Edit tour

Windows Analysis Report
ALC700V1.0.0.7a.exe

Overview

General Information

Sample name:	ALC700V1.0.0.7a.exe
Analysis ID:	1447844
MD5:	44a0ff24ec7706b11ad67c11c0afc666
SHA1:	70c7ececcf65c4cc292f4e3afbc3e8e4d2ff2d4f
SHA256:	8051763b55989582af9a7918644077623332b3f6298c4ae2399f4c2f1430d8ae
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

ALC700V1.0.0.7a.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\ALC700V1.0.0.7a.exe" MD5: 44A0FF24EC7706B11AD67C11C0AFC666)

msiexec.exe (PID: 7668 cmdline: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7704 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6676 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AE1C5CB6EAA2F7204ACFFD8FF0580D22 MD5: 9D09DC1EDA745A5F87553048E57620CF)

ISBEW64.exe (PID: 7204 cmdline: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECFD35B4-EE7C-4A3E-8C20-772B5E9C8DE7} MD5: 2A276BA2B7782476302C59D0F760F4BC)

cleanup

Sigma Signatures

Sigma detected: Suspicious Execution From GUID Like Folder Names

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe", CommandLine: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msiexec.exe, NewProcessName: C:\Windows\SysWOW64\msiexec.exe, OriginalFileName: C:\Windows\SysWOW64\msiexec.exe, ParentCommandLine: "C:\Users\user\Desktop\ALC700V1.0.0.7a.exe", ParentImage: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe, ParentProcessId: 7572, ParentProcessName: ALC700V1.0.0.7a.exe, ProcessCommandLine: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe", ProcessId: 7668, ProcessName: msiexec.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ALC700V1.0.0.7a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: ALC700.pdb source: MSI8386.tmp.2.dr
Source:	Binary string: \V1.0.0.2\ALC700\obj\Debug\ALC700.pdb source: ALC700V1.0.0.2.exe.2.dr
Source:	Binary string: C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 0000000A.00000000.1942394263.0000000140012000.00000002.00000001.01000000.00000006.sdmp, ISBEW64.exe, 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmp, ISBEW64.exe.9.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_IsRes.pdb source: _isres.dll.9.dr
Source:	Binary string: E:\VS WS\ALC700\ALC700\obj\Debug\ALC700.pdb source: ALC700.exe.2.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_IsRes.pdb0 source: _isres.dll.9.dr
Source:	Binary string: \V1.0.0.3\ALC700\obj\Debug\ALC700.pdb source: ALC700V1.0.0.3.exe.2.dr
Source:	Binary string: ALC700.pdb@@@ source: MSI8386.tmp.2.dr
Source:	Binary string: alc700.pdb source: MSI8386.tmp.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_0043CACF __EH_prolog,GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,		0_2_0043CACF
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_0041768E __EH_prolog,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose,		0_2_0041768E

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 4x nop then or byte ptr [rax-01h], 00000008h		10_2_000000014000E8A0
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]		10_2_0000000140008E40

Source: MSI8386.tmp.2.dr	String found in binary or memory: http://www.SmartGen.com
Source: _isres.dll.9.dr, ISBEW64.exe.9.dr, ISRT.dll.9.dr	String found in binary or memory: http://www.acresso.com0
Source: ALC700V1.0.0.3.exe.2.dr, ALC700.exe.2.dr, ALC700V1.0.0.2.exe.2.dr	String found in binary or memory: http://www.smartgen.com.cn/soft/shuomingshu/ALC700
Source: ALC700V1.0.0.3.exe.2.dr, ALC700.exe.2.dr, ALC700V1.0.0.2.exe.2.dr	String found in binary or memory: http://www.smartgen.com.cn/ziliao.html

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0042DA98 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_0042DA98

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4280a8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4280a9.mst	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{5D00ED55-C696-4760-A65D-39DCD0EDE479}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8386.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4280ab.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4280ab.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\1033.MST	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9182.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\4280ab.msi

Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00416379	0_2_00416379
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00444030	0_2_00444030
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00440540	0_2_00440540
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_0043A7F9	0_2_0043A7F9
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00444920	0_2_00444920
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00440C54	0_2_00440C54
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00442D40	0_2_00442D40
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00440EC2	0_2_00440EC2
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00434E80	0_2_00434E80
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_004432C0	0_2_004432C0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_004438B0	0_2_004438B0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00443BA0	0_2_00443BA0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00441E10	0_2_00441E10
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_0000000140001C90	10_2_0000000140001C90
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_0000000140004930	10_2_0000000140004930
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_0000000140004210	10_2_0000000140004210
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_000000014000A630	10_2_000000014000A630
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_0000000140005230	10_2_0000000140005230

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: String function: 004312B8 appears 322 times
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: String function: 00408512 appears 83 times
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: String function: 00407C06 appears 37 times
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: String function: 00401504 appears 72 times

Source: ALC700V1.0.0.7a.exe, 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup.exe vs ALC700V1.0.0.7a.exe
Source: ALC700V1.0.0.7a.exe	Binary or memory string: OriginalFilenameSetup.exe vs ALC700V1.0.0.7a.exe

Source: ALC700V1.0.0.7a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@8/80@0/0

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0042DA98 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_0042DA98

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0042CE90 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary,

0_2_0042CE90

Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe

Code function: 10_2_0000000140005F00 CoCreateInstance,

10_2_0000000140005F00

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0040B42F FindResourceW,SizeofResource,LoadResource,LockResource,

0_2_0040B42F

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\SmartGen

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\ALC700V1.0.0.7.exe.lnk

Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

File created: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\

Jump to behavior

Source: ALC700V1.0.0.7a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

File read: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI

Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

File read: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe "C:\Users\user\Desktop\ALC700V1.0.0.7a.exe"
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AE1C5CB6EAA2F7204ACFFD8FF0580D22
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECFD35B4-EE7C-4A3E-8C20-772B5E9C8DE7}
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AE1C5CB6EAA2F7204ACFFD8FF0580D22	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECFD35B4-EE7C-4A3E-8C20-772B5E9C8DE7}	Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

File written: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI

Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ALC700V1.0.0.7a.exe

Static file information: File size 17546140 > 1048576

Source:	Binary string: ALC700.pdb source: MSI8386.tmp.2.dr
Source:	Binary string: \V1.0.0.2\ALC700\obj\Debug\ALC700.pdb source: ALC700V1.0.0.2.exe.2.dr
Source:	Binary string: C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 0000000A.00000000.1942394263.0000000140012000.00000002.00000001.01000000.00000006.sdmp, ISBEW64.exe, 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmp, ISBEW64.exe.9.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_IsRes.pdb source: _isres.dll.9.dr
Source:	Binary string: E:\VS WS\ALC700\ALC700\obj\Debug\ALC700.pdb source: ALC700.exe.2.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_IsRes.pdb0 source: _isres.dll.9.dr
Source:	Binary string: \V1.0.0.3\ALC700\obj\Debug\ALC700.pdb source: ALC700V1.0.0.3.exe.2.dr
Source:	Binary string: ALC700.pdb@@@ source: MSI8386.tmp.2.dr
Source:	Binary string: alc700.pdb source: MSI8386.tmp.2.dr

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0042CE90 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary,

0_2_0042CE90

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_004312B8 push eax; ret		0_2_004312D6
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_00431980 push eax; ret		0_2_004319AE

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.6.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\zh-CN\ALC700.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9182.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.5.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\en-US\ALC700.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9182.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700\ALC700V1.0.0.7.exe.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700\Uninstall ALC700V1.0.0.7.lnk	Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0043C8C3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0043C8C3

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.6.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\zh-CN\ALC700.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.5.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\en-US\ALC700.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9182.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_10-6748
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_10-6780

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_0043CACF __EH_prolog,GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,		0_2_0043CACF
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_0041768E __EH_prolog,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose,		0_2_0041768E

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_00423496 GetVersionExW,GetSystemInfo,

0_2_00423496

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe

API call chain: ExitProcess graph end node

graph_10-6749

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe

Code function: 10_2_0000000140007C20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

10_2_0000000140007C20

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0042CE90 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary,

0_2_0042CE90

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_00403D56 GetFileSize,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,lstrlenA,MultiByteToWideChar,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00403D56

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_004369A3 SetUnhandledExceptionFilter,	0_2_004369A3
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: 0_2_004369B5 SetUnhandledExceptionFilter,	0_2_004369B5
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_0000000140007C20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0000000140007C20
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_000000014000ADF0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_000000014000ADF0
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_000000014000B200 SetUnhandledExceptionFilter,	10_2_000000014000B200
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_000000014000AE90 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_000000014000AE90
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: 10_2_000000014000AFA0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000000014000AFA0

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "c:\users\user\appdata\local\temp\{7ee72123-8fb4-413b-85f2-4624f9eae8c0}\alc700.msi" transforms="c:\users\user\appdata\local\temp\{7ee72123-8fb4-413b-85f2-4624f9eae8c0}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="alc700v1.0.0.7a.exe"
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "c:\users\user\appdata\local\temp\{7ee72123-8fb4-413b-85f2-4624f9eae8c0}\alc700.msi" transforms="c:\users\user\appdata\local\temp\{7ee72123-8fb4-413b-85f2-4624f9eae8c0}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="alc700v1.0.0.7a.exe"			Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_004292D3 __EH_prolog,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,LocalFree,

0_2_004292D3

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0042DB6D GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

0_2_0042DB6D

Source: MSI9182.tmp.2.dr	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: ALC700V1.0.0.7a.exe	Binary or memory string: Shell_TrayWnd
Source: ALC700V1.0.0.7a.exe	Binary or memory string: %sSetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLog /z/verbose %IS_V%verboseISSetupSoftware\Microsoft\Windows\CurrentVersion\Run/uninstuninst%IS_T%tempdisk1folder/SMS/sSMS/rremoveasmajorupgraderebootrunfromtemprunas/removeonlyremoveonly/noscript_uninstnoscript_uninst/m1/m2/m/jdefaultinstance=hide_splashhide_progress/f2/fSoftware\Microsoft\Windows\CurrentVersion%IS_E%}embed{/ddebuglog/a/autoauto%s%dkeyLanguagescountShell_TrayWndSplashTimeTahomaCancel%x,ALLCANCELDescriptionTitleMSlovenianBasque%#04x0x0409.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXENAMESETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot\""dotnetredistSp3.exevjredist20-LP.exevjredist-LP.exelangpack20.exelangpack.exedotnetfxsp1.exe0Microsoft(R) .NET FrameworkJ#CmdLine/jscmd:\"""/q:a /c:\" /redistui:F /redistui:SJ#Version/jsharpver:DotNetLangPacks /langs: /coreui:DotNetLangPackCmd /langcmd:"/q:a /c:\"""DotNetFxCmd" /c:"/redistui:F/redistui:S /ver: /q:a /l /q:a /c:"install /q"vjredist20.exevjredist.exedotnetfx20.exeDotNetCoreSetupUILang1033dotnetredist.exedotnetfx.exeisnetfx.exeInstallerLocationSoftware\Microsoft\Windows\CurrentVersion\InstallerSystem is Win9x or reboot is not being suppressed, reboot will be immediateReboot will be deferredRedist return value (%d) indicates a reboot is required, DotNetDelayReboot is %xC:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cppDotNetDelayReboot3.03.0.0.02.0.0.0J#OptionalJ#InstallOptionIfSilentReboot needed: %snoyesDelaying redist reboot...Reboot not suppressed, SuppressReboot set to NReboot not suppressed, SuppressReboot not set and MSI installedSuppressReboot set to Yes or MSI not being installed, suppressing rebootInstallSourceGot file '%s' for MSI engine installinstmsi30.exeAttempting to get MSI 3.0 redist insteadFailed to get fileAttempting to get file '%s' for MSI engine installWindowsInstaller-KB893803-x86.exeMSI 3.1 to be installed, was not installed with redist packageWindows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit.4.05.0.0Msi.DLLScriptDriven*.mst TRANSFORMS="\.mst.mst"TRANSFORMS=TRANSFORMS="Failed to locate ISSetup.dll (%s)MsiAction::InstallMsi - calling Reboot%s /a "%s"%s%s /f%s "%s" %s%s /j%s "%s" %s%s /x "%s" %s/p"%s" %s%s /p "%s" %s%s /i "%s" %s%s="%s" %s="%s"ISSCRIPTCMDLINE="ISSCRIPTCMDLINE%dMsiAction::Reboot command line %s\0001 /debuglog""%s" %s /l%d /t"%s" /e"%s" /v"%s" %s"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s/c/x/p AFTERREBOOT=1Software\Microsoft\Windows\CurrentVersion\RunOnceSoftware\Microsoft\Windows\CurrentVersion\RunOnceExSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries" /%SupportOSSupportOSMsi12SupportOSMsi30/c:"msiinst /delayrebootq""%s" /c:"msiinst /delayrebootq"/quiet /norestart"%s" /quiet /norestart/q"%s" /q2.0.2600.0Installing MSI engine %sInstall does not use scriptInstall is script driven (ISMSI)Install is basic with InstallScript custom acti

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: GetLocaleInfoW,	0_2_0042DCF0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,	0_2_0042DC93
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: GetLocaleInfoA,	10_2_0000000140010B70
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	10_2_0000000140006FA0

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_00417A58 __EH_prolog,lstrlenW,wsprintfW,GetSystemTimeAsFileTime,

0_2_00417A58

Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe

Code function: 0_2_0041946E __EH_prolog,GetVersionExW,GetTempPathW,GetWindowsDirectoryW,

