041F1D4
Ctl3dDlgFramePaint, xrefs: 0041F1E9
Ctl3dRegister, xrefs: 0041F181
Ctl3dSubclassCtl, xrefs: 0041F1BF
Ctl3dAutoSubclass, xrefs: 0041F213
Ctl3dUnAutoSubclass, xrefs: 0041F228
BtnWndProc3d, xrefs: 0041F252
Ctl3dCtlColorEx, xrefs: 0041F1FE
CTL3D32.DLL, xrefs: 0041F149
Ctl3dUnregister, xrefs: 0041F1AA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 671fdaa251972b62047104a2fe9ad863bdd7b53d79a33238f475940deae409a8
Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
Opcode Fuzzy Hash: 671fdaa251972b62047104a2fe9ad863bdd7b53d79a33238f475940deae409a8
Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C

Function 004585C8 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0045862F
QueryPerformanceCounter.KERNEL32(00000000,00000000,004588C2,?,?,00000000,00000000,?,00458FBE,?,00000000,00000000), ref: 00458638
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00458642
GetCurrentProcessId.KERNEL32(?,00000000,00000000,004588C2,?,?,00000000,00000000,?,00458FBE,?,00000000,00000000), ref: 0045864B
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 004586CF
CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

CreateNamedPipe, xrefs: 004586DF
helper %d 0x%x, xrefs: 004587D8
Starting 64-bit helper process., xrefs: 004585FD
D, xrefs: 00458772
Cannot utilize 64-bit features on this version of Windows, xrefs: 00458610
SetNamedPipeHandleState, xrefs: 00458759
Helper process PID: %u, xrefs: 0045884C
CreateFile, xrefs: 00458725
64-bit helper EXE wasn't extracted, xrefs: 00458623
i, xrefs: 004587AC
CreateProcess, xrefs: 00458802
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00458697

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: be3e2aad74af535179bad2a73bbdbce7deeedee64d3617dbf3cbed6bd2dfb7d8
Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
Opcode Fuzzy Hash: be3e2aad74af535179bad2a73bbdbce7deeedee64d3617dbf3cbed6bd2dfb7d8
Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69

Function 00478504 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02202C30,?,?,?,02202C30,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02202C30,?,?,?,02202C30,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02202C30,?,?,?,02202C30), ref: 004783CC
Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02202C30,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA

Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02202C30,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478

ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A

Strings

runas, xrefs: 00478559
GetExitCodeProcess, xrefs: 0047860F
MsgWaitForMultipleObjects, xrefs: 004785EF
ShellExecuteEx returned hProcess=0, xrefs: 004785B6
<, xrefs: 0047854B
ShellExecuteEx, xrefs: 004785A6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: 79d3e53d443c3b79e7afe342da530abadc549f51104da72aa591649ec2f08439
Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
Opcode Fuzzy Hash: 79d3e53d443c3b79e7afe342da530abadc549f51104da72aa591649ec2f08439
Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D

Function 00418384 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418393
GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
GetWindowRect.USER32(?), ref: 004183CC
GetWindowLongA.USER32(?,000000F0), ref: 004183DA
GetWindowLongA.USER32(?,000000F8), ref: 004183EF
ScreenToClient.USER32(00000000), ref: 004183F8
ScreenToClient.USER32(00000000,?), ref: 00418403

Strings

,, xrefs: 0041839C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65

Function 004555E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F

Strings

SeShutdownPrivilege, xrefs: 0045560B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: df5f2c4a541694cd1c04f8324160b67a3be1538f30066156bb5e3b01538ef1f2
Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
Opcode Fuzzy Hash: df5f2c4a541694cd1c04f8324160b67a3be1538f30066156bb5e3b01538ef1f2
Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E

Function 004980A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4

Strings

isRS-, xrefs: 0049811B
isRS-???.tmp, xrefs: 004980E5

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 2cb7e2670026ff323e8dee1ec3b8b1f3f25956717e63939b2755f6d65d425c3e
Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
Opcode Fuzzy Hash: 2cb7e2670026ff323e8dee1ec3b8b1f3f25956717e63939b2755f6d65d425c3e
Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58

Function 00457594 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
SetForegroundWindow.USER32(?), ref: 00457649
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 07d9476e03c8d7360a343fdd7a71a2d4d0b169a7e8f0ef14eb54f7c401357684
Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
Opcode Fuzzy Hash: 07d9476e03c8d7360a343fdd7a71a2d4d0b169a7e8f0ef14eb54f7c401357684
Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68

Function 00417CD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D0F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A

Strings

,, xrefs: 00417D51

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8

Function 00464158 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 5158f659c4e1215f99186bd7ba8854c88035ca64dff55ff97fa9415a11482c3d
Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
Opcode Fuzzy Hash: 5158f659c4e1215f99186bd7ba8854c88035ca64dff55ff97fa9415a11482c3d
Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59

Function 00463CDC Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: abeb1b2530df01007ba7b3f2f5985a83fe19df2c1382cd7cab5931380c1d4a65
Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
Opcode Fuzzy Hash: abeb1b2530df01007ba7b3f2f5985a83fe19df2c1382cd7cab5931380c1d4a65
Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59

Function 0042E934 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: ca7e64f53124eee773614f4530e241cea0742e07ac6524e5167bff1d6a405f94
Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
Opcode Fuzzy Hash: ca7e64f53124eee773614f4530e241cea0742e07ac6524e5167bff1d6a405f94
Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD

Function 0048393C Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0048397A
GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: eced40890854bebd7317fa2d6d43d84d766b7a93c8695781d913d3e5347b8eed
Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
Opcode Fuzzy Hash: eced40890854bebd7317fa2d6d43d84d766b7a93c8695781d913d3e5347b8eed
Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C

Function 00462750 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5abcc9c321325ced0386872c73161ee21156d1b576f74443c312b00ff4da3d0e
Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
Opcode Fuzzy Hash: 5abcc9c321325ced0386872c73161ee21156d1b576f74443c312b00ff4da3d0e
Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69

Function 004241DC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241E4
SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1

Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667

Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,022025AC,0042420A,?,?,?,0046CD53), ref: 00423B4F

SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778

Function 00417CCE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D0F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8

Function 00417598 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175C3
GetCapture.USER32 ref: 004175CC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: c8f0edb1377470e81cbec4a2b95b5efcfd9f911131a56f14dd142127f01798ba
Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
Opcode Fuzzy Hash: c8f0edb1377470e81cbec4a2b95b5efcfd9f911131a56f14dd142127f01798ba
Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798

Function 00424194 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042419B

Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02

SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF

Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724

Function 004125D8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 52e37b400ef70ce07d55a0833d187e2ce83493dd1eac51222033d67a41acb98e
Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
Opcode Fuzzy Hash: 52e37b400ef70ce07d55a0833d187e2ce83493dd1eac51222033d67a41acb98e
Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D

Function 00478AC0 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 844696e8b897343bdf835c25a6a000e65cc716b27902cfddd3917abf911a0a20
Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
Opcode Fuzzy Hash: 844696e8b897343bdf835c25a6a000e65cc716b27902cfddd3917abf911a0a20
Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58

Function 0042F520 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 84fa915654b0e9cabe4af8b3610e56d273e883bd018482bfacacc2813b1fcd3b
Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
Opcode Fuzzy Hash: 84fa915654b0e9cabe4af8b3610e56d273e883bd018482bfacacc2813b1fcd3b
Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

Function 0044B658 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3

Strings

GetThemeTextExtent, xrefs: 0044B70D
GetThemeBackgroundRegion, xrefs: 0044B731
IsThemeDialogTextureEnabled, xrefs: 0044B95F
GetThemeMargins, xrefs: 0044B83F
GetThemePosition, xrefs: 0044B809
GetThemeAppProperties, xrefs: 0044B971
DrawThemeIcon, xrefs: 0044B767
SetWindowTheme, xrefs: 0044B875
GetThemeSysBool, xrefs: 0044B8BD
GetCurrentThemeName, xrefs: 0044B995
GetThemeEnumValue, xrefs: 0044B7F7
GetThemeSysString, xrefs: 0044B8F3
IsAppThemed, xrefs: 0044B929
GetThemeRect, xrefs: 0044B82D
IsThemeActive, xrefs: 0044B917
GetThemeFilename, xrefs: 0044B887
GetThemeIntList, xrefs: 0044B851
HitTestThemeBackground, xrefs: 0044B743
GetThemeSysColor, xrefs: 0044B899
EnableTheming, xrefs: 0044B9CB
GetThemeInt, xrefs: 0044B7E5
EnableThemeDialogTexture, xrefs: 0044B94D
CloseThemeData, xrefs: 0044B6A1
GetThemePropertyOrigin, xrefs: 0044B863
OpenThemeData, xrefs: 0044B68F
GetThemeFont, xrefs: 0044B81B
SetThemeAppProperties, xrefs: 0044B983
DrawThemeText, xrefs: 0044B6C5
GetThemeSysSize, xrefs: 0044B8CF
GetThemeTextMetrics, xrefs: 0044B71F
GetThemeBackgroundContentRect, xrefs: 0044B6D7, 0044B6E9
DrawThemeBackground, xrefs: 0044B6B3
GetThemeColor, xrefs: 0044B79D
GetThemeSysInt, xrefs: 0044B905
GetThemeBool, xrefs: 0044B7D3
uxtheme.dll, xrefs: 0044B67A
GetWindowTheme, xrefs: 0044B93B
GetThemeMetric, xrefs: 0044B7AF
GetThemeSysColorBrush, xrefs: 0044B8AB
GetThemePartSize, xrefs: 0044B6FB
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B78B
DrawThemeParentBackground, xrefs: 0044B9B9
GetThemeDocumentationProperty, xrefs: 0044B9A7
GetThemeSysFont, xrefs: 0044B8E1
GetThemeString, xrefs: 0044B7C1
DrawThemeEdge, xrefs: 0044B755
IsThemePartDefined, xrefs: 0044B779

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD

Function 00492848 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
FindWindowA.USER32(00000000,00000000), ref: 004928B9

Strings

REGISTERWINDOWMESSAGE, xrefs: 00492A1B
CREATEMUTEX, xrefs: 00492C69
SENDNOTIFYMESSAGE, xrefs: 004929BF
SENDBROADCASTMESSAGE, xrefs: 00492A55
OEMTOCHARBUFF, xrefs: 00492C9B
SLEEP, xrefs: 00492872
POSTMESSAGE, xrefs: 00492963
CALLDLLPROC, xrefs: 00492BAD
SENDMESSAGE, xrefs: 0049290D
SENDBROADCASTNOTIFYMESSAGE, xrefs: 00492AF7
FREEDLL, xrefs: 00492C34
POSTBROADCASTMESSAGE, xrefs: 00492AA3
FINDWINDOWBYCLASSNAME, xrefs: 00492895
FINDWINDOWBYWINDOWNAME, xrefs: 004928D1
CHARTOOEMBUFF, xrefs: 00492CDE
LOADDLL, xrefs: 00492B4B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: fe0993328b1714d090c62d4b65a95ce68cbab2884a00f13d32d38987ffe254b3
Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
Opcode Fuzzy Hash: fe0993328b1714d090c62d4b65a95ce68cbab2884a00f13d32d38987ffe254b3
Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