0_2_0041946E

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	32 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	2 Process Injection	1 Access Token Manipulation	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	4 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	26 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ALC700V1.0.0.7a.exe	0%	Virustotal		Browse
ALC700V1.0.0.7a.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll	0%	ReversingLabs
C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx	0%	ReversingLabs
C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx	0%	Virustotal	Browse
C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll	0%	ReversingLabs
C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll	0%	Virustotal	Browse
C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	0%	Virustotal	Browse
C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	0%	ReversingLabs
C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe	0%	ReversingLabs
C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe	0%	ReversingLabs
C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.smartgen.com.cn/soft/shuomingshu/ALC700	0%	Virustotal		Browse
http://www.SmartGen.com	0%	Avira URL Cloud	safe
http://www.SmartGen.com	0%	Virustotal		Browse
http://www.smartgen.com.cn/ziliao.html	0%	Avira URL Cloud	safe
http://www.smartgen.com.cn/soft/shuomingshu/ALC700	0%	Avira URL Cloud	safe
http://www.acresso.com0	0%	Avira URL Cloud	safe
http://www.smartgen.com.cn/ziliao.html	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.smartgen.com.cn/soft/shuomingshu/ALC700	ALC700V1.0.0.3.exe.2.dr, ALC700.exe.2.dr, ALC700V1.0.0.2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.acresso.com0	_isres.dll.9.dr, ISBEW64.exe.9.dr, ISRT.dll.9.dr	false	Avira URL Cloud: safe	unknown
http://www.smartgen.com.cn/ziliao.html	ALC700V1.0.0.3.exe.2.dr, ALC700.exe.2.dr, ALC700V1.0.0.2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.SmartGen.com	MSI8386.tmp.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447844
Start date and time:	2024-05-27 09:04:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ALC700V1.0.0.7a.exe
Detection:	CLEAN
Classification:	clean6.winEXE@8/80@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 118 Number of non-executed functions: 232
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	173862
Entropy (8bit):	5.201146859738381
Encrypted:	false
SSDEEP:	3072:SK3k2ReaS9DF3f5Q4wZhTaC6zbV80c1NH+menPpAoDKyR1:W
MD5:	6CA637AEE23B1A8FD0535FD0A2CE16A3
SHA1:	3BCC83930B4B9656B52625382F9C7C73AE601598
SHA-256:	8B003D9BEBC877ACC16476F1B1B72E91895A99A2EFE33E929C336155AEE26E3F
SHA-512:	306AB89CD25B014B2B51292EB495C856A73090323CD4C4F56C7610B938F3281B0BC4BDC54C209A068A1CC0E7A4F4CF134873C5882FFD34539EB20D4381BAF239
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}..ALC700..ALC700.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{7973D285-7AA2-4EDE-87C5-CA3773168D3B}.....@.....@.....@.....@.......@.....@.....@.......@......ALC700......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{43E17A22-E4F0-4F20-BB7B-03C0074D0BB7}&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}.@......&.{F5A447FF-5CA5-4162-98A3-D68DA1224A71}&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}.@......&.{024AC572-ECAA-4063-9908-1860695C9F95}&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}.@......&.{9CE638ED-3BFB-44A7-A289-1CBCB8B565EF}&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}.@......&.{36B93333-1BBC-40A5-A331-4B17B5C96369}&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}.@......&.{DAD3E665-CC41-4A97-8579-3A0AC703B7D0}&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}.@......&.{364E13EE-77FB-4D78-8379-AE45BF6EBABF}&.{5D00ED55-C696

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.application

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (550), with CRLF line terminators
Category:	dropped
Size (bytes):	1615
Entropy (8bit):	5.21396893258866
Encrypted:	false
SSDEEP:	48:3B9oLwOw8jZcTa8gaopEb5l35gXn6N0kkQdWoITw:xWLwO9ZcTzQEb5l3kSks
MD5:	1AA1B35AEB311EEFF9E531A31A394DA6
SHA1:	319CA557EE7D5E176599EF23E7D96DBE6996B3B5
SHA-256:	72B23437583F734AFEBF82C80B651A093E33FB05BFD40E2396E3963007273D7C
SHA-512:	23788ECC7158902218C9494F49BC9EEF363DC71DACF39172255F00BC9B7D78D17CEFC48EDA941F37B8C4F28C10BE81377A9D409D6C61C6137D8B72B324C7CD8C
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ALC700.application" version="1.0.0.6" publicKeyToken="0000000000000000" language="neutral" processorArchitecture="x86" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="Sky123.Org" asmv2:product="ALC700" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="true" mapFileExtensions="true" />.. <dependency>.. <dependentAssembly depend

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3449856
Entropy (8bit):	6.296871784624912
Encrypted:	false
SSDEEP:	49152:OFdPlh9Ygh2aGRGdcVMOTNKcMu6SieavOvYvmv7G4gHmAXJ6nyGWGdGpGdGqG7Gr:O/D91
MD5:	EAA39D4C21A2C7B0AA9D5CCB376E9E34
SHA1:	033B8D58ADCF2C3D7C584AC12AD546089CDE32EA
SHA-256:	8181AAFFD18D35B53F31469CE00CCBFFC30D03BEC50E6475DAABBBE3655387CF
SHA-512:	D55CABA972C220491A74A06DD4240B3C0AB8219A24B08177F63FB9F7ACD54D19144D8B9508B6BF344BFC89A2EEB26A55510C91ADCCB9CBAF3EBB81B9FFC14B97
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O[na..................4..........4.. ....4...@.. ....................... 5...........@.................................\|.4.O.....4.......................5.......4.............................................. ............... ..H............text....4.. ....4................. ..`.sdata..`.....4.......4.............@....rsrc.........4.......4.............@..@.reloc........5.......4.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe.manifest

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	7375
Entropy (8bit):	5.351823984193044
Encrypted:	false
SSDEEP:	96:xWLwOhoyTKvYR2Mi5tl9Jvyqik7kZukbkmkmzkK7k4tk61k7D:oRfRpi5tPzLwZPQ3PKw4u6G7D
MD5:	63A5910B6C777C48C904B28940643E0C
SHA1:	451762F0F0C821D4B4C8FCA77A4D7FADCFC1CD0A
SHA-256:	5C99A7D3EA673BFA722F60F951FE93D9E68FE1E2A4BC7C322A6855F89EA14E09
SHA-512:	3F716758B3EE84296C57C89880A40AE91C223F19D057B6308DD2FC594BCC8C9449C9B4E91C1E634604B8152039D0FC2753E4F798D774B787580182E03FCBC50A
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ALC700.exe" version="1.0.0.6" publicKeyToken="0000000000000000" language="neutral" processorArchitecture="x86" type="win32" />.. <description asmv2:iconFile="ZZE.ico" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ALC700" version="1.0.0.7" language="neutral" processorArchitecture="x86" />.. <commandLine file="ALC700.exe" parameters="" />.. </entryPoin

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.pdb

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MSVC program database ver 7.00, 512*1167 bytes
Category:	dropped
Size (bytes):	597504
Entropy (8bit):	4.441356575186531
Encrypted:	false
SSDEEP:	6144:iuWgs+bjkj4yhnWlIyvSK7+ykGFxHAOrRX0VxRDOxXca6w0zq76/kuVkWmR9RUJf:iaJXF6irJ
MD5:	A51174B31566A9518C9E19D29D7F499A
SHA1:	6E29AA7D96BD1E69A6C3C27AB50CC0B83079CF61
SHA-256:	28F4C9A4AA3F8DDE1F8CE2B9B3C270C06AEFCF30016997B6153B080EAF9C8F55
SHA-512:	1FFD4993909BF695875D23EFBB908039CE1D824E3B73253C3D27D113FF75D3AE4CEE09F6788D63BFE99CE8175A7A2585188776FF4DBAA82D18C58A7CE0EACB23
Malicious:	false
Reputation:	low
Preview:	Microsoft C/C++ MSF 7.00...DS...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.xml

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2098
Entropy (8bit):	5.815594719587708
Encrypted:	false
SSDEEP:	24:8oyl02VWBZDDKvl0231ZvKpKtyy6R9kF7AE6Ktyy6Mwm91Ktyy6WLXgZuFBVmH/U:Wl0IWCvl0hpOfADOD91Oc2qHmb
MD5:	9B651C80942135AF9660A17169353ECF
SHA1:	508999B7CF998F6D8BB020C1A4A0DFDB65BF6472
SHA-256:	B5F99A5586591A793C53E5B7650033868D7622D8F05C26A4DAC3C8A90AC707F7
SHA-512:	453FE41CB3097F7BC5CD81F2B00F4BCB4DA09F3FD71115C3E1DD05D2CDC46CBD9965134878BBEC0AF6C3F65D72D94B3B97B464F4C9F79477CA877AA58B8C6CD6
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0"?>..<doc>..<assembly>..<name>..ALC700..</name>..</assembly>..<members>..<member name="M:ALC700.Common.changeLanguage(System.String,System.Windows.Forms.Form)">...<summary> .. ...........................MDI... .. </summary>...<param name="languageName"></param>...<remarks></remarks>..</member><member name="M:ALC700.LanguageHelper.SetLanguage(System.String,System.Windows.Forms.Form)">...<summary> .. ............. .. </summary>...<param name="languageName">....</param>...<param name="frm">Form..</param>...<returns></returns>...<remarks></remarks>..</member><member name="M:ALC700.LanguageHelper.ApplyResouce(System.Windows.Forms.Control,System.ComponentModel.ComponentResourceManager)">...<summary> .. ............... .. </summary>...<param name="control">......</param>...<param name="res">.......</param>..<

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3197440
Entropy (8bit):	6.324158410758386
Encrypted:	false
SSDEEP:	24576:uL94+yWQOpsUHbbbZavgRGAyuHz3D/L+RLpt8OfvMxMleDBe:uLW+yWQOuUHgvgRHyXLptvMxMleDB
MD5:	85430446212BE29CBEC16555318C20EE
SHA1:	BC6C7604B69AF3F21FD4F98D666C51A0BBA92990
SHA-256:	4B3EF03DBE8BF50D523EC95AB668A49CCAC83B46FE7D5D3FF845E96D47210DF8
SHA-512:	9E707BF123E4CD01F60CC9345D5EB3DBCE4A6AABEC5104F0137DD1315E5A6E505FE89E5432703AF264F5BDBFD6F18B14B71AC3B9AB8BA86C78CEAC6C7D0E0A22
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Q..................0...........0.. ....0...@.. .......................@1...........@...................................0.W.....1...................... 1.......0.............................................. ............... ..H............text...$.0.. ....0................. ..`.sdata..s.....0.......0.............@....rsrc.........1.......0.............@..@.reloc....... 1.......0.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3373056
Entropy (8bit):	6.288485377725002
Encrypted:	false
SSDEEP:	24576:OAXyLh4+yWQOpsUHbbbZigKs1GBjnLvMxpleDuU:/XyLa+yWQOuUHkgKeefvMxpleDu
MD5:	E3B12B2F149176B0F146DCFA0CC4C2B3
SHA1:	6B336E084D58374BB83662516B6EF8FDC953509F
SHA-256:	340EC9B4FDA2F91C099C2E07A3C6A3A8F6634ADCED2F9B48CD673DB986D5C77D
SHA-512:	EDF804BCE9293C7817773F55A178DC9ABAE4039D19CE1B062ABA51816DAA3C6EFA43C282A0B1C6F47C0D554E347748096B028F7545A86DB51D218BD81C21B664
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......R.................h3...........3.. ....3...@.. ........................4...........@...................................3.K.....3.......................3.......3.............................................. ............... ..H............text...4f3.. ...h3................. ..`.sdata..s.....3......l3.............@....rsrc.........3......n3.............@..@.reloc........3......v3.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.4.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3394560
Entropy (8bit):	6.2881345765522
Encrypted:	false
SSDEEP:	24576:tgEnAVL94+yWQOpsUHbbbZwcIoz+D6Fa7vMxpleDuW:tgEAVLW+yWQOuUHepVvMxpleDu
MD5:	3473FF1773D2E2E74926838467D24188
SHA1:	0BA5FD718BE469A0AC6703B177545187683F9AD5
SHA-256:	0D7FD069AC2437664D54F792A05A6DE287E45842EB19B8305F011DB579D73F8D
SHA-512:	8875B6EC4F52F3C07F1412E3B8ADB6CC3ED2146828995896813914494E0393AABFF9B899104A62BE759B6C875B4FB12B362E57C8C082BCE9399BC8DBAC24DD4A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.S..................3...........3.. ....3...@.. .......................@4...........@.................................8.3.S.....4...................... 4.......3.............................................. ............... ..H............text.....3.. ....3................. ..`.sdata..s.....3.......3.............@....rsrc.........4.......3.............@..@.reloc....... 4.......3.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.5.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3423232
Entropy (8bit):	6.301775254593338
Encrypted:	false
SSDEEP:	24576:UEgZmiFdBn9lZjCej/y1En4lGWvMxpleDfH:3gAiFdPlh9Gu49vMxpleDf
MD5:	7BB55AC8B156B3617E10DFFF05D39B4D
SHA1:	3825927C725577D4E628306E2DD82EBA69876598
SHA-256:	E159C8B84B3F33C85254D7A4BC15C91852BB669FD31190FE6B6E931F5D66018A
SHA-512:	A5CFFCC01D716DE778EA8C37BC45C891BDCEB5B9E9BD5FF764CC9288531D5CC3D3869D33388A055113E8CCF3F8299794A95EA54E1ABF03A8DD38E95C073B0318
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dZpS.................,4..........J4.. ...`4...@.. ........................4...........@.................................<J4.O.....4.......................4......`4.............................................. ............... ..H............text....*4.. ...,4................. ..`.sdata..s....`4......04.............@....rsrc.........4......24.............@..@.reloc........4......:4.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.6.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3454976
Entropy (8bit):	6.298296921260487
Encrypted:	false
SSDEEP:	24576:9guFdBn9lZjCejNTM1xbtbnnvMxpleDG/:9guFdPlh9p45bnvMxpleDG
MD5:	3084445359A521FA0E863536D39F504F
SHA1:	1329C74C171322ED4C9C092822E00BA9EC412AA3
SHA-256:	B4E27613EB1D0A40AF5C4792091ABBD43A219EBF83BB5AFABCF0C9151708B9C5
SHA-512:	D2BDAAE68C83C5DE4A9E2AE94CFFBF24D99BBDA952AAEB22277457CE0FF414A793F2829670AF8BCAB31AFCC5D0C8982AEE05587C146AE772C38A99F8F08A5019
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....vT..................4...........4.. ....4...@.. .......................@5...........@...................................4.W.....5...................... 5.......4.............................................. ............... ..H............text.....4.. ....4................. ..`.sdata..s.....4.......4.............@....rsrc.........5.......4.............@..@.reloc....... 5.......4.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	4.778867082655252
Encrypted:	false
SSDEEP:	1536:orVdP/NyoZzi7d+MAyCEA0sC7EJw04okomeRgoDWa9vn/pEwcraGWjievOPiyDds:orVRNyo1iGvnRE1mGWjiGQ4G8
MD5:	6AF442D9D639E0D876E56F879999EAAF
SHA1:	AD4C9ABFB7818941BA135739E8CB02294F6B7B70
SHA-256:	E0B2292A28C4DE1168FD14A6CA9B093D033F97E2B5C9FE7E8A1CE799F731E1E2
SHA-512:	A7EE0442289908E1D89F7FCE8E81160B6D1F0166031C97AF68C65D0A4FD010EC8544948387B3CAC5835D65E981D263AFC404D3B10AD5D794C4600FEFF89D8032
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......;...........!......... ........... ... ....@.. .......................`..................................................K.... ..`....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...`.... ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Help_CN.chm

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	1110096
Entropy (8bit):	7.9910251258340335
Encrypted:	true
SSDEEP:	24576:pdF2QZ9zeSKzYRuaXoRtf5Ml07gJe6h4ws+ZT458Y:XIQ/zGzYRua+jMlmX6s4PY
MD5:	8AEB7FBBCAAFDC01EEF42E45B2AB8229
SHA1:	C3DBA1D427B5E02E35BDCBD57A15643543EED61D
SHA-256:	61E7D22FC05A97A36E189E8D801C202DAB2339B6D5FC30A40375C89B4371C0DC
SHA-512:	EA7D6B2B52D5F413B7E40B87DB0753C3BF8CB1CEE243DD6CE8E5062CA05C490269F0B27D4C3ED5CB11D0F1A367C2DAB976D45568BF33855910B8DF551A060034
Malicious:	false
Preview:	ITSF....`.......\..........\|.{.......".....\|.{......."..`...............x.......T0.......0..............P...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR..._.../#ITBITS..../#STRINGS....../#SYSTEM..F.../#TOPICS.._.`./#URLSTR..g.#./#URLTBL..?.(./#WINDOWS...3.L./$FIftiMain..."..=./$OBJINST......./$WWAssociativeLinks/..../$WWAssociativeLinks/Property....../$WWKeywordLinks/..../$WWKeywordLinks/Property....../1.htm..1..<./10.htm......./11.htm...#.H./12.htm...k.../13.htm...x.H./14.htm...@.../15.htm...N.:./16.htm......P./17.htm...X..L./18.htm...$..}./19.htm...!.5./2.htm...w.../20.htm...V.../21.htm...u.../22.htm...u.../3.htm...z.../4.htm......./5.htm...".>./6.htm...`.../7.htm...a.../8.htm...w.T./9.htm...K.S./CHM.hhc...m.Y./CHM.hhk...F.1./Help_CN2.files/..../Help_CN2.files/image007.jpg......4./Help_CN2.files/image008.jpg...;..../Help_CN2.files/image009.jpg...M.q./Help_CN2.files/image010.jpg...>.o./Help_CN2.f

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Help_US.chm

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	3117198
Entropy (8bit):	7.997742544226403
Encrypted:	true
SSDEEP:	49152:gGHQv1hYy8yG2IefKGYA4+czmhchoOsjm/Y9QiPUSCgEtuffy5dTBGnLIjG/n6/x:gkA5QA4tKqmAJfucTBGnMKCJ
MD5:	D168E7C65D50F2109DF9AF07D0C964ED
SHA1:	21D6535CCD65EB0E71510D192687D06B1663447C
SHA-256:	8844685D10FF72067D2B6D8E86F786FDF1C6F27B07CEE2D9822CB3FAAA06A517
SHA-512:	37FEBED1B1DB9A8A4B9E738295D59144555719D38537DBC791F86BA241C11951DA37E00569AEBDA4D248FFAFC94C31E9763264A8821E37DD7CAE50D4E9D1404D
Malicious:	false
Preview:	ITSF....`.......W..........\|.{.......".....\|.{......."..`...............x.......T........................./.............ITSP....T...........................................j..].!......."..T...............PMGLE................/..../#IDXHDR...s.../#ITBITS..../#STRINGS....f.../#SYSTEM..^.../#TOPICS...s.p./#URLSTR....W.../#URLTBL....c.t./1.html....f./2.1.1.html..f.a./2.1.2.html..G.E./2.1.html....../2.html..).N./3.html..w.../4.html....<./5.1.html..R..Z./5.2.html...,..,./5.3.html...U.../5.html...X..}./6.1.html...U.."./6.2.1.html...k.b./6.2.2.html...M.V./6.2.3.html...#.K./6.2.html...w.../6.3.html.....+./6.4.html...3.../6.5.1.html...n.7./6.5.2.html...%.=./6.5.html...F.@./6.6.html.....$./6.html...*.t./7.1.html......./7.1_clip_image002.jpg....R.g./7.1_clip_image004.jpg....9.../7.1_clip_image006.jpg....I.`./7.1_clip_image008.jpg....).d./7.1_clip_image010.jpg......w./7.1_clip_image012.jpg......3./7.1_clip_image014.jpg....7.E./7.1_clip_image014_0000.jpg....\|.E./7.1_clip_image016.jpg....A.2./7.1_c

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Init.ini

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	161
Entropy (8bit):	5.129513093885892
Encrypted:	false
SSDEEP:	3:Q4aRn4usqvYysA3wgEovWxMGyKylv1uGylOa/Bv/hYi:Q4S41ByDwPovwMv1lylvRd
MD5:	BC2F5B62E98F31CEDF69E544BF53CD79
SHA1:	E17C124CBA81A11A50597E1A74450A274B494446
SHA-256:	12DACCF8049F9E08A4AA157182325B4FAC25499A17BA4C13C25D95FDF157FBCC
SHA-512:	D04FA1FA179E6EE2EDFE291296D58AC4A55D5BA9B93E59D854C1AE6FAB0681FF82C8EBEF6FCACA38DF81EB56F279FF544F1F9BE49F8825AD24D8CA15AF02E0E0
Malicious:	false
Preview:	...=ALC704......=0.....=USB........=9600.......1=.......2=0.......=..........=...............=116..........=23.........=-9..........=54.........=80..

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	253952
Entropy (8bit):	5.706427679675376
Encrypted:	false
SSDEEP:	6144:PI3qFgTuBEfCNIbGJsH6VQj+R0vSd4rWZcXKljAB2vMdyrD1Nff8SWHQI5MAbwgh:g3qFgTuBEfCNIbGJsH6VQj+R0vSd4rWG
MD5:	4B870FDC576848D4F7CF137E1199D793
SHA1:	C7E5C399AB3E3370F19EDC035C212CA007F20148
SHA-256:	F3803F6F1E85685B0C17D22331E11E9C9BB2C6DFE93C8710A2228B50C8E80CDB
SHA-512:	BB67D63A474544740D6C5F7869B276485C2E51744BA37C301EA473CAB482BABE640AC052C5CD7E91CEFE3F4BC710ECAF9B9182FD200C7ABF02A6EC0D42972066
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K[na...........!......... ........... ........@.. ....................... ............@.................................X...S.......@............................................................................ ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\PrintConfigTemp.hgm

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	68878
Entropy (8bit):	6.023326180038263
Encrypted:	false
SSDEEP:	768:kdYxYdmZZt7WjK9rEsJ2rIFyXnwlW78pWWDsLF6HcpHcpy3w9illYLuxU3KKtw/7:i+o
MD5:	31471970D3B970C326EC24DD84DD5EA3
SHA1:	CD5C2E0232152E488BA55625E6075B47DABBB324
SHA-256:	BB556FDE8808516E2056C4E4B604AEF8DD4095578EC57718A5375A6C62C52480
SHA-512:	79EA497A0F34AA8C99BCBC8EA5B5975A855A70B43820F9AF5559D98D0AA493424392D4266B589F45392014BEE5E9DD827129885237EC71085BF5B19934A21C06
Malicious:	false
Preview:	.........=HMC9000.........(s)=1........(s)=1........(s)=0.......(s)=8..........(s)=10............(s)=10.............(s)=0............(s)=10............(s)=10............(s)=0...........(s)=20............(s)=0........(s)=5........(s)=5........(s)=5..ECU...=.................=00 .........SPN......=1............=118.............(r/min)=1500............(%)=90.........(kPa)=200........=3...........=.............(%)=25..............(kPa)=80................=.........5...............(%)=85............(s)=1...............(%)=90...............((%)=92................(%)=115.............(s)=1................(%)=110................(%)=106..............(s)=1..............=1..................(%)=160.........(V)=24.0.....................(%)=125.....................(%)=75.....................(%)=125.....................(%)=75..................(%)

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2602496
Entropy (8bit):	6.685673667359496
Encrypted:	false
SSDEEP:	24576:TFXf8Gj8pJZcM6mFTrQt3A/tUQ07oigDGHxVzDOVlhfK71SVr5rEACGl5CHHsPXb:TbmJG3ZeDGHx1+q+3TCHHsPX
MD5:	25BAD502690E6C772AC1262EB9270EBC
SHA1:	46F415A2ED1FAC2F129DA48B09DA2DE4BFB67500
SHA-256:	A0379A3E4B31AABB5C9EF530A000FE2F10809BE396E1FC431A230DF391F01756
SHA-512:	139A6589ED98B903B561625A5616AC3094D508DAA7D1BFB05450CE57B0587F74EF46DA076327E18521A818F3E218CEA10349F2E675F3A6186DFF0EB1306A11D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................... ......X.............BP.........................0(......................................P....... ..2/...........................p...-...........`......................................................................CODE....p........................... ..`DATA.....:.......<..................@...BSS.....e"...............................idata..2/... ...0..................@....edata.......P......................@..P.rdata.......`......................@..P.reloc...-...p......................@..P.rsrc................4..............@..P.............0(.......'.............@..P........................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\en-US\ALC700.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	368640
Entropy (8bit):	6.012829694053447
Encrypted:	false
SSDEEP:	3072:OFARt6E7eLKYNIcseAsUJejOCz1LaZPW5g1w9I8l9iRNMnO9DsXqRIb+YORW4t8L:0x5KWPPQp6BLL/nA
MD5:	7A9D9BF0217540D195E7DC2D904D98AB
SHA1:	1CD5ADBBD450055D82E34A980F8E4BBAC9ED52AA
SHA-256:	1C9219E34E6AA03AE4AAF8D04E5A90CD6AD8BC5158B74266C07ACDA399AA7B27
SHA-512:	F852EAAA474FE6ED5D755083EC37BAF0045648D66CC7BFBB0C9C9D41C598B16E1AEF5ED80717DC8C8360A46126A2A4BF47B20C08C4E91056559BA3F8A88BD754
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O[na...........!.....p... .......... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....e... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\fonts.h

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	6.251928355735754
Encrypted:	false
SSDEEP:	12:scG/Aw2tJyLCZSyl+resU17LD1vZNExFojZFpmtSf2LdJp6Wd:gYtJJsyl+CsUZn68jZFn4Lp6Wd
MD5:	99FBD729BA76550E00510BB9F284E434
SHA1:	400ACD1F6AA5E639D1371B50E3F22C9CFA3EF858
SHA-256:	4B7F070D6765FCB9234BAB4E7F71D6F075DAACC9D45CF126FC16438D117A0304
SHA-512:	E29E1BE1C1D412D336FD83A49160BF32CBAAA2FF18850C8A8017ED624EB8AC604A947BB4E5827A619ECFCE7627355C78FDB9FAC9276EB0B4CB48F0946E218AEC
Malicious:	false
Preview:	../........................................................................................................................................................................................................................................................................................................................................................................................H........................................................................../..

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\fonts.h.bak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	6.237101513627401
Encrypted:	false
SSDEEP:	12:scG/Aw2tJyLCZSyl+resU17LD1vZNExFojZFpmtSf2Ls:gYtJJsyl+CsUZn68jZFn4s
MD5:	A2C1CC2556B3AE240C2DA4CE595633E9
SHA1:	3505D2E404F5F8068EDB9EE3E10C9A851D7947E2
SHA-256:	F3A547F395B567A4B7C6FE4D0A1DAF8E118876705D81155C53DCC44F332B1991
SHA-512:	A0D4816DE79D3C96464C0479A339215CF50C2D35913D6436FE72F99B182EA8A136E4292B07763E7FBE6C4B62F569375E27284A7F2BCDFC73245EB0518245065C
Malicious:	false
Preview:	../........................................................................................................................................................................................................................................................................................................................................................................................H....................................................../..

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25592
Entropy (8bit):	6.259091793464019
Encrypted:	false
SSDEEP:	384:PxrmnjOXjWQCEKxeiQCR3xbLslvpNj45+WFWWQnELKt8Cu1jk:Jmnj8jWteByhQfNj4bNU8Cu1jk
MD5:	3063029568589FB9B0A420E7F7FC514C
SHA1:	636CC773C585873605CE96C29C5F75ED5096EA63
SHA-256:	0C6E331B6BBD8CC3807720AE097A5C7DFA3EE71CA03FA2EEAFCE041E49690AEF
SHA-512:	C393CED120E916A08DEF9F86C08256432BFE2E9C6338AA992CFC621E0BF557483B8EC483A9A67C77987169C68767EE76CECF6D859197F63BE844735668885C56
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a].F...........!.....8...........V... ...`.....k. .............................."d....@.................................LV..O....`..@............@...#........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...@....`.......:..............@..@.reloc...............>..............@..B.................V......H.......`%...0...................$.......................................................................................................................................................................................................0.."...........{....9........{........og...*...0.."...........(........ ....}.........}.......0............ ........... .... ...... .... ...... .... ...... .... N..... .... ...... .... ...... .... ...... .... ...... .... ...... .... F..... ....