Function 0041CA0C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041CA40
CreateCompatibleDC.GDI32(?), ref: 0041CA4C
CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
CreateCompatibleDC.GDI32(?), ref: 0041CB2B
SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
RealizePalette.GDI32(00000000), ref: 0041CB7D
SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
RealizePalette.GDI32(0041CE3C), ref: 0041CB95
SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
SelectObject.GDI32(00000000,?), ref: 0041CBEE
DeleteDC.GDI32(00000000), ref: 0041CC04

Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68

Function 004983D0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7

Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481

Strings

Setup, xrefs: 0049843F
/REG, xrefs: 00498405
/REGU, xrefs: 00498429
Inno-Setup-RegSvr-Mutex, xrefs: 0049845D
.lst, xrefs: 004984E4
.msg, xrefs: 004984CA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 6acfce5c0d266c00f3cb08664922df7ad17872da4bad7acadb5bfb626d6c80a7
Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
Opcode Fuzzy Hash: 6acfce5c0d266c00f3cb08664922df7ad17872da4bad7acadb5bfb626d6c80a7
Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19

Function 0045A6D8 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846

Strings

Failed to delete the file; it may be in use (%d)., xrefs: 0045A935
.chw, xrefs: 0045A78D
.lnk, xrefs: 0045A7B3
The file appears to be in use (%d). Will delete on restart., xrefs: 0045A88F
.gid, xrefs: 0045A728
Stripped read-only attribute., xrefs: 0045A81F
.chm, xrefs: 0045A774
.hlp, xrefs: 0045A70F
Deleting file: %s, xrefs: 0045A7E5
.fts, xrefs: 0045A74C
Failed to strip read-only attribute., xrefs: 0045A82B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 43171a4fcbad40929b381a5514e069f0f32426cb02f36866d449381604384e36
Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
Opcode Fuzzy Hash: 43171a4fcbad40929b381a5514e069f0f32426cb02f36866d449381604384e36
Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E

Function 0045CBC0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045CBDA
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22

Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4

Strings

advapi32.dll, xrefs: 0045CBF5
SetEntriesInAclW, xrefs: 0045CC1C
SetNamedSecurityInfoW, xrefs: 0045CC0E
W, xrefs: 0045CCF2
GetNamedSecurityInfoW, xrefs: 0045CC01

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 428efc784f41d3aa7d264c2f262ec685fe65e126583ce7bbd5579cd36a3925cf
Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
Opcode Fuzzy Hash: 428efc784f41d3aa7d264c2f262ec685fe65e126583ce7bbd5579cd36a3925cf
Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9

Function 0041B3AC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
GetDC.USER32(00000000), ref: 0041B402
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
ReleaseDC.USER32(00000000,00000000), ref: 0041B455
SelectObject.GDI32(00000000,?), ref: 0041B470
SelectObject.GDI32(?,00000000), ref: 0041B47F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
SelectObject.GDI32(?,00000000), ref: 0041B4C7
DeleteDC.GDI32(00000000), ref: 0041B4D0
DeleteDC.GDI32(?), ref: 0041B4D9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8

Function 00454874 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D

Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7

RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40

Strings

, xrefs: 004548FE
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
RegOpenKeyEx, xrefs: 00454910

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69

Function 00459458 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0

Strings

v2.0.50727, xrefs: 0045955B
v1.1.4322, xrefs: 004595C2
.NET Framework version %s not found, xrefs: 00459609
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
.NET Framework not found, xrefs: 0045961D
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
v4.0.30319, xrefs: 004594F1

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19

Function 00458A44 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00458A7B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
Helper isn't responding; killing it., xrefs: 00458A87
Helper process exited with failure code: 0x%x, xrefs: 00458AE3
Helper process exited., xrefs: 00458AC5
Helper process exited, but failed to get exit code., xrefs: 00458AEF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
Opcode Fuzzy Hash: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A

Function 00454528 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B

Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
RegCreateKeyEx, xrefs: 004545C3
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
, xrefs: 004545B1

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69

Function 00496C50 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8

Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17

DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00496D87
STATIC, xrefs: 00496D0E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68

Function 0042E418 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495

Strings

Locale, xrefs: 0042E484
kernel32.dll, xrefs: 0042E43C
GetUserDefaultUILanguage, xrefs: 0042E437
.DEFAULT\Control Panel\International, xrefs: 0042E46C
QaE, xrefs: 0042E4D7, 0042E4DF, 0042E4EA, 0042E50C
Control Panel\Desktop\ResourceLocale, xrefs: 0042E4A4

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
API String ID: 4190037839-2312295185
Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C

Function 004629F0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004629FC
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
GetWindowRect.USER32(?,00000000), ref: 00462A76
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4

Strings

user32.dll, xrefs: 00462A0B
GetMonitorInfoA, xrefs: 00462A24
MonitorFromWindow, xrefs: 00462A17
(, xrefs: 00462A55

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A

Function 0042F188 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F194
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
GetWindowRect.USER32(?,00000000), ref: 0042F20E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C