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\zh-CN\ALC700.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	5.354935533267553
Encrypted:	false
SSDEEP:	3072:mITtIIgvuYw1MW7A0RIC5mYw1uFOCSYwF+aXAs9ALcMAHNV9N:m/vS+
MD5:	6D4338ACA4AD3C9AFA08C1D4BF1F8AFE
SHA1:	00297D6F7532D9F72EDCB39231AA682952B70B35
SHA-256:	0A65F5FCF25BE42A43A9CBE007E09C5BF160716B5FAF20E707AAA7D2B16356C2
SHA-512:	A9B1C72B66D44E511A7388E0D2503C20DEEBBA19FC88B000E070C3396BBDCD24BD00886B105CDDCB866C2AD1F01F2910224937D5214971C0E4AE89A03BC4E3CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O[na...........!......... ......N.... ........@.. .......................@............@.....................................W............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700\ALC700V1.0.0.7.exe.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2771
Entropy (8bit):	2.7900478298134055
Encrypted:	false
SSDEEP:	48:87n7i7x7XhFmcdEj5FmfCMSH4vSOUWFm:877i7x7XhFmVj5FmfDUWFm
MD5:	1521A8AD7E0F5E2A82DC17A3236D935B
SHA1:	D61F1C939C077AAE6ADB4CF037112696A2E468A2
SHA-256:	49F80F26C0D77F059AEF55D202CA4EBC282E9C361FAC19BDAEB7E47488D81616
SHA-512:	4A0788B414F91BF595A4DA05626407AC1659A00EEC60CC5152F51F8426D8A5EE52FA8D66068AB4C46F5151522B0985CAC2266B153A93C677D8F3BFF97B216D11
Malicious:	false
Preview:	L..................F.P......................................................#....P.O. .:i.....+00.../C:\...................V.1.....DWO`..Windows.@......OwH.X.8....3.....................!...W.i.n.d.o.w.s.....\.1......X.8..Installer.D......O.I.X.8..........................@...I.n.s.t.a.l.l.e.r.......1......X.8..{5D00E~1..~......X.8.X.8....d+.....................v..{.5.D.0.0.E.D.5.5.-.C.6.9.6.-.4.7.6.0.-.A.6.5.D.-.3.9.D.C.D.0.E.D.E.4.7.9.}.......2......X.8!.ALC700~1.EXE.........X.8.X.8.....2....................@...A.L.C.7.0.0...e.x.e._.7.A.1.B.2.C.9.5.1.3.F.7.4.4.C.F.B.0.D.2.9.E.C.2.A.2.8.A.0.3.5.D...e.x.e.......}.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.5.D.0.0.E.D.5.5.-.C.6.9.6.-.4.7.6.0.-.A.6.5.D.-.3.9.D.C.D.0.E.D.E.4.7.9.}.\.A.L.C.7.0.0...e.x.e._.7.A.1.B.2.C.9.5.1.3.F.7.4.4.C.F.B.0.D.2.9.E.C.2.A.2.8.A.0.3.5.D...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.m.a.r.t.G.e.n.\.A.L.C.7.0.0.\.V.1...0...0...7.\.k.C.:.\.W.i.n.d.o.w.s.\.I

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700\Uninstall ALC700V1.0.0.7.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Mon May 27 06:05:15 2024, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
Category:	dropped
Size (bytes):	1959
Entropy (8bit):	3.8632883357063372
Encrypted:	false
SSDEEP:	24:8WIWJRjyb9dACwS+sxhDu+MFhDrIK+S0g4WFhDrIKYcUjaLyfm:8WIWzeb9W4x05FJl+SeWFJl9+
MD5:	F6153D2AAED83FBDF95FC7F58A711501
SHA1:	AC80593AEAE56492E88FF62404BDC9D9990B98C0
SHA-256:	DF24B9A279FEA00209C99CDC2579BAEF7D75289236DDC027CA479ECA5ED0A49B
SHA-512:	0473410EA7B0F4BDCFBFB8582FB2C94D85A3CFD80ED5CD78FCB94F262F1E0FCDBC61DDDC1D98DDCACDE631257F93225B3842280DBEB9B28B5BEDEFCE130BD340
Malicious:	false
Preview:	L..................F.@.. ...25.......9....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWO`..Windows.@......OwH.X.8....3.....................!...W.i.n.d.o.w.s.....Z.1......X.8..SysWOW64..B......O.I.X.8....Y.......................x.S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBI.X.8................\|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M...........g.hP.....C:\Windows\SysWOW64\msiexec.exe..1.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.5.D.0.0.E.D.5.5.-.C.6.9.6.-.4.7.6.0.-.A.6.5.D.-.3.9.D.C.D.0.E.D.E.4.7.9.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.5.D.0.0.E.D.5.5.-.C.6.9.6.-.4.7.6.0.-.A.6.5.D.-.3.9.D.C.D.0.E.D.E.4.7.9.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.A._.E.A.7.F.3.D.3.D.D.2.9.C.4.6.D.9.B.E.D.6.4.B.9.B.5.6.B.F.F.9.A.D...e.x.e.........%SystemRoot%\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BE

C:\Users\Public\Desktop\ALC700V1.0.0.7.exe.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2753
Entropy (8bit):	2.777253306309835
Encrypted:	false
SSDEEP:	48:8hn7ixepsFnp4dEs5FnpzCMSH4vSeWFnp:8h7ixepsFnpxs5FnpzxWFnp
MD5:	A4ABEE566AD14D7E3DB8D8C2A9B66A3C
SHA1:	F9643AA520C7A9D540E2C45EACC19EB1D0AF05DE
SHA-256:	4E7D3771223182505702AF61B771821B3295D50A3D7CAC8F2AE8E98133D00FAD
SHA-512:	DC37587D382041424DFDEA214FACD62F7AD07803126ABB98B00F14CC3CDD8A7813F800E8B2BDEAF8B133495D18A1D2906CBE64E6F78022C00A0A8544B38542C5
Malicious:	false
Preview:	L..................F.P......................................................%....P.O. .:i.....+00.../C:\...................V.1.....DWO`..Windows.@......OwH.X.8....3.....................!...W.i.n.d.o.w.s.....\.1......X.8..Installer.D......O.I.X.8..........................@...I.n.s.t.a.l.l.e.r.......1......X.8..{5D00E~1..~......X.8.X.8....d+.....................v..{.5.D.0.0.E.D.5.5.-.C.6.9.6.-.4.7.6.0.-.A.6.5.D.-.3.9.D.C.D.0.E.D.E.4.7.9.}.......2......X.8!.ALC700~2.EXE.........X.8.X.8.....4.....................v..A.L.C.7.0.0...e.x.e.1._.2.0.7.5.C.3.5.8.4.5.C.2.4.B.1.A.9.7.3.E.E.F.0.5.1.A.4.9.0.E.7.7...e.x.e.......r.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.5.D.0.0.E.D.5.5.-.C.6.9.6.-.4.7.6.0.-.A.6.5.D.-.3.9.D.C.D.0.E.D.E.4.7.9.}.\.A.L.C.7.0.0...e.x.e.1._.2.0.7.5.C.3.5.8.4.5.C.2.4.B.1.A.9.7.3.E.E.F.0.5.1.A.4.9.0.E.7.7...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.m.a.r.t.G.e.n.\.A.L.C.7.0.0.\.V.1...0...0...7.\.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{

C:\Users\user\AppData\Local\Temp\_is2598.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	1146
Entropy (8bit):	7.814747730128128
Encrypted:	false
SSDEEP:	24:0RZDvq/794FX6XBEwkk2RkQvk9M674gGuIi7gL75Y0:0RZm78X6xE02f89OnBa0
MD5:	09AE52A3F90B7D7438ACCFEF73E7C1EC
SHA1:	CA34AE1AD1885E37EB7EA078F44FE3625F5CE0BB
SHA-256:	410007F62C45A5A1602555F129151F4C2E66265A50741A808F81C56A76ACF352
SHA-512:	81222751FC252B258588694715675D39D3E4E32310BE0C558FC915BD512C896D31538A1B6441714308DEDAE19A626030E591D8B2D1313DF1B5F84265FE2B8AE7
Malicious:	false
Preview:	x..VY..H.~^$...g..\|.KQ=.f..S.l.Byh..z1.m.3Y.o..`..Nv...].._]..Z..F\|m6..@a8]....L..`.u..z...t..ID.C...gZ..[.$=P.i.k.^..l...,?"l......l...(i.~..og!...H.c.H.@9.5......m[...f.c.6.d..$.p.......O.$1...X....I....NH..@..w..wP`9V.T.w......q.e...]..D{..ELJ^...fc..:..x.l..c.].4O.T....a<..p.....h._v....[}.wZ...[]..Z......t\....U...^.k!.B9.y...03...6}.g.K...Z...-..5[.T...>..\.2./.z?..MRV)....tT.A).2..ejk......b.X;&$..yH5\|j.p..m..g.}...W-..N8..q.i..i..9..#.....O.:.a.^.....bUZ.Qe!...kH].B.T...9....SHU...N./..e=!..D/gI<......t..+0.50......}.e...5<.....;.%.2q..a..g..2.@...b...p....m9..st.o...i..-~.v.....JL.._.7..W..M./.....P.....#..>.-.....;!R......m..u... ./...p6..&4.lG...(j0...U.C..(.F.C!....&..4..6....F...e.@.j6JS`...Kw..'.T.c..h.k.o...9.NSZ.0.+.E.]H.i.E*q3..I....<.....8..G.+.....)x.n..W0..%a'.ks...@o.x6...hWQ....3...A.=S.......c....?.Fz...r%..!q....^...\|.>Py \.+.O....$.....#]Kz.H..s~...!...zf.:.1DLa.E.l.0....:0..D..`O..$.%m......I.b.y..$.Y%..........]l.a..g

C:\Users\user\AppData\Local\Temp\_is2599.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	3017
Entropy (8bit):	7.898427159402465
Encrypted:	false
SSDEEP:	48:NGY9Bv1k0kkWAYhE6v7bvuLdewZCgwI4W1Y5C2UIct5o1jwdJmMibcQ7jq4g4zX:Nf9NGkrYmuvuLdRZCaTy5C2Te0EIMjQl
MD5:	AE10F061AF304517F6E3F3157795A5B7
SHA1:	F80822A26461DBCAF29ED0DE91FD41C2BB370C44
SHA-256:	C1C419BE1398ADDBD82F88BE6C3FF810ED04B8C970AB7349B07EC11B07368043
SHA-512:	E7FDD3D5311F521733B8DD076AA18FE6716D91407C9539FEBD42FFE509D48F6E05182FCE548EF9066A12CFE6E3DBE9BD9599962538F9DF1B9686488F24F2F7D9
Malicious:	false
Preview:	x..[.o....... P(....H.z...X..X....E.8.'..E2.c..o;......HV.(.J.qwv...kW.....?.S.+.z..7.4..9..ya..s323.)LnZ.~.fi....dfj..SF.s.<.9.4.=Qx.:o.....&......F.6.(..%....cZ.E......../...............{.Ug....{..{..-qv.N..y.9?(.p.......8_.2....;......7.r4.?...tJ.y..U.0o......d..Y...7....r..I.4>..kz..J/<..OA..z~.1c.......4.. V`.D.l.d.W..# @.).+<...3.....bm.....IF...#....".B.cpd9..2........y..N.....{......'.:.o.h.c...>..k...oQa..2.uXK..].CC.....o..4U+Z....@B.Y.....5q...s......'...}............;.>.7D.Wzrh....w.n.~...a./....g@.o.n~A./....M.X..I.O.#O$....s.4.W[4.1.3.>..h.8V.Yl...._a..4.SA.Md-.N.O.;......d...L]..9......L.}..}..)....K..=._i.<j./Mtw@7...-G...Nh...A#..W...Y..i...P.......s/0....X...h[4z.Ag. .)..k(.x..}.O.@\..q(...^..wj{.Zf...T..g.......p..aCk...=..3..qD.S.@F.....-)~dA2M..A.ZB...h....$.9v<...%i.!d.h.I...\\|o.C...{.....j..3....;...,...h..B...4.....3x..l1.oL..D.%., w.../[...cc.]........#.h.jQRlcc.%......b..R.ZY.s....'..b...[.d..=........V...Z+.*

C:\Users\user\AppData\Local\Temp\_is25A9.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	2776
Entropy (8bit):	7.922598384686625
Encrypted:	false
SSDEEP:	48:05wiKDQV6uEwkpxo7Chvcg29tYOtf0WfiXt5OqVVHifkNdPIbJj1pP:056uexl2fW/XtEqWfkNdPIl5x
MD5:	7FAD844BB39CAC256A39B6C4BD1023E6
SHA1:	C211BC12DB1DF7061E5091AC4B40B4A4A338CDA6
SHA-256:	46AB629A346792DACC46D5500AB0176D03D91B692CCBA8516592FA428F43F383
SHA-512:	D2B79FAD8D7FA3EC1821A77E91CF1DECA2124C39F86FF2F6552894B8C08B53572F99732254101E3F9E12FF7C46C490BA19A28176EEA86C477A5E67EE13907030
Malicious:	false
Preview:	x..YklT.......&..0E\. ..xw..(..h..g.w.~........b.`.Ip7. ...."!.U..R.V.UR.D.. P...].....2..l.7s..m.[U.V6..f.o.93..:..g!.d=...~.Y..,...g'.....O.#<..\|,.w.>...g?.....l3.W.{.'.k<.3x..C..8<..R}.Nx..{.yx.BD.Y..*.+g....`.X;}...4v.....cF~`.?...>y./.....#.^.k,.v.W3.....6c.....,Zq.c....V....l\...[..$.fU`.[...s... ...7.XI..J+(..l`....Z9.W.J.....a..p..\|....Y.1v.g.<..J..M...G'M.Y..-...m}...A.F8:2fl.T..NH..7........9.._.i......N.[..=.zI.E...V'a..}...-..... ......X.g.h.a.H..V.Q..E.'}...X.R.H_\|z<....c.J........r.....h$w....PZ....F...n..'...#....xV.b.\..X@...Rk"r.....l.\.Q..6.....X....F)2..O...,N.L.........<...g.t...cg..,n#N.....`.......h..R.......{E).}.u...?....u(..>O.g...].e&../.....R.9.RN.C..\KcktZ.........>...5{k^j.`.>.W.'..O.........i.rG4....z....5x.$~KO......j..a.2n...gq..y.)..B,.+7..&t'...l...c.7}.?a?.Eb'....C....:.sy.;.A...>B..w.1^..G.5rYzd.a1.m.{.w)-6O"..g.6\k..9.7"...M...bQ.0.?=.33...v8.\|.NcF....n.....n..r..h....Q..D.).w..s;....}..U~wr...{.:

C:\Users\user\AppData\Local\Temp\_is39FE.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	1146
Entropy (8bit):	7.814747730128128
Encrypted:	false
SSDEEP:	24:0RZDvq/794FX6XBEwkk2RkQvk9M674gGuIi7gL75Y0:0RZm78X6xE02f89OnBa0
MD5:	09AE52A3F90B7D7438ACCFEF73E7C1EC
SHA1:	CA34AE1AD1885E37EB7EA078F44FE3625F5CE0BB
SHA-256:	410007F62C45A5A1602555F129151F4C2E66265A50741A808F81C56A76ACF352
SHA-512:	81222751FC252B258588694715675D39D3E4E32310BE0C558FC915BD512C896D31538A1B6441714308DEDAE19A626030E591D8B2D1313DF1B5F84265FE2B8AE7
Malicious:	false
Preview:	x..VY..H.~^$...g..\|.KQ=.f..S.l.Byh..z1.m.3Y.o..`..Nv...].._]..Z..F\|m6..@a8]....L..`.u..z...t..ID.C...gZ..[.$=P.i.k.^..l...,?"l......l...(i.~..og!...H.c.H.@9.5......m[...f.c.6.d..$.p.......O.$1...X....I....NH..@..w..wP`9V.T.w......q.e...]..D{..ELJ^...fc..:..x.l..c.].4O.T....a<..p.....h._v....[}.wZ...[]..Z......t\....U...^.k!.B9.y...03...6}.g.K...Z...-..5[.T...>..\.2./.z?..MRV)....tT.A).2..ejk......b.X;&$..yH5\|j.p..m..g.}...W-..N8..q.i..i..9..#.....O.:.a.^.....bUZ.Qe!...kH].B.T...9....SHU...N./..e=!..D/gI<......t..+0.50......}.e...5<.....;.%.2q..a..g..2.@...b...p....m9..st.o...i..-~.v.....JL.._.7..W..M./.....P.....#..>.-.....;!R......m..u... ./...p6..&4.lG...(j0...U.C..(.F.C!....&..4..6....F...e.@.j6JS`...Kw..'.T.c..h.k.o...9.NSZ.0.+.E.]H.i.E*q3..I....<.....8..G.+.....)x.n..W0..%a'.ks...@o.x6...hWQ....3...A.=S.......c....?.Fz...r%..!q....^...\|.>Py \.+.O....$.....#]Kz.H..s~...!...zf.:.1DLa.E.l.0....:0..D..`O..$.%m......I.b.y..$.Y%..........]l.a..g

C:\Users\user\AppData\Local\Temp\_is39FF.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	23787
Entropy (8bit):	7.9821120715734555
Encrypted:	false
SSDEEP:	384:Fr+QBsI1LuhVm1tTHf3qkOb2xZNBJmsGAWoq1uZpPuVoNrJE7GfpR5p1AMIXSBoI:QZILxp/ak1/s1A+EpPxKqf35cMzOcxJH
MD5:	91E8F2D48BD7CDDBF922E1E7A49747E6
SHA1:	E0D1D55ABD431402451F5245DFEC1E61DCBAF36E
SHA-256:	7328D5DD826154736A7B3F663BDA372A97E1892C4E0FA39BFE7161025CF4F752
SHA-512:	306087C9866CF2CB33A0C870C03390CCDF389ABE554A96EF8CC793F1805DC76822BCEF23D7FB8FF285FF696D1547D261D5B1AA94B868214F099CE15623EA62DA
Malicious:	false
Preview:	x..}.x......4Sl.1..d....&c.,.@..lC..V.#i.jg.b[8NL.I..4RH%...{!=......J.J..K..i..-.....F......s.=..s.\|.k...U...V........B.m.7]g[.....G.yD=~d.......k.....k.....k........./.....I....'.k.S.^...p....p....p/..,.T...?WB.....k.....k.....k.....k.....,..r.c.[).3.....['.=....ig.A.?.w.q.....}...R.q)?.aw.eSk.m..?..Ms..bk..e............_...o.u"..Nd..:.Es(...X..g....}m..>.....M.6.o?E..f..Z...JG......K.-p..R.wC.7.`.\|.[.d...X....e-+[........;.Z.-.?m..#..b.._q..>^.~k....bM.._..=.v..w...b.1+....s....e.o.Y..'V...\|.?....lE..5..1.}.....#f.I.....4y.:..1.....9..D....../......./............t:..2.a.^j...3....b..pb.t..r....f....6;...hp..P..g\...../...........q..\l .fwzI.....rA{R.w.....F...y...gs;.T,....#.\|._f...d.;.^..qS9...r.......%1.zc.P.V?=JM.(Y'.;.a.I...~.S.....s~.....v...x@..Y.W.=....P.D,.J.Q.{....G..L...... .D..j....^v......S....=.~.#:.m..%Z.:D..t.......w<...+.bV...TI.@F. ...[..,.c..3.4.....9.f..CUT.j?.sSY.<..^..:f(}WGW{yR\|FU..Z.T.1.?.V}mf.^g....H.

C:\Users\user\AppData\Local\Temp\_is3A8D.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	13590995
Entropy (8bit):	7.998988462325129
Encrypted:	true
SSDEEP:	196608:AQP96+GOIrtM3k4vyzfh3Hlf17Sb9c24wRHDzrMVdmUL1K/zWKCkcOw8ui+Kjsj7:onrOU4vyDhtKcr63QJLc7Wdkc38yKj2
MD5:	31F47D57CD12A349725B7951922B78B0
SHA1:	7523F84651C2FF529EE49A361D6F90C8B7A21719
SHA-256:	23DB8DF68478C4F9A705DF8CE35E316A8F7A4A76752ACA229079BE40A141C994
SHA-512:	4F9AC39732B49C0614B0323E1B207AA21F48D2F96D47E10BE236B217B3D02EF02B3B4E34A5CC462F7B0E48F29D3BD65750D2E25E01FD15E4580A790AF6B2F4E3
Malicious:	false
Preview:	x..}.`..h..G>$.e.#@.......e..&.bF.!..fZ...2.ma..+!.....eYc.e.!.2.0!...s..0..K.BB.......WGw.h$.(.....Ru..^.z.......\|y....H..V.M._....ua..'.#......%.-.".D.c.....B..\|p.I4...........0.\|p.<......'...Nh...p............!p...........>......,..\e......W9.\|p.c..W9.\|p....Wy...'...r"..'....~..Ud..UN..\..\|p.S..W9.\|p....WY.>......,..\e......\....U...W....b..\e9..6..U....8..Wq......\..>.w.....:...!m.$..?t..A.M 0.........8E.....U...@N.H)... .....t..M...@..H%.Y. .....4..E...@..t....@...........TW...PM..(...P5..%.........lp+....yp..}...................\'...}.\.....n.{...;..9.........[.n......_..7......}.\......4..7..bp..2.....\......<.qp..W.W.W.W....fp[.M....Vp........w..=....q..-AY.....8...dx...V..-..../x.y..D?.L..@.2.j.(..c..0`T !%....w.k)..C.........?.....~.x%...p.....$by.....;....t`y.3..x...x./p.gv.>.....5\|.........9.37G...V..^>K.7.....`[Q.......0.qHK......[.....7xB..../....,..e3.)..Q~{.}>'._iT..d6?"g...rfS2..Jr)/...........r...Y...*.....]@.)[Jr.T...q%........)e.

C:\Users\user\AppData\Local\Temp\_is923C.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	166609
Entropy (8bit):	7.99726551243173
Encrypted:	true
SSDEEP:	3072:YENZ9G6CU4rU2eF2zA6OmzXx9MsnrObLmBhDwJSTPl:YEN3KHw2C2zA6FXx9F9z0JSTd
MD5:	3ED6492A74FE8718E34C735C70BFC359
SHA1:	FB7784B0C38408F1FC7FD06222BEBC4F04735C4A
SHA-256:	343B5A345B89D1538D6188C7FA6D323108BBA86D82D78E08712883B5CDF6246D
SHA-512:	6D9EFE10F0A222DFCB46DE17AF19DECD7A4B2F4CD7E21003CAAE3F8E47120ED7F902860BDABD983065E0267DEB404394273D4C7EFFC45DDC3A2179B789E396A4
Malicious:	false
Preview:	x.\\|qX..6....l.....7.@..h...6Z..U.V...Q..Rc.k....?C.c........P..k.....X...).h....-Z.`...?.I.....9..s.....W^.oln...>..E..`.$...].../......n...R.i^..e.M.U......wa..7g....\...&7R.%%T....jqI;9.......A...G l.m.W~....-..sb`...?E......"<<b...........voO?...Rh....9.P...%...P...W...J....tFN....Q#..8?.............P.).......K..(.I..cD\....Y...+s.........,..FP;.`}....Y..{..{n.........O.\..-)').d.\...gX..+.......".VM.p8a1c.fzUEm..;+......^.1..M.Mk..U......C<...h2z.:..Y(.:.Kf......H......z;..rI$....m..\......67'wX.{..8..L..J..9.\..dR......+...t..wGG.....P6..H-.z..u...MMC.........H.T..N.M>.D$........../......br8....X.DUoF.F.7".;.!.L.%Z...../.coQ...R)..o...{.v.0.U3.V.05......i!..........q...q..............V....w......`Xh.....d.N..0.......TuL...a3.2j./^.=.k.<.N.{XN+i,_.#..@.b.I..r....q.6zt..q.4?.S..n...tt.;..S#....+b...d\8.....^......\|....x.w....Y.@......uxMo.@[bL.7..>..9<..`.H.J.....-=..[...A'>..\|..d8.2E-..Z..h..=>..!.....3..N...x?....".....8v.6..u.t4V..K.

C:\Users\user\AppData\Local\Temp\_is927C.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	214995
Entropy (8bit):	7.990173265325712
Encrypted:	true
SSDEEP:	6144:szmt3Ri7PbF9EOOzjiY+TpuxY/tJiFV8CPSC:szmthWHEVHiLcKsWkSC
MD5:	F08A594E3F0D8C9C91C39C1B1B1DA7A4
SHA1:	C94DB981A14C3714DFAED7BFCBA34F0E708C2330
SHA-256:	A21509DFE5F83A0DDDCA4A3BEB3045E16497E23F0FF72EA7FEB4CE882F3FA69A
SHA-512:	7C0C1615ED4DCCA3849297E7ADFE8431133A2A399836DA312D3760B3808A87E9409645A1738955C79D24B78416DAA3F3F5ECF20A2D7E89CFB848F1A9046E0037
Malicious:	false
Preview:	x..UP....;..........,...;. ..[. ....ww.......$.k..~...U...9...oU.g.z...^.k.........?.......#0..^.@.......9...T.g....;.~.q.p...pr..NoiM...Do.D/..M...5/.....kP.o.0...........4A...P.64w.."3.sM...c.)H......I....r..a)cj..k..J........@..5....Q.........5........m.,J.....c...........{T.0........Y......s...@..;M....$.O....@ ..@....,0.....c.0.w......'.........x........\........$..O.9......j...........G-..................?...@........ ....t.;..+..)...7..Gp..;i.....g...R...^..<..../......P[d.td...=.N.X..(.m....g..;\|n=......K..Y.f0.V6...w1...%..O..P~X...D.\..1....}......L.g.w.L...-......y...."Q.._...(....FL.n.h.\|.V...a.HJX.T.g.....,.U\J.V........J9g... .\|.+.h,0...)..V.......2..].B..!......(.A.o.+-.G/V;4(j.."...f.z]...#..$..].....,....,..t...y.G$N..u...v.Qzd.R?.d.`.B0.....B1.h.Sg.U....3T..B"2..G...2.......;..:,X...6p....t.`.:....8.........)Y[9.\|\..4;....D.'.{@e...6.2..s..4i.C`l.....D...........}j.\.+.K...S8..l9^....R.aL.@..L9F..bu5..Q....n..T.ex.~....D..

C:\Users\user\AppData\Local\Temp\_is92BB.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	108
Entropy (8bit):	5.919342771075246
Encrypted:	false
SSDEEP:	3:qposzmMFzFYL5BUYvTxfaRoQOg/oUkspAT1:q7r6JTJaRoPgSspA5
MD5:	99D467399AAA7E038BAD6B31D291BC64
SHA1:	B8490C2255B097126514EDDAC2947B941828C530
SHA-256:	DAF3E22AE5DA6EFF6F466E1A58FE48A390A4AC9C5B342C63D1DE156050A88E83
SHA-512:	2ED581C2690E90582AE4FEFB8CC9AC0C1914D2AA2BDB416481338D3A5E2F1D57ADE6250F2B6EE146462EA104F60454E481BCCBD62B74992C2BEABBDB79E5D340
Malicious:	false
Preview:	x...N-)-pIMK,.))....I.K.t.5205...(.O)M.q.OI..6u10pu15.u6.4.5173.u43u.5.tqv....[..rE....q+.K.......1y......

C:\Users\user\AppData\Local\Temp\_is92BC.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	119603
Entropy (8bit):	7.9942374435843515
Encrypted:	true
SSDEEP:	3072:CezvWebTFAn2ZGJpkrw24Y4ZNT9AJ5JiaH6Um:CezFbJsWGJmL4YUNT2J54WZm
MD5:	6F264C8A2FA53BB3292B04A9A768C145
SHA1:	0FB683DD436A5F53996B98C132C6FACC6275186E
SHA-256:	AB0E716BBC0BCB05C05814DB56727AAEF5AD31301F52C7B5D991AFABF87BD6C3
SHA-512:	01C143A063A0ED1C753A81FAA506216C4C78691345D93AC75EAE9F8F588A5D3DD1ADEFD15DF2C2F7A186E6CBB5E61FEEB4E02459898C582B667F3C11BFBD73C2
Malicious:	false
Preview:	x..}\|T.0\|.#pH&..f B.Q..A..-8..h.L;...~."...^...D...99L.^s_.k[r...>.^.r.h...n..S.5...m.x.:m..80.Zk.3sf&..y....?...9.c..^{...^{o..... .f.d2..W`.K.O.....^.,....{.+^.xe.....}....{.........._....5.._s...-..........F.....^9!.}......_-...n..R.............k&.....?..(}.._.`~.n^. .0L...bN....&_\.a.v#..P......~.g3....D...qQ0.,......4.s."&..lp.aQ.u...vO...F..o......$l5..??x.. .v.....XP1Ap...../x. ..bu.@..7...g.......x/..O.=.........t...[..+.L8...N..-J.t.....:$\|h.@...y..t..c..O.>.....O.>.....O.>.....?._?..'hO.~9.N,....-...s.......9.=w.!..].-<....b.F^...co......&[.A.z. ...#..u.q..taL."..@......ZOb.T.,.8..hr`....\|.9h. ...f.........T..,_....@..R..)#...+...TD...1...D.....!tKx....-.....Ab.K.0<T....9..p15-.sF..%..k.n.$.:.3Y.o. ..nu.j...Pi...n.,.G.....^w.C..6^..Y?.5.'..1..^b...A..ye..'.....%w:...v}.r..L...B...h..C.Ai...,...\..X%..Z.mM...H...U...P..\.tI......p.Y..-6....!49...C....e..U.,$..2..o.m.v.!.?}-.;!...@....O.m....I...C.0.!.c!.1W~....x.[r.....(.;N

C:\Users\user\AppData\Local\Temp\_is9463.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	24765
Entropy (8bit):	7.9612786015649535
Encrypted:	false
SSDEEP:	768:fZbWozjcn4dEB4yp+D0SsGuZf3ExDA553:fZbWozjc4d8CYNGWek5x
MD5:	3B61F9D15B562E1A5084712E170FE80A
SHA1:	4875B453F6864885DF3F33EAFA96816DB6A7104B
SHA-256:	91CCE2E533CE45DC2D469E89258DC261B14F62E9E4AE5D1C0ECD3FF0EC8766CB
SHA-512:	DBC1ED1BDB58786D07C6ADCF862FBDF88531985B03768747890BEB15689FE194B7F5E4F6E5BD92715F024D1A59D5EFBB6FEFA8A256D63AB4A231A10637BBF329
Malicious:	false
Preview:	x..}.S\G.`.\|..?t...v.....Yv.!ds..#....G.-.54,...\|....Uf....~...<.PH.........;....5..94;......w..}.l.#se....o..L..5..<o...y..\|h..h.f..f.<3l>.l....o.......M3.a3...~.kf;j~.....c.\|..fa{.<.o....an.....f.cs.@60......u..6j.3.f.s...k........0....`.v.I....~.....Cxf..#.6.M.?8............y.U..U.......u......4...T..^..V......uo...O.......s]..8......`.k....\|.p.\|j..k~.L...)..\|.?M.D...]........f....i..s.@...\|...{.p.c..3....{....A....c.\|J..6.K.nO.~.\i.s...]G\|.\|~...1.o......f.]l...}`...7w.LZj..@5n..F...r.z......mO.1.]K.K.X.m..[.'..>...Y..w....}t...O.v.s./n.f._......}......F.k...d..).c.9....f...i.r.Y.K.{.3.....;....O...<m...+.l....y._.?v...iR..[..,z.7.;.z.l.{...m./~..>.q..P.8/.Ey.g.3g.r....,o{...O.7.p/...x....m.....;.......w.....=r.4ie.....F..\|...{..y...i.f.:.As..s...o..Q.;.#.J....Fc...AYG).y.?..+..y.....8.=...=...V7.x..<.C4....j.Z.$..4..>..I.............p...HR......1.@.!;.......a).o...uI>.'Q?3.=C?5./@.:s.Xl.w..3.7...;..t............x....>.QC..0&.