Strings

MonitorFromWindow, xrefs: 0042F1AF
(, xrefs: 0042F1ED
user32.dll, xrefs: 0042F1A3
GetMonitorInfoA, xrefs: 0042F1BC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9

Function 00458C1C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,00000000,00000000), ref: 00458C79
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458D90,?,00000000), ref: 00458D55
GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458D90,?,00000000), ref: 00458D5C

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

TransactNamedPipe, xrefs: 00458CEF
CreateEvent, xrefs: 00458C87

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: ef16c20a6daf1f887f3bc2a9a4f4fdabf826d35dd2b72c43caf5f800eb3833ff
Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
Opcode Fuzzy Hash: ef16c20a6daf1f887f3bc2a9a4f4fdabf826d35dd2b72c43caf5f800eb3833ff
Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28

Function 00456D20 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

GetProcAddress, xrefs: 00456D5B
LoadTypeLib, xrefs: 00456DA6
ITypeLib::GetLibAttr, xrefs: 00456DD1
UnRegisterTypeLib, xrefs: 00456E07
OLEAUT32.DLL, xrefs: 00456D43
UnRegisterTypeLib, xrefs: 00456D3E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28

Function 00416D80 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E13
SaveDC.GDI32(?), ref: 00416E27
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
RestoreDC.GDI32(?,?), ref: 00416E65
CreateSolidBrush.GDI32(00000000), ref: 00416EE5
FrameRect.USER32(?,?,?), ref: 00416F18
DeleteObject.GDI32(?), ref: 00416F22
CreateSolidBrush.GDI32(00000000), ref: 00416F32
FrameRect.USER32(?,?,?), ref: 00416F65
DeleteObject.GDI32(?), ref: 00416F6F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 31305b42e63a20fe9f9ee5f73744d5e2f5e6a90e84c308e69de84060d35988a9
Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
Opcode Fuzzy Hash: 31305b42e63a20fe9f9ee5f73744d5e2f5e6a90e84c308e69de84060d35988a9
Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221E8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422233
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698

Function 0046168C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004616C7
GetActiveWindow.USER32 ref: 0046172B
CoInitialize.OLE32(00000000), ref: 0046173F
SHBrowseForFolder.SHELL32(?), ref: 00461756
7712D120.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A

Strings

A, xrefs: 004616FF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ActiveWindow$7712BrowseD120FolderInitializeMalloc
String ID: A
API String ID: 3129831556-3554254475
Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59

Function 0045D2B4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED

Strings

inflateInit_, xrefs: 0045D2B7
inflateEnd, xrefs: 0045D2D7
inflateReset, xrefs: 0045D2E7
inflate, xrefs: 0045D2C7

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E

Function 0041A8DC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9B9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
SetBkColor.GDI32(?,?), ref: 0041AA08
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
SetBkColor.GDI32(00000000,?), ref: 0041AAC3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58

Function 004580C4 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA

Strings

regsvr32.exe", xrefs: 0045810B
/u, xrefs: 00458126
CreateProcess, xrefs: 004581DC
/s ", xrefs: 00458133
Spawning 32-bit RegSvr32: , xrefs: 00458171
0x%x, xrefs: 0045820D
Spawning 64-bit RegSvr32: , xrefs: 0045814F
D, xrefs: 004581A0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19

Function 0044D178 Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
GetSysColor.USER32(00000014), ref: 0044D1B0
SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
GetSysColor.USER32(00000010), ref: 0044D202
SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668

Function 0041B66C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B745
GetDC.USER32(?), ref: 0041B751
SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
RealizePalette.GDI32(00000000), ref: 0041B792
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4

Strings

%H, xrefs: 0041B674

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID: %H
API String ID: 3275473261-1959103961
Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9

Function 0041B93C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA17
GetDC.USER32(?), ref: 0041BA23
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
RealizePalette.GDI32(00000000), ref: 0041BA69
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1

Strings

%H, xrefs: 0041B944

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID: %H
API String ID: 3275473261-1959103961
Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4

Function 004964F4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933

Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8

Strings

Deleting Uninstall data files., xrefs: 004964FB

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D

Function 004701FC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
AddFontResourceA.GDI32(00000000), ref: 00470297
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB

Strings

Failed to open Fonts registry key., xrefs: 00470281
Failed to set value in Fonts registry key., xrefs: 0047026C
AddFontResource, xrefs: 004702B5

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D

Function 00462E30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE

GetVersion.KERNEL32 ref: 00462E60
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12

Strings

Explorer, xrefs: 00462E7A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D

Function 00478370 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02202C30,?,?,?,02202C30,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02202C30,?,?,?,02202C30,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02202C30,?,?,?,02202C30), ref: 004783CC
CloseHandle.KERNEL32(00000000,?,?,?,02202C30,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA

Strings

GetFinalPathNameByHandleA, xrefs: 0047837F
kernel32.dll, xrefs: 00478384

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 6bc275baaa87b820f83455aa3780e808e355a1b98666f0b165ca17ab90bcbd73
Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
Opcode Fuzzy Hash: 6bc275baaa87b820f83455aa3780e808e355a1b98666f0b165ca17ab90bcbd73
Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E

Function 00459E0C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2

Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9

Strings

Deleting directory: %s, xrefs: 00459E5B
Failed to strip read-only attribute., xrefs: 00459EA0
Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
Stripped read-only attribute., xrefs: 00459E94
Failed to delete directory (%d)., xrefs: 00459F68
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 825b69e71020358a2790d5b66baca682891f253eb20f6d4b4ab0a73fce46c835
Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
Opcode Fuzzy Hash: 825b69e71020358a2790d5b66baca682891f253eb20f6d4b4ab0a73fce46c835
Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E