C:\Users\user\AppData\Local\Temp\_is9658.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	54993
Entropy (8bit):	7.991110895412911
Encrypted:	true
SSDEEP:	1536:YBZ6lmEZVjBJ0wwviWdSVgps9DTXIezY6Xp:ygmwciWUfNXp
MD5:	A087317D9128F28C4994E7BBE546EAF9
SHA1:	B394F7B9D20D5E3991F81359C5CC734F9C0F4894
SHA-256:	F0412DF61A14A2C2421D0939A37B24720E09B492745730A2BF8B060AA7A9A89F
SHA-512:	8C6D0B39DD0E1DEB61DD120BBE99064F9534FA5B57C45FDD51123BC31600A14A34AFD5362B3B50166982439C7CDBF28C6B3959DE710CB0D90079497C4F0BF642
Malicious:	false
Preview:	x..{\|...8>.J6!a.a5.....4..5.K60.......M].Z.dW. .&Q.."m..k[..j.V-.\|4!@.....(".2......=..}.h...~..??>dg..}.{..s.g.Z&..A0...B................N..!M...!Sg?P.S...5...Q}...?.t.{..&......S.?z...]......'.2z..7...........ea.\.<.f....-.Iy__.gz......!.7.....>P=..K...\.~.E.'o....0....V. .........A..\|......O\Sf...B....[.=. ..7{..{.... ...u.A(.'..4.......9.B.......W....3.. .95.C......=.{...y..l...R....<..].?..}......\|......}...ui.....T.=..^-..........w..E.m....IaC.c.XK.......%.@..r...A(.^..K...lo0Gb.. Mjl.9.Tg......J7........2.R....Kh.rK..N..~.)I.R./pN..Clx.rx....p.c9N...........^e.T.G\.$....; Qb.....Y....,..3]J.......n?k.05+........7.I..&.1.....\|.T.^.5x...t.....5K.......P. ...!.k.=w{f.B.........l..}.VV..5.L...T...;`.o..tKm^g.Y....9.;%1..Y.\.c...y........`...?:..w..G\)..s...A........(.&.../...B..n..f.$.k.X.R.sW.{...`A8...c."...Ov.#......z"...mQ..X.b&....#f..pp....T4..]&.L.%:...p..[.\|..;.{-..a.....b...../..4PEl..?.......[......(/..G..:..a.......

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\0x0409.ini

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	13660
Entropy (8bit):	3.486384074808718
Encrypted:	false
SSDEEP:	192:4QGTmyunVn//BTelD/SQI1xVwCtH8LXAd2k9Kf61Ua:PGTmyuV//BTED/9Ad77Ga
MD5:	758747727E96A23C7C5A5BBB011656E4
SHA1:	51CC637E7EB3451D6DFA9465D949D6DFB2CD65C9
SHA-256:	BAD3B2E854149DF9413F06E6C1C7B7C875545393877F59B59907F6B083CE5825
SHA-512:	21FF9D365BEB1B7809B89D540F41BF330515F05F6211C8327BE43BAF1F050E46ECC1654B0696E7C82A2A803267E38D780FFD83DEA7448861F6E3B84838685627
Malicious:	false
Preview:	......[.0.x.0.4.0.9.].....T.I.T.L.E.=.C.h.o.o.s.e. .S.e.t.u.p. .L.a.n.g.u.a.g.e.....D.E.S.C.R.I.P.T.I.O.N.=.S.e.l.e.c.t. .t.h.e. .l.a.n.g.u.a.g.e. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .f.r.o.m. .t.h.e. .c.h.o.i.c.e.s. .b.e.l.o.w.......R.E.B.O.O.T.M.E.S.S.A.G.E.=.T.h.e. .i.n.s.t.a.l.l.e.r. .m.u.s.t. .r.e.s.t.a.r.t. .y.o.u.r. .s.y.s.t.e.m. .t.o. .c.o.m.p.l.e.t.e. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.e.r.v.i.c.e... . .C.l.i.c.k. .Y.e.s. .t.o. .r.e.s.t.a.r.t. .n.o.w. .o.r. .N.o. .i.f. .y.o.u. .p.l.a.n. .t.o. .r.e.s.t.a.r.t. .l.a.t.e.r.......O.N.U.P.G.R.A.D.E.=.T.h.i.s. .s.e.t.u.p. .w.i.l.l. .p.e.r.f.o.r.m. .a.n. .u.p.g.r.a.d.e. .o.f. .'.%.s.'... .D.o. .y.o.u. .w.a.n.t. .t.o. .c.o.n.t.i.n.u.e.?.....L.A.T.E.R.V.E.R.S.I.O.N.I.N.S.T.A.L.L.E.D.=.A. .l.a.t.e.r. .v.e.r.s.i.o.n. .o.f. .'.%.s.'. .i.s. .a.l.r.e.a.d.y. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .m.a.c.h.i.n.e... .T.h.e. .s.e.t.u.p. .c.a.n.n.o.t. .c.o.n.t.i.n.u.e.......O.K.=.O.K.....C.a.n.c.e.l.=.C.a.

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\0x0804.ini

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6776
Entropy (8bit):	5.6817339728402665
Encrypted:	false
SSDEEP:	192:MGvP/jTZCt1WNJQYRqljRpRzPKHDJCL/PD:MG7TxmP/PD
MD5:	D79173462CB9377187D61EC9CAF58344
SHA1:	ED853089C38246EB3C8D06004B4EF0DC4C0D4A91
SHA-256:	E99A2F085D31FA583A54804F5784AC6CA3E1FBB505C8A26251532C7287EA2CD4
SHA-512:	C0A182EDDF7972C7824B3DBF0502056A025C831C392C945780626968E458CF55A6DB893A108A70A676FBAA5FDAE6D27577BCC2377FFD8462532AC24F410D453A
Malicious:	false
Preview:	......[.0.x.0.8.0.4.].....T.I.T.L.E.=....b.[..z.^.v.......D.E.S.C.R.I.P.T.I.O.N.=..N.N.N..y.-N...bdk.[..z.^.v....0....R.E.B.O.O.T.M.E.S.S.A.G.E.=.I.n.s.t.a.l.l.e.r. .._{...e/T.R.`.v.\|.~..Mb...[.b .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.vM.n..0US.Q"./f"..S.zsS..e/T.R..US.Q".&T"..R.S(W.N.T/T.R.0....O.N.U.P.G.R.A.D.E.=..[..z.^.\.[.b .'.%.s.'. ..f.e.0/f&T.~.~......L.A.T.E.R.V.E.R.S.I.O.N.I.N.S.T.A.L.L.E.D.=.dk:ghV.].[....eHr .'.%.s.'..0.[..e.l.~.~.0....O.K.=.nx.[....C.a.n.c.e.l.=..S.m....P.a.s.s.w.o.r.d.=..[.x......I.n.s.t.a.l.l.=..[.....N.e.x.t.=..N.Nek(.&.N.). .>.....1.1.0.0.=..[..z.^.R.Y.S.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z.^ck(W.Q.Y .%.2....[.\._.[.`.[.biRYO.v.[...z.0...z.P.0....1.1.0.3.=.ck(W.h.g.d\O.\|.~Hr,g....1.1.0.4.=.ck(W.h.g .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(WM.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(WM.n. .%.s.....1.1.0.7.=..[..z.^.](W.`.v.\|.~-N.[.b.N .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..vM.n..0 ......

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: ALC700, Author: SmartGen, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Oct 19 14:50:06 2021, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Security: 1, Template: Intel;0,1033,2052, Last Saved By: Intel;1033, Revision Number: {5D00ED55-C696-4760-A65D-39DCD0EDE479}1.0.0.7;{5D00ED55-C696-4760-A65D-39DCD0EDE479}1.0.0.7;{CED3D40B-A811-4F96-A74E-332E4E6679FE}, Number of Pages: 200, Number of Characters: 1
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	4.992073369219857
Encrypted:	false
SSDEEP:	1536:pzz3jVueCA1PPRG4rZ+4ulvTYhm0DITjybvq7vB:pz7jHR7+flvTYhm0DI2vq7vB
MD5:	38CC80C36628B9A229939867909C9A11
SHA1:	201C0DE0CC2B516BFD0CB93136080C022294135E
SHA-256:	0C04F5F65AF9454B670C60983ABBCA9228192583139A4505C0BA81D324C73391
SHA-512:	6A91018020F4C08F12DE4A219FDD9B5C5E443790D50C22B73C67A1A9CE2B14A1A3A482D9AE36B1F1D48666B158997F261CBB250CDBE632CB695BADF97E838096
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: ALC700, Author: SmartGen, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Tue Oct 19 14:50:05 2021, Create Time/Date: Tue Oct 19 14:50:05 2021, Last Printed: Tue Oct 19 14:50:05 2021, Revision Number: {7973D285-7AA2-4EDE-87C5-CA3773168D3B}, Code page: 0, Template: Intel;0,1033,2052
Category:	dropped
Size (bytes):	14210560
Entropy (8bit):	7.95333840963524
Encrypted:	false
SSDEEP:	196608:+g/Ml+/YHPGQiSU4WxfKUbo8TgbNlg3eX6UfKPYjcfnN7oi6hcpz:7QHPGN4Wxy3NuO6Uf2Yi7oZhc
MD5:	26927F97F38D9603B7D43FA44228B1F9
SHA1:	9ED98A121864B276492359A8B4FF7C42D914345E
SHA-256:	6961DCACA749D37CF5D5573A281C2FA72A30E13504A2C090BF86586774EB30F7
SHA-512:	62CE2A5F4CC4EB9731EE4872F98F05D93D00938B1FB1E7207FCE24F3776F1B6C66CA7A3368BE26CD836B8B41BD780087E02371F356561BC0E9686094C82A3923
Malicious:	false
Preview:	......................>...................................8........6..........................................\|................................................................................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5..........;........................... ......................................................................................."...!...(...#...$...%...&...'.......)...2...+...,...-......./...0...1...6...3...4...5...>...7...e...K...:...<.......=.......?...@...A...B...C...D...E...F...G...H...\...J...L...g...M...N...O...X...Q...R...S...T...U...V...W...I.......Z...[.......]...^..._...`...a...b...c...d...g...f.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	Generic INItialization configuration [Startup]
Category:	dropped
Size (bytes):	2769
Entropy (8bit):	5.431759673042422
Encrypted:	false
SSDEEP:	48:HP3NZo5zlkVZLrGUWhXvCm6mJGCN6FTaRUTc2gQJioega:HP/o1lkLrGxhXvCm6wGCZUTcyJTega
MD5:	403ADCEB9F6F5FC051CE53F0D3AA18B2
SHA1:	39B918D0345193B9F327919C946F4C157A56A7B0
SHA-256:	076D5EC785CE6ACCB7CC1C5E8246EE7694131E68E0A1A37E835D99F153ADDA64
SHA-512:	BA5405D0CDC235A019718DEFDC61CAFF4930F8A56EEEF061B7E9FE0B520FA0BD7B2EDD0B7F4F734D5E0E8A5E8BBE23BD9F3451080AE2965053C24ED473AB8654
Malicious:	false
Preview:	[Info]..Name=INTL..Version=1.00.000..DiskSpace=8000.;DiskSpace requirement in KB....[Startup]..CmdLine=..SuppressWrongOS=Y..ScriptDriven=2..ScriptVer=15.0.0.533..DotNetOptionalInstallIfSilent=N..OnUpgrade=1..RequireExactLangMatch=0404,0804..RTLLangs=0401,040d..Product=ALC700..PackageName=ALC700.msi..EnableLangDlg=Y..LogResults=N..DoMaintenance=N..ProductCode={5D00ED55-C696-4760-A65D-39DCD0EDE479}..ProductVersion=1.0.0.7..SuppressReboot=Y..LauncherName=setup.exe..PackageCode={7973D285-7AA2-4EDE-87C5-CA3773168D3B}....[MsiVersion]..2.0.2600.0=SupportOS....[SupportOSMsi11] ;Supported platforms for MSI 1.1..Win95=1..Win98=1..WinNT4SP3=1....[SupportOSMsi12] ;Supported platforms for MSI 1.2..Win95=1..Win98=1..WinME=1..WinNT4SP3=1....[SupportOS] ;Supported platforms for MSI 2.0..Win95=1..Win98=1..WinME=1..WinNT4SP6=1..Win2K=1....[SupportOSMsi30] ;Supported platforms for MSI 3.0..Win2KSP3=1..WinXP=1..Win2003Server=1....[Win95]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=950..PlatformId=1...

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\_ISMSIDEL.INI

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	data
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.5478976275004666
Encrypted:	false
SSDEEP:	3:fJ4l4w:f2l4w
MD5:	8FEF5F010ED3AAAF74D3214334BE4088
SHA1:	FA90E59E675DE66D246D697A868EDCA1562F9D30
SHA-256:	55FA3D1388E8F2DA8E7A35A2E809CA5924077A3C40EAEE561C1E3686809F63C2
SHA-512:	C2A5BA5C311C016779A3024AE9600B29E718AFE2B01103206BEC72719B5E0E47BB1096CBD3B389B00A0705C565800A740A7003E4F8705E00FBFE0F2E2D3318D2
Malicious:	false
Preview:	[.F.i.l.e.s.].........

C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117560
Entropy (8bit):	5.979168905735194
Encrypted:	false
SSDEEP:	3072:AQboO98B8qDO2EyOLHbLu1YuhpCDZ39FLkZhNbW:hMO98HDO9yg21YQ0Cz
MD5:	2A276BA2B7782476302C59D0F760F4BC
SHA1:	43BBB884A7B65534C417AE5A3F3F17F7E80E2F7D
SHA-256:	D3294CC8C750C4BD63016E87E9D2C53A501C173567F4EDB9A3C6F1BD9836064A
SHA-512:	6BED8D3291ED422AED187637838BFB957EA59C772BE3BC52C12242474712F411E174AFE55ED6955B910A8CE3635F1552260063CF6DB428A4E34BC76A4E3E01F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..-%.~%.~%.~..~-.~..~o.~..~..~Sq.~$.~Sq.~.~%.~..~..~&.~..~$.~.*.~$.~Rich%.~................PE..d...a.%H..........#............................@.....................................C......................................................@{..................t.......8...........P$............................................... ...............................text...j........................... ..`.rdata...g... ...h..................@..@.data....+...........t..............@....pdata..t...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	223024
Entropy (8bit):	7.939392741304293
Encrypted:	false
SSDEEP:	6144:Kmt35i7PbF9OMOzjiYYTpMxo/j5AWeumDOy/:KmtpWHOXHiHmm9AaJE
MD5:	0F68D760FB480A1B039CA7D6B877D24C
SHA1:	259D101A49646C3ABE17114111FF9AA7DF1B8FC2
SHA-256:	5974CE20A780D384383CFC24AF4DC62BC22CA67CE1D76EA9981C42631480AB63
SHA-512:	D551553CECA5B9BA86F7422893DF78CE71167096CBEAE65319C344ABF57601E8E6C8F9779A9A45ED28CE32C3E1C477B843D8AD4437E0643C0FABF56AB7F586D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`..]...]...]...&...Y.......}...2........#..^...["..^...2...R...."..^...n#.._...."..H...]...>...["..........\....!..\...Rich]...........................PE..L.....%H...........!.....0...........d.......@.......................................................................D.......a.......@...............R..0....p.......................................................................................text....0..............PEC2.O......`....rsrc....0...@.......".............. ....reloc.......p.......P..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\IsConfig.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Generic INItialization configuration [f1]
Category:	dropped
Size (bytes):	109
Entropy (8bit):	5.137020945565563
Encrypted:	false
SSDEEP:	3:sYRvqLCA+CydKmxKxmbQTzPlgCy+I/KBEv:sWCV+CPmxKIsTzdPBBEv
MD5:	3EDB29DC6293709BA986256465DB2A34
SHA1:	5B73A7F7BACD9EC3812B4817DE4974E22BFB5C1D
SHA-256:	439AACB89657F128161C0B04C61EDFDE1D8C7B2B5CB1F114A2DE5BE7182228D2
SHA-512:	76924798FCF163256AD72FA13A18B0B80D5822CCF9CBEC2CD7B2FB18191B2F543AAB06F1016A67B112BF0FAC03FBA14ED2EBE60B1F429ED88F0E5A429841FEAF
Malicious:	false
Preview:	[SetupDefaults]..LangID=2052..ProductCode={5D00ED55-C696-4760-A65D-39DCD0EDE479}..[f1]..Function=MyFunction..

C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\String1033.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
Category:	dropped
Size (bytes):	173260
Entropy (8bit):	3.646661743917228
Encrypted:	false
SSDEEP:	1536:9rOLR6/K410BrChTHB8zP2hWA/z+wKZUNrPsHnQvvOuyMJice1VOL27pU:9aLu1XTh8cW9qoeB
MD5:	3741973BD762239E45777082CB31A03A
SHA1:	DCAD4AEBF5B1EAB7A569592726EE359E174B0484
SHA-256:	D30BB7EF43B9A4D6D9D64A5E87C70F3FCFAE62607755C8F5F036E40E933171AF
SHA-512:	55C9AAB8544439DDAD25EF92135A33D6B20887F4DA34FC23D98369AC47A2E5C2A34AEB6DD52599BAE2ABCD64EEBBAF13C3614E40EE12D62A3B0764AAE2635868
Malicious:	false
Preview:	..C.O.M.P.A.N.Y._.N.A.M.E.=.S.m.a.r.t.G.e.n.....D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.C.O.L.O.R.=.T.h.e. .c.o.l.o.r. .s.e.t.t.i.n.g.s. .o.f. .y.o.u.r. .s.y.s.t.e.m. .a.r.e. .n.o.t. .a.d.e.q.u.a.t.e. .f.o.r. .r.u.n.n.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.O.S.=.T.h.e. .o.p.e.r.a.t.i.n.g. .s.y.s.t.e.m. .i.s. .n.o.t. .a.d.e.q.u.a.t.e. .f.o.r. .r.u.n.n.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.P.R.O.C.E.S.S.O.R.=.T.h.e. .p.r.o.c.e.s.s.o.r. .i.s. .n.o.t. .a.d.e.q.u.a.t.e. .f.o.r. .r.u.n.n.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.R.A.M.=.T.h.e. .a.m.o.u.n.t. .o.f. .R.A.M. .i.s. .n.o.t. .a.d.e.q.u.a.t.e. .f.o.r. .r.u.n.n.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.

C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	558488
Entropy (8bit):	4.8363062271852275
Encrypted:	false
SSDEEP:	6144:ihs4dodcOaOdFGkd+4skkkkknffCp5CrRKluaqkHVPKH:Ys4dodfaOdI5GqHVu
MD5:	936570437CDD944172B100E677603523
SHA1:	97E56B29733846D4FFEF7791830F3E9AE355783A
SHA-256:	682E00F308BE80C69172B0E7D76F2ED555B7838BE7B7F61774687AA1CDF1CE8B
SHA-512:	D357C39570079E2CE64C0AFFB0C33B46033C41244DF9812E69B7BFF7CC75287EA103BBE27DC7AE775B41D4A2DC0FE1088AD04369B6B435DBDB5EF70145AB9DF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$Lh&`-.u`-.u`-.u.2.ua-.u.1.ut-.u.2.u0-.u`-.u-.u...uc-.uf..ub-.u.+.ua-.uRich`-.u........PE..L...l%H...........!.........................................................................................................@..(....P..3...........hp..0....p.......................................................A...............................text............................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...3....P... ...0..............@..@.reloc..m....p... ...P..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\setup.inx

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	255634
Entropy (8bit):	7.333024427238974
Encrypted:	false
SSDEEP:	6144:joHNBocHWsV7MHFbH7H8B8+Swpi5VSXa36:jorocHWmGT8yvgqq
MD5:	BFAB1FC3171D4EA8BDB2BB801E5C0B71
SHA1:	683830D04E5724CEF375BCA3A9C2F89D2D5A6C94
SHA-256:	04FD995C9250FFC15DA2799564B7455C0080769051D9440357BEF7DE1BC26B0D
SHA-512:	E24B712EF958511BAB99FA84432E67098CF1ABB0BCDA5A34BC225BDADF8F6955737ECE8248EF3FE2F23DE8C34F216C1F2CFE7FFF90D5E7B4140999316DD72B0E
Malicious:	false
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aB=mQ.Y]A..M1..)!.)........................................}...m..q]}aeMmYU=]EE-M)5.=.%.-...........\|...........s.......\|...1.]....q...maaMi......c..)==.%{o..Gk3CK.....3'.T$HP.....D.\|....$.@.......<L..}yyYa....c.MII.1.W.,c_gC.{.K3.....o...L(0,.Dl......8.............q..mu.X...]]]-Eg..sW...kO.....ww.k'S+._`=....<..L.4.. .......\..`...myyEa........{{)55.=..[.._C[K.......oo.T.l.....H.\.,...............<...i}}Ye..H...5II.1.{..o.c.G.GO.....K?.K.d`(8(........$............y..Qu.DT8...MAA!I.s ..oS......o{/.C{'+.....h.. ..D......,. ..t......y..i..4.....-UMAA.I.s.c{..W[.GKGg.??g#....@4.\(Xl\....$L..$..a..t.....l.....YQQ.Y..0s..g.{{.{..C....._3.3.G/'HHl4.....(.....$.........q..Aq.H.....s.w911.9w,.{....k._;c;/.O....0.dH..,....... .,p$...u..0...L..mee.m........<.....c_._3.S.....3.gK..h$.0.....D.H..88$......0...MAu..,.....cwIM..9kK.gcg.S..kCc.k'.3........

C:\Users\user\AppData\Local\Temp\~39FD.tmp

Download File

Process:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
File Type:	Generic INItialization configuration [Startup]
Category:	dropped
Size (bytes):	2769
Entropy (8bit):	5.431759673042422
Encrypted:	false
SSDEEP:	48:HP3NZo5zlkVZLrGUWhXvCm6mJGCN6FTaRUTc2gQJioega:HP/o1lkLrGxhXvCm6wGCZUTcyJTega
MD5:	403ADCEB9F6F5FC051CE53F0D3AA18B2
SHA1:	39B918D0345193B9F327919C946F4C157A56A7B0
SHA-256:	076D5EC785CE6ACCB7CC1C5E8246EE7694131E68E0A1A37E835D99F153ADDA64
SHA-512:	BA5405D0CDC235A019718DEFDC61CAFF4930F8A56EEEF061B7E9FE0B520FA0BD7B2EDD0B7F4F734D5E0E8A5E8BBE23BD9F3451080AE2965053C24ED473AB8654
Malicious:	false
Preview:	[Info]..Name=INTL..Version=1.00.000..DiskSpace=8000.;DiskSpace requirement in KB....[Startup]..CmdLine=..SuppressWrongOS=Y..ScriptDriven=2..ScriptVer=15.0.0.533..DotNetOptionalInstallIfSilent=N..OnUpgrade=1..RequireExactLangMatch=0404,0804..RTLLangs=0401,040d..Product=ALC700..PackageName=ALC700.msi..EnableLangDlg=Y..LogResults=N..DoMaintenance=N..ProductCode={5D00ED55-C696-4760-A65D-39DCD0EDE479}..ProductVersion=1.0.0.7..SuppressReboot=Y..LauncherName=setup.exe..PackageCode={7973D285-7AA2-4EDE-87C5-CA3773168D3B}....[MsiVersion]..2.0.2600.0=SupportOS....[SupportOSMsi11] ;Supported platforms for MSI 1.1..Win95=1..Win98=1..WinNT4SP3=1....[SupportOSMsi12] ;Supported platforms for MSI 1.2..Win95=1..Win98=1..WinME=1..WinNT4SP3=1....[SupportOS] ;Supported platforms for MSI 2.0..Win95=1..Win98=1..WinME=1..WinNT4SP6=1..Win2K=1....[SupportOSMsi30] ;Supported platforms for MSI 3.0..Win2KSP3=1..WinXP=1..Win2003Server=1....[Win95]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=950..PlatformId=1...

C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	147728
Entropy (8bit):	5.909287934496192
Encrypted:	false
SSDEEP:	3072:h+qD1Cd/Oa5kXFlqkFGr3CAP7LCyInPEggen5Ez:hlCd/OaaFEjCAPKyOE6na
MD5:	C89E401800DE62E5702E085D898EED20
SHA1:	72FB4F088C6AC02097B55FB267C76FBF5E0FA1F7
SHA-256:	DE83C9D9203050B40C098E4143EF8F577AA90016C7A64D4F2931B57A4C43E566
SHA-512:	70006D70DCB47361FF43E4F7C458655AD2474B70CB917873AA77D2CC06465A68D375D36C494D154A03DBBFF891DF7DD6CAB3D2C7B08E8650B9FF170E30838070
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ru..ru..ru..mf..ru..ru..su.Rich.ru.........................PE..L....!.6...........#..................... ........<e.........................`... ..^q..................................n.......d....0.......................@..0...P!............................................... ..L............................text...n.... ....... .............. ..`.data....d.......P..................@....rsrc........0......................@..@.reloc..v....@... ... ..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	598288
Entropy (8bit):	6.644743270512807
Encrypted:	false
SSDEEP:	12288:HCKynQWKglDhrUtrvT/NInIk4NDXsR6lMlpGz:HGXqB8V6lMlMz
MD5:	7B156D230278B8C914EF3F4169FEC1CC
SHA1:	6B58E20B2538CB308091DA838710F6AAD933A301
SHA-256:	BAEB2F7C1B8BE56738D34E1D1DDF8E0EEBD3A633215DC1575E14656BE38B939D
SHA-512:	E4EC2BC714069E0A6B56D89B52AABAD92E5BA741DC6F26D2FC2D72AA9AD2EC465DEA523CCCD810331AB78B5FB8A1244B2B521303418EAD5BD6BE5A58B43794C5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ibW.-.9.-.9.-.9...7.(.9.{.*.,.9.-.9...9.Rich-.9.................PE..L....#.6...........#..... ...................p....4e......................... ......+................................6..%$.......................................g...................................................................................text............ ... .............. ..`.data....a...0...`...@..............@....rsrc...............................@..@.reloc...g.......p..................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	164112
Entropy (8bit):	5.8462943829831575
Encrypted:	false
SSDEEP:	3072:+VrhrwLXcA2Ha/joWklbo/Acjwm4AaW7zozn/zgOh0Z76:fklbsqmyWnoz/P
MD5:	CE0155405EA902797E88B92A78443AEB
SHA1:	8ADFF69050D14A57D7F553CA8978439AF188C192
SHA-256:	789C3C45EDA1749BD939F4A96616E1E9EF1B7DCC62A2889F65088954C64D0938
SHA-512:	3FDE09067F9CA8D315DE07C8DB972F99723EA4C3F997DC58210F9D6565CAA9935C79F13E8B2D20ADC5609919A381E4C2A90A0B3123A35947997229D7C615E162
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.'r!.I!!.I!!.I!w.Z!*.I!!.I!\.I!Rich!.I!........PE..L....!.6...........#.................)... ........0_............................. ..>................................................0...3...................p...... #............................................... ...............................text...q.... ....... .............. ..`.data....X.......P..................@....rsrc....3...0...@... ..............@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	4.083884450202126
Encrypted:	false
SSDEEP:	384:cogoEvM/uFrR+X6QNn1pcJIrWocDGWct:cogoEvM0rgqQNn3
MD5:	1B02577F0ADDEA32EB02A50D4A4CDD1E
SHA1:	36F701CCEC78A5D218FEA23FD05351890F14CF7D
SHA-256:	6EA525BFACE5467C1045C3708F339A4B92A3A273F70656E061C7F7322C56D667
SHA-512:	87FD4AA5158D09EB97B6131E651DB2A4761546907A960AF7792F8E95947C0A825E84F88ECCF42EC896FF5BB2BBC461488B898D5F1BD853847317493C44B330C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eU!.!4O.!4O.!4O.!4O. 4O.Rich!4O.................PE..L....!.6...........!.........D...............................................p...........................................................@...................`.......................................................................................rsrc....@.......B..................@..@.reloc.......`.......D..............@..B.............!.6............ .......8........!.6............P........!.6............h........!.6.....................!.6....................@:...........J................T.Y.P.E.L.I.B.MSFT................A...........*................................... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...............h...........................................L...P.......