Function 0042F290 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
GetActiveWindow.USER32 ref: 0042F2DA
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58

Function 00429480 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042948A
GetTextMetricsA.GDI32(00000000), ref: 00429493

Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7

SelectObject.GDI32(00000000,00000000), ref: 004294A2
GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
SelectObject.GDI32(00000000,00000000), ref: 004294B6
ReleaseDC.USER32(00000000,00000000), ref: 004294BE
GetSystemMetrics.USER32(00000006), ref: 004294E3
GetSystemMetrics.USER32(00000006), ref: 004294FD

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A

Function 0041DE24 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041DE27
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
GetStockObject.GDI32(00000007), ref: 0041DE5B
GetStockObject.GDI32(00000005), ref: 0041DE67
GetStockObject.GDI32(0000000D), ref: 0041DE73
LoadIconA.USER32(00000000,00007F00), ref: 0041DE84

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E

Function 00463240 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00463344
SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4

Strings

Internal error: Item already expanding, xrefs: 004632E1
, xrefs: 004635DA
, xrefs: 004635BF

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A

Function 00453D30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17

Strings

MoveFileEx, xrefs: 00454027
WININIT.INI, xrefs: 00453DC5
.tmp, xrefs: 00453DD3
NUL, xrefs: 00453ED9
[rename], xrefs: 00453E7A, 00453EB6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58

Function 00408720 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A

Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586

Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7

Strings

AMPM, xrefs: 00408905
:mm:ss, xrefs: 00408936
m/d/yy, xrefs: 00408809
mmmm d, yyyy, xrefs: 0040882B
:mm, xrefs: 0040891C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D

Function 004116F4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A

Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6

Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD

Strings

?, xrefs: 004117A6
,, xrefs: 0041179F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58

Function 0041BE63 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
DeleteObject.GDI32(?), ref: 0041BF9F
DeleteObject.GDI32(?), ref: 0041BFA8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68

Function 0041CED8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
RealizePalette.GDI32(?), ref: 0041CF92
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
SelectPalette.GDI32(?,?,00000001), ref: 0041D05F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58

Function 004572DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 0045732E

Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C

Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
TranslateMessage.USER32(?), ref: 004573B3
DispatchMessageA.USER32(?), ref: 004573BC

Strings

[Paused] , xrefs: 00457364

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69

Function 0046B420 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500

Strings

CheckPassword, xrefs: 0046B484

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: a15a8593e9f633b5a85a0686193dd54b7b5146f7df37d6bd0e19c7d70d8febf0
Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
Opcode Fuzzy Hash: a15a8593e9f633b5a85a0686193dd54b7b5146f7df37d6bd0e19c7d70d8febf0
Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99

Function 00477C6C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5

SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
GetTickCount.KERNEL32 ref: 00477CE6
GetTickCount.KERNEL32 ref: 00477CF0
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD

Function 00459784 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F

Strings

.NET Framework CreateAssemblyCache function failed, xrefs: 00459862
Fusion.dll, xrefs: 004597DF
Failed to load .NET Framework DLL "%s", xrefs: 00459824
CreateAssemblyCache, xrefs: 00459836
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799

Function 0041C148 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055

GetFocus.USER32 ref: 0041C168
GetDC.USER32(?), ref: 0041C174
SelectPalette.GDI32(?,?,00000000), ref: 0041C195
RealizePalette.GDI32(?), ref: 0041C1A1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
ReleaseDC.USER32(?,?), ref: 0041C1ED

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28

Function 00418C54 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C70
GetSystemMetrics.USER32(0000000D), ref: 00418C78
6F9C2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E

Part of subcall function 004107F8: 6F9BC400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC

6FA2CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
6FA2C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
6FA2CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
6F9C0860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$C0860C2980C400C740
String ID:
API String ID: 624341609-0
Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759

Function 00483C6C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09

Strings

WinNT, xrefs: 00483CB9
ServerNT, xrefs: 00483CED
System\CurrentControlSet\Control\ProductOptions, xrefs: 00483C90
ProductType, xrefs: 00483CA8
LanmanNT, xrefs: 00483CD3

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C

Function 0041B462 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B470
SelectObject.GDI32(?,00000000), ref: 0041B47F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
SelectObject.GDI32(?,00000000), ref: 0041B4C7
DeleteDC.GDI32(00000000), ref: 0041B4D0
DeleteDC.GDI32(?), ref: 0041B4D9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8

Function 00495508 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00495519

Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7

SelectObject.GDI32(00000000,00000000), ref: 0049553B
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
GetTextMetricsA.GDI32(00000000,?), ref: 00495571
ReleaseDC.USER32(00000000,00000000), ref: 0049558E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: a4d12ece59ca6c64cb8c4defcdc73c5f067a9176de86fed221050984d74d5100
Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
Opcode Fuzzy Hash: a4d12ece59ca6c64cb8c4defcdc73c5f067a9176de86fed221050984d74d5100
Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28

Function 00423394 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233AF
WindowFromPoint.USER32(?,?), ref: 004233BC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
GetCurrentThreadId.KERNEL32 ref: 004233D1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
SetCursor.USER32(00000000), ref: 00423413

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D

Function 0049532C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356

Strings

user32.dll, xrefs: 00495337
GetMonitorInfoA, xrefs: 00495350
MonitorFromRect, xrefs: 00495343

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED

Function 0045D188 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D191
GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D1A1
GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D1B1

Strings

ArcFourInit, xrefs: 0045D19B
ISCryptGetVersion, xrefs: 0045D18B
ArcFourCrypt, xrefs: 0045D1AB

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C

Function 0045D688 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1

Strings

BZ2_bzDecompress, xrefs: 0045D69B
BZ2_bzDecompressEnd, xrefs: 0045D6AB
BZ2_bzDecompressInit, xrefs: 0045D68B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C

Function 0042EA1C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C

Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60

Strings

user32.dll, xrefs: 0042EA30
ChangeWindowMessageFilterEx, xrefs: 0042EA2B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E

Function 0044C7DC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C

Strings

CreateStdAccessibleObject, xrefs: 0044C806
LresultFromObject, xrefs: 0044C7F6
oleacc.dll, xrefs: 0044C7E6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C

Function 00478C20 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43

Strings

VerifyVersionInfoW, xrefs: 00478C3D
VerSetConditionMask, xrefs: 00478C2D
kernel32.dll, xrefs: 00478C21

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C

Function 0041B508 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B57E
GetDC.USER32(?), ref: 0041B58A
GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
ReleaseDC.USER32(?,?), ref: 0041B626

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5

Function 0045D04C Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6

Strings

CURRENT_USER, xrefs: 0045D08B
USERS, xrefs: 0045D0A9
MACHINE, xrefs: 0045D09A
CLASSES_ROOT, xrefs: 0045D07C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E

Function 0041BD8C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
GetDC.USER32(00000000), ref: 0041BDE9
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
ReleaseDC.USER32(00000000,00000000), ref: 0041BE56

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69

Function 0047E758 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047E766
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 761baba5ea275c4f8ba8f3b2538ab5f77c1d2b06cda4c3ad0feadca871259e14
Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
Opcode Fuzzy Hash: 761baba5ea275c4f8ba8f3b2538ab5f77c1d2b06cda4c3ad0feadca871259e14
Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49

Function 0041B270 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B

UnrealizeObject.GDI32(00000000), ref: 0041B27C
SelectObject.GDI32(?,00000000), ref: 0041B28E
SetBkColor.GDI32(?,00000000), ref: 0041B2B1
SetBkMode.GDI32(?,00000002), ref: 0041B2BC
SetBkColor.GDI32(?,00000000), ref: 0041B2D7
SetBkMode.GDI32(?,00000001), ref: 0041B2E2

Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A

Function 004538BC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB

Strings

_iu, xrefs: 0045394D
!nI, xrefs: 004538EC, 004538F7, 00453952, 0045395C, 0045392C, 00453936
.tmp, xrefs: 0045395F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: !nI$.tmp$_iu
API String ID: 3498533004-584216493
Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69

Function 00497D5C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3

Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481

Strings

.dat, xrefs: 00497DD9
Uninstall, xrefs: 00497D78
.msg, xrefs: 00497DF8
IMsg, xrefs: 00497E66

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: d050b8c65b09966d21fe0fc985d660f82682418f1ef04ac2b8f2793e44e24393
Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
Opcode Fuzzy Hash: d050b8c65b09966d21fe0fc985d660f82682418f1ef04ac2b8f2793e44e24393
Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68

Function 0042EAA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09

Strings

user32.dll, xrefs: 0042EAD5
ShutdownBlockReasonCreate, xrefs: 0042EAD0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E

Function 00457FF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
CloseHandle.KERNEL32(?,0045807C), ref: 0045806F

Strings

GetExitCodeProcess, xrefs: 00458052
MsgWaitForMultipleObjects, xrefs: 00458035

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
Opcode Fuzzy Hash: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D

Function 0042E9AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9

Strings

user32.dll, xrefs: 0042E9BD
ChangeWindowMessageFilter, xrefs: 0042E9B8

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E

Function 00477B94 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5

Strings

AllowSetForegroundWindow, xrefs: 00477BA5
user32.dll, xrefs: 00477BAA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D

Function 00416C2C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C52
SaveDC.GDI32(?), ref: 00416C83
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
RestoreDC.GDI32(?,?), ref: 00416D0B
EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58

Function 00414800 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414836
MulDiv.KERNEL32(?,?,?), ref: 00414850
MulDiv.KERNEL32(?,?,?), ref: 00414879
MulDiv.KERNEL32(?,?,?), ref: 004148A4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148EC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19

Function 004297CC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228

Function 0041BBB8 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
GetDC.USER32(00000000), ref: 0041BC12
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
DeleteObject.GDI32(00000000), ref: 0041BC9A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98

Function 004735D8 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7

GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
Setting permissions on registry key: %s\%s, xrefs: 0047362A
Failed to set permissions on registry key (%d)., xrefs: 0047368C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: f83a2768d3c65ea5df61b415147cb4a980a2a4da2a2eeea125c2e66a17c72d68
Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
Opcode Fuzzy Hash: f83a2768d3c65ea5df61b415147cb4a980a2a4da2a2eeea125c2e66a17c72d68
Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143E0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
RealizePalette.GDI32(00000000), ref: 00414421
SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
RealizePalette.GDI32(00000000), ref: 0041443B
ReleaseDC.USER32(00000000,00000000), ref: 00414446