C:\Windows\Installer\4280a8.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: ALC700, Author: SmartGen, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Tue Oct 19 14:50:05 2021, Create Time/Date: Tue Oct 19 14:50:05 2021, Last Printed: Tue Oct 19 14:50:05 2021, Revision Number: {7973D285-7AA2-4EDE-87C5-CA3773168D3B}, Code page: 0, Template: Intel;0,1033,2052
Category:	dropped
Size (bytes):	14210560
Entropy (8bit):	7.95333840963524
Encrypted:	false
SSDEEP:	196608:+g/Ml+/YHPGQiSU4WxfKUbo8TgbNlg3eX6UfKPYjcfnN7oi6hcpz:7QHPGN4Wxy3NuO6Uf2Yi7oZhc
MD5:	26927F97F38D9603B7D43FA44228B1F9
SHA1:	9ED98A121864B276492359A8B4FF7C42D914345E
SHA-256:	6961DCACA749D37CF5D5573A281C2FA72A30E13504A2C090BF86586774EB30F7
SHA-512:	62CE2A5F4CC4EB9731EE4872F98F05D93D00938B1FB1E7207FCE24F3776F1B6C66CA7A3368BE26CD836B8B41BD780087E02371F356561BC0E9686094C82A3923
Malicious:	false
Preview:	......................>...................................8........6..........................................\|................................................................................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5..........;........................... ......................................................................................."...!...(...#...$...%...&...'.......)...2...+...,...-......./...0...1...6...3...4...5...>...7...e...K...:...<.......=.......?...@...A...B...C...D...E...F...G...H...\...J...L...g...M...N...O...X...Q...R...S...T...U...V...W...I.......Z...[.......]...^..._...`...a...b...c...d...g...f.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\4280a9.mst

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: ALC700, Author: SmartGen, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Oct 19 14:50:06 2021, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Security: 1, Template: Intel;0,1033,2052, Last Saved By: Intel;1033, Revision Number: {5D00ED55-C696-4760-A65D-39DCD0EDE479}1.0.0.7;{5D00ED55-C696-4760-A65D-39DCD0EDE479}1.0.0.7;{CED3D40B-A811-4F96-A74E-332E4E6679FE}, Number of Pages: 200, Number of Characters: 1
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	4.992073369219857
Encrypted:	false
SSDEEP:	1536:pzz3jVueCA1PPRG4rZ+4ulvTYhm0DITjybvq7vB:pz7jHR7+flvTYhm0DI2vq7vB
MD5:	38CC80C36628B9A229939867909C9A11
SHA1:	201C0DE0CC2B516BFD0CB93136080C022294135E
SHA-256:	0C04F5F65AF9454B670C60983ABBCA9228192583139A4505C0BA81D324C73391
SHA-512:	6A91018020F4C08F12DE4A219FDD9B5C5E443790D50C22B73C67A1A9CE2B14A1A3A482D9AE36B1F1D48666B158997F261CBB250CDBE632CB695BADF97E838096
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4280ab.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: ALC700, Author: SmartGen, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Tue Oct 19 14:50:05 2021, Create Time/Date: Tue Oct 19 14:50:05 2021, Last Printed: Tue Oct 19 14:50:05 2021, Revision Number: {7973D285-7AA2-4EDE-87C5-CA3773168D3B}, Code page: 0, Template: Intel;0,1033,2052
Category:	dropped
Size (bytes):	14210560
Entropy (8bit):	7.95333840963524
Encrypted:	false
SSDEEP:	196608:+g/Ml+/YHPGQiSU4WxfKUbo8TgbNlg3eX6UfKPYjcfnN7oi6hcpz:7QHPGN4Wxy3NuO6Uf2Yi7oZhc
MD5:	26927F97F38D9603B7D43FA44228B1F9
SHA1:	9ED98A121864B276492359A8B4FF7C42D914345E
SHA-256:	6961DCACA749D37CF5D5573A281C2FA72A30E13504A2C090BF86586774EB30F7
SHA-512:	62CE2A5F4CC4EB9731EE4872F98F05D93D00938B1FB1E7207FCE24F3776F1B6C66CA7A3368BE26CD836B8B41BD780087E02371F356561BC0E9686094C82A3923
Malicious:	false
Preview:	......................>...................................8........6..........................................\|................................................................................................................................................................................................................................ ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5..........;........................... ......................................................................................."...!...(...#...$...%...&...'.......)...2...+...,...-......./...0...1...6...3...4...5...>...7...e...K...:...<.......=.......?...@...A...B...C...D...E...F...G...H...\...J...L...g...M...N...O...X...Q...R...S...T...U...V...W...I.......Z...[.......]...^..._...`...a...b...c...d...g...f.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI8386.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	326667
Entropy (8bit):	5.09986430303119
Encrypted:	false
SSDEEP:	3072:n3Ejc4KjcofjcjKSjcoaaRbM9EjpXa0FEtTdNJeMw3vT3wGvWtGIsrGxBXGSZ2GL:3oH5z7lva
MD5:	4BE0153C839789AD9D1EA24AB6AED2C4
SHA1:	4F3443AF4556BF5B16C3BE3BF7FC381C47D3CB35
SHA-256:	034FA91F1F98309AFA1FFB3A8D56D54AAA6A007676AEB169A86B808089727462
SHA-512:	AD1D536195C069E24D9F59B3E0F0C53606643C8ADA855D600935C373A40FA9BD2D4AEAD78A039C78A4C80407C8EB54E21D8009014EB0C97A99B9CD007864EAC4
Malicious:	false
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{5D00ED55-C696-4760-A65D-39DCD0EDE479}..ALC700..ALC700.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{7973D285-7AA2-4EDE-87C5-CA3773168D3B}.....@.....@.....@.....@.......@.....@.....@.......@......ALC700......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{43E17A22-E4F0-4F20-BB7B-03C0074D0BB7}0.C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\.@.......@.....@.....@......&.{F5A447FF-5CA5-4162-98A3-D68DA1224A71}:.C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe.@.......@.....@.....@......&.{024AC572-ECAA-4063-9908-1860695C9F95}B.C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe.@.......@.....@.....@......&.{9CE638ED-3BFB-44A7-A289-1CBCB8B565EF}B.C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe.@.......@.....@.....@......&.{36B93333-1BBC-40A5-A331-4B1

C:\Windows\Installer\MSI9182.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	modified
Size (bytes):	1365597
Entropy (8bit):	7.885049843621344
Encrypted:	false
SSDEEP:	24576:ToxaiP/4ZkJ9saZ1QLngiOtU33zuspl4y1VI862IwE:4rwaMgiHnas3PIx/
MD5:	E05B79CCC661E7A6009332D9EABED382
SHA1:	F0E2C8C541F3074C6CE01728CDECBE2A037D7F0F
SHA-256:	1CE46E7CD66D98DFDE0F9B718D983A81E5EED366C59A782478465C13897788CA
SHA-512:	E94F8DA21EF200A7D1BEB4CE043644F923350D787174C2CF5A0068E00562AAA5CC27B903C5957504F53001259E65B6A8EFB40C920388A626ABC0FA37C8CAE341
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.&...&...&...&...&...&...&...&..&...&...&...&...&...&C..&...&c..&...&...&i..&.O.&...&...&...&^..&...&f..&...&Rich...&........................PE..L.....ZH...........!.........................................................0..........................................[;................................... .......................................................................................text...................PEC2.O......`....rsrc....P.......J.................. ....reloc....... ......................@...........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{5D00ED55-C696-4760-A65D-39DCD0EDE479}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.163212679870779
Encrypted:	false
SSDEEP:	12:JSbX72Fj2iAGiLIlHVRpth/7777777777777777777777777vDHFq9UP8JpSl0i5:J3QI5p49UaF
MD5:	6CE3413EC5F6AAF48537DDB17FA0A259
SHA1:	4E0DEDC1EF392FF14F1C754890937F10FB99CE75
SHA-256:	3F37460F964E5E1477D2FDC5070658194EE9D985B7B46D6DDD110D972E8B737E
SHA-512:	CDB2F28B29B4F4888D9567600EF248A6A8D4188501B8717A8B1EE82EF4B493F1CB514BFA1B54D7A3094D27D050BCD22FDED7A9983A180BC5A0AB7A3E36482827
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.860418098730165
Encrypted:	false
SSDEEP:	48:QE8Ph5uRc06WX4YnT5E9UEX9UcdmdVS8qOd4KUdEgdEOXdpAdEyrsOj6AdhoyE8I:yh51onT6Mnt5Cygybq/t5Cyl
MD5:	42A522C274CD6DD0CA72AA32F3E028FB
SHA1:	C127BF31D5B27C80452E5A13F875E0B8925BACF0
SHA-256:	19E91CA694C80E234B57B36894EAD054606FC803D112B7AB2EA30328FAD7F2DA
SHA-512:	9ACDC9F45967F14000FF49466BC5639C620779E2F0B02CF365CA13ABD21611DF8D78B9ADA92FF7C766925D393F4C26807AF6B1C0BA3ECA0321148C904FA45EA2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\1033.MST

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: ALC700, Author: SmartGen, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Tue Oct 19 14:50:06 2021, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Security: 1, Template: Intel;0,1033,2052, Last Saved By: Intel;1033, Revision Number: {5D00ED55-C696-4760-A65D-39DCD0EDE479}1.0.0.7;{5D00ED55-C696-4760-A65D-39DCD0EDE479}1.0.0.7;{CED3D40B-A811-4F96-A74E-332E4E6679FE}, Number of Pages: 200, Number of Characters: 1
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	4.992073369219857
Encrypted:	false
SSDEEP:	1536:pzz3jVueCA1PPRG4rZ+4ulvTYhm0DITjybvq7vB:pz7jHR7+flvTYhm0DI2vq7vB
MD5:	38CC80C36628B9A229939867909C9A11
SHA1:	201C0DE0CC2B516BFD0CB93136080C022294135E
SHA-256:	0C04F5F65AF9454B670C60983ABBCA9228192583139A4505C0BA81D324C73391
SHA-512:	6A91018020F4C08F12DE4A219FDD9B5C5E443790D50C22B73C67A1A9CE2B14A1A3A482D9AE36B1F1D48666B158997F261CBB250CDBE632CB695BADF97E838096
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	3.966422917137232
Encrypted:	false
SSDEEP:	384:ivFMAyDlOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZqmx:AMAyAdTmPJbgqcnDcomx
MD5:	C02C7033E930D6E022313782604E5447
SHA1:	6BA0653AD89D403953039E83C08B5B009AAC71D6
SHA-256:	8E37C1FB8EAABBFB51434B57989D5C1ED3C2414D27F183DB7D2AC214B7213456
SHA-512:	B02BCBAD7F5CD406A8FCF46598B88284DE1F6FAF8084E030FE5BD524D8134EAFB9FA8B5CEBB8E42359E1D951BC37AC5A68FFA6152C6D2256A93DB168A4F586B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.'.'.'...'.'...'.'q..'...'.'..'...'.'...'...'5..'.'Rich.'........PE..L....'%H.................@...P...............P....@.........................................................................4T..(.......d............................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...d...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	3.966422917137232
Encrypted:	false
SSDEEP:	384:ivFMAyDlOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZqmx:AMAyAdTmPJbgqcnDcomx
MD5:	C02C7033E930D6E022313782604E5447
SHA1:	6BA0653AD89D403953039E83C08B5B009AAC71D6
SHA-256:	8E37C1FB8EAABBFB51434B57989D5C1ED3C2414D27F183DB7D2AC214B7213456
SHA-512:	B02BCBAD7F5CD406A8FCF46598B88284DE1F6FAF8084E030FE5BD524D8134EAFB9FA8B5CEBB8E42359E1D951BC37AC5A68FFA6152C6D2256A93DB168A4F586B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.'.'.'...'.'...'.'q..'...'.'..'...'.'...'...'5..'.'Rich.'........PE..L....'%H.................@...P...............P....@.........................................................................4T..(.......d............................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...d...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.354031598312116
Encrypted:	false
SSDEEP:	384:+vFMAyDlOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZWNeLNek+vDFNe+fmh:cMAyAdTmPJbgqcnDc4mh
MD5:	906F5592CD68267E58456B6260F07320
SHA1:	A2674D68C8DEA3C09EFA749BA56968DA1665A21E
SHA-256:	B9E3BC7E23FABD4D4E662650E7D9AAEA36C882985A39DEE43223469ABC4115C9
SHA-512:	C42029DA45EB1745FD8F185CAA13980F63B688AF2E3079D057AA659E437EC63C3DE7FE49A0D722A4BE7105769E8D38607053040BC1D197922ABBDF894938F08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.'.'.'...'.'...'.'q..'...'.'..'...'.'...'...'5..'.'Rich.'........PE..L....'%H.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.309919843293857
Encrypted:	false
SSDEEP:	384:CvFMAyDlOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZCwQE3vGYksuektm6yysZMG:gMAyAdTmPJbgqcnDcswQE/RkHRRmB
MD5:	BB4AD1CE37EF839C56FCAC7EB5BEB077
SHA1:	C1E8FAB90007262729E08438625A73E0CE76298D
SHA-256:	A62B27A9DC4B32E5086D4BC74C0F8C287A4D2B2A2ED3081838EEDB17B291CA7B
SHA-512:	8F0C317C7C80309A74EA7D609FDE4F6AB3F5E2715A573A5958109456E332EA7684237281EB1EEAAFA37FC785873F25B8820195918AF415FB1D5AF66085F1893B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.'.'.'...'.'...'.'q..'...'.'..'...'.'...'...'5..'.'Rich.'........PE..L....'%H.................@...p...............P....@.........................................................................4T..(........+...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....+.......0..................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375170005559992
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauj:zTtbmkExhMJCIpErC
MD5:	9272BE25BB068D49A17DA13D6393D39A
SHA1:	7C1EBC4707CC86EE2E83D34755EF8C6EDE9E9C4F
SHA-256:	1CEF081674FDD543D2F892B91AEC87EC0DFC24EE23C29D425A31A2D5E51427C1
SHA-512:	F8D274F73937A7D1396ED84CC14565AE2FBBC3906A60658702C592615EB9AC75437E9A340D7F3B360ACF11162AF311678A18AE80129646CEC0F33B51989B728C
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0A03C8DBDD894B57.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.31385104289721305
Encrypted:	false
SSDEEP:	48:mIzdmdVSB29UJqOd4KUdEgdEOXdpAdEyr19UcdmdVS8qOd4KUdEgdEOXdpAdEyru:mPq/t5Cy2nt5Cygy1
MD5:	629040F1A5C9C6C1E572D9F108A4AC2D
SHA1:	0B8294E5168B6EEA98D2A2059015F5B928E48EA9
SHA-256:	A74DF41CBA8ECCAC8C26057B5F036C0DE270015B16AA70133465DD8F164C63EA
SHA-512:	E61E2EBADC61BE7925DAFF798FCF1532242754D1BC68C688003DCEC823BC9ACF1848B89E4C650F882FD146BA23E8C2F496188A8CE21E915B9FEA0D3C59498A0C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1977DAE82FAA2FEE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.860418098730165
Encrypted:	