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765

Function 00424CE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092

Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA

OffsetRect.USER32(?,?,?), ref: 00424DC9
DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
OffsetRect.USER32(?,?,?), ref: 00424E9D

Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD

Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47

Strings

vLB, xrefs: 00424CF3, 00424DD1

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
String ID: vLB
API String ID: 1477829881-1797516613
Opcode ID: b071e8f690a675b1b5ec03376c9d1dc0568a9cea913d7d114b2f1dd6f13c8b48
Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
Opcode Fuzzy Hash: b071e8f690a675b1b5ec03376c9d1dc0568a9cea913d7d114b2f1dd6f13c8b48
Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44

Function 00406FA4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5

Strings

Z, xrefs: 0040703C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A

Function 0044CFC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044D04E
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101

Strings

, xrefs: 0044D033

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64

Function 0042EF74 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042EF9E

Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7

SelectObject.GDI32(?,00000000), ref: 0042EFC1
ReleaseDC.USER32(00000000,?), ref: 0042F0A0

Strings

...\, xrefs: 0042F052

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59

Function 00416410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
UnregisterClassA.USER32(?,00400000), ref: 004164AB
RegisterClassA.USER32(?), ref: 004164CE

Strings

@, xrefs: 00416429

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 5b42dbe956ccb297a4347149b64d01d8291e8cf711d902875b0d5c2af7b22291
Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
Opcode Fuzzy Hash: 5b42dbe956ccb297a4347149b64d01d8291e8cf711d902875b0d5c2af7b22291
Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A

Function 00498210 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2

Strings

isRS-%.3u.tmp, xrefs: 0049825F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: caa082c947593af69ac399f5aa69a479bfa54a7c4d0fec8f0c1611cec8706775
Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
Opcode Fuzzy Hash: caa082c947593af69ac399f5aa69a479bfa54a7c4d0fec8f0c1611cec8706775
Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59

Function 00456BFC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D

Strings

LoadTypeLib, xrefs: 00456C5B
RegisterTypeLib, xrefs: 00456C88

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24

Function 00457154 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
Failed to create DebugClientWnd, xrefs: 004571D4

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE

Function 004786EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC

GetFocus.USER32 ref: 00478757
GetKeyState.USER32(0000007A), ref: 00478769
WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773

Strings

Wnd=$%x, xrefs: 0047873B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69

Function 0046E610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627

Strings

(invalid), xrefs: 0046E6AA
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046E69C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7

Function 00453F76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83

Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B

MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8

Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F

Strings

MoveFile, xrefs: 00453FB1
DeleteFile, xrefs: 00453F94

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529

Function 00459364 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1

Strings

.NET Framework not found, xrefs: 004593C0
SOFTWARE\Microsoft\.NETFramework, xrefs: 00459384
InstallRoot, xrefs: 004593A0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629

Function 00483BC4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
CSDVersion, xrefs: 00483BFC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59

Function 0042D8F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910

Strings

GetSystemWow64DirectoryA, xrefs: 0042D900
kernel32.dll, xrefs: 0042D905

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D

Function 0042EB54 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68

Strings

user32.dll, xrefs: 0042EB5D
ShutdownBlockReasonDestroy, xrefs: 0042EB58

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD

Function 0044F744 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785

Strings

NotifyWinEvent, xrefs: 0044F775
user32.dll, xrefs: 0044F77A

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D

Function 00498968 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978

Strings

user32.dll, xrefs: 0049896D
DisableProcessWindowsGhosting, xrefs: 00498968

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F

Function 004645F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609

Strings

SHPathPrepareForWriteA, xrefs: 004645F9
shell32.dll, xrefs: 004645FE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE

Function 0047D67C Relevance: 6.2, APIs: 4, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: a6a6de62ca6c42606125c8bf602dc313b21ff567e24e7e5ea6ef40873b2a201c
Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
Opcode Fuzzy Hash: a6a6de62ca6c42606125c8bf602dc313b21ff567e24e7e5ea6ef40873b2a201c
Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54

Function 004755AC Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36

Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD

GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A

Strings

, xrefs: 00475642, 0047565D
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 004756DF
MoveFileEx, xrefs: 0047566F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: a13b4d41162069bde37ca5ba37a3bfc16fb44220c5afb8832f1568bbfa6ce935
Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
Opcode Fuzzy Hash: a13b4d41162069bde37ca5ba37a3bfc16fb44220c5afb8832f1568bbfa6ce935
Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9

Function 00413CF8 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D46
GetDesktopWindow.USER32 ref: 00413DFE

Part of subcall function 00418EC0: 6FA2C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9

SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98

Function 00408A54 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B

Function 0044E8C4 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D

Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991

Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8

IsRectEmpty.USER32(?), ref: 0044E953
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299

Function 00495924 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00495988
OffsetRect.USER32(?,00000000,?), ref: 004959A3
OffsetRect.USER32(?,?,00000000), ref: 004959BD
OffsetRect.USER32(?,00000000,?), ref: 004959D8

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761

Function 00417218 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417260
SetCursor.USER32(00000000), ref: 004172A3
GetLastActivePopup.USER32(?), ref: 004172CD
GetForegroundWindow.USER32(?), ref: 004172D4

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: f57167407fddf9cd78af34a0bec631c5eda0cffb2877c5f098be8ccd36a9b240
Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
Opcode Fuzzy Hash: f57167407fddf9cd78af34a0bec631c5eda0cffb2877c5f098be8ccd36a9b240
Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E

Function 004955DC Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
MulDiv.KERNEL32(?,00000008,?), ref: 00495605
MulDiv.KERNEL32(?,00000008,?), ref: 00495619
MulDiv.KERNEL32(?,00000008,?), ref: 00495637

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68

Function 0041F480 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
RegisterClassA.USER32(00499598), ref: 0041F4D4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC

Function 0040D010 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68

Function 004705A0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 004705F1

Strings

Failed to set NTFS compression state (%d)., xrefs: 00470602
Setting NTFS compression on file: %s, xrefs: 004705BF
Unsetting NTFS compression on file: %s, xrefs: 004705D7

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: e534bd073bd99d1ffd8d8a7551bf23dca8ffa9a0f38022b87dc0121eb45f3a98
Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
Opcode Fuzzy Hash: e534bd073bd99d1ffd8d8a7551bf23dca8ffa9a0f38022b87dc0121eb45f3a98
Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E

Function 0046FDF4 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45

Strings

Setting NTFS compression on directory: %s, xrefs: 0046FE13
Failed to set NTFS compression state (%d)., xrefs: 0046FE56
Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: f57c8121f87b7cbe45d24f1443a8c943819022774a47ae68e03ba31a404fe09e
Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
Opcode Fuzzy Hash: f57c8121f87b7cbe45d24f1443a8c943819022774a47ae68e03ba31a404fe09e
Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B

Function 00455D9C Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D

Function 00478204 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776

Function 00424240 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042424C
IsWindowVisible.USER32(?), ref: 0042425D
IsWindowEnabled.USER32(?), ref: 00424267
SetForegroundWindow.USER32(?), ref: 00424271

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD

Function 0040626C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040626F
GlobalUnWire.KERNEL32(00000000), ref: 00406276
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
GlobalFix.KERNEL32(00000000), ref: 00406281

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A

Function 0047A218 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
Failed to parse "reg" constant, xrefs: 0047A480

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99

Function 004763AC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4

Strings

Extracting temporary file: , xrefs: 004763EC

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58

Function 0046CC0C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49

Function 00450168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E

Strings

open, xrefs: 00450221

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59

Function 00455290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D

Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7

Strings

<, xrefs: 004552E6

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 397510d247cb734b7669861417dbfcfbd251f2c0a68ff4605259e86b5c29478d
Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
Opcode Fuzzy Hash: 397510d247cb734b7669861417dbfcfbd251f2c0a68ff4605259e86b5c29478d
Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0223E240,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C

Function 00496B2E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69

Strings

@, xrefs: 00496B34
/INITPROCWND=$%x , xrefs: 00496B94

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658

Function 00447414 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 004474C6

Strings

Unknown Method, xrefs: 0044749F
NIL Interface Exception, xrefs: 00447468

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69

Function 004963A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425

Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C

Strings

0nI, xrefs: 004963D9, 004963E8

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: 0nI
API String ID: 3798668922-794067871
Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D

Function 0042DD64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8

Strings

Inno Setup: No Icons, xrefs: 0042DD76

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E

Function 00452E88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB

Strings

T$H, xrefs: 00452EF9

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: T$H
API String ID: 1799206407-488339322
Opcode ID: 5d86fcf9b6e052d8a24a57bf4ef79df3c2f35f3d819ce0a4394afd1f6d7b89dc
Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
Opcode Fuzzy Hash: 5d86fcf9b6e052d8a24a57bf4ef79df3c2f35f3d819ce0a4394afd1f6d7b89dc
Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558

Function 00498004 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(00000000,00481A2F), ref: 0047D0E2

Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6

Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F

Strings

Detected restart. Removing temporary directory., xrefs: 00498013

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356

Strings

P8}, xrefs: 0040335B

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: P8}
API String ID: 2123368496-2866169560
Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD

Function 00455674 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00455693
Sleep.KERNEL32(?), ref: 004556A3
GetLastError.KERNEL32 ref: 004556B6
GetLastError.KERNEL32 ref: 004556C0

Memory Dump Source

Source File: 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2467249735.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467318619.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467331713.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467344319.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2467357279.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 124e83ad3764f0425cc9cce0cec047ecc2156a8e27ad070cfe64c44283ad0992
Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
Opcode Fuzzy Hash: 124e83ad3764f0425cc9cce0cec047ecc2156a8e27ad070cfe64c44283ad0992
Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe (copy)

C:\Program Files (x86)\txt to epub converter\config.ini (copy)

C:\Program Files (x86)\txt to epub converter\epubfiles\CCS\is-FSN7P.tmp

C:\Program Files (x86)\txt to epub converter\epubfiles\CCS\stylesheet.css (copy)

C:\Program Files (x86)\txt to epub converter\epubfiles\META-INF\container.xml (copy)

C:\Program Files (x86)\txt to epub converter\epubfiles\META-INF\is-OU0ID.tmp

C:\Program Files (x86)\txt to epub converter\epubfiles\is-4I22N.tmp

C:\Program Files (x86)\txt to epub converter\epubfiles\mimetype (copy)

C:\Program Files (x86)\txt to epub converter\is-736GC.tmp

C:\Program Files (x86)\txt to epub converter\is-BLQUI.tmp

C:\Program Files (x86)\txt to epub converter\is-IAGUC.tmp

C:\Program Files (x86)\txt to epub converter\unins000.dat

C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\TXT to ePub Converter.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\Uninstall TXT to ePub Converter.lnk

C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Function 00409B78 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Function 0040AAB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Function 0040AAA2 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 004099EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 0040A814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Function 0040A82F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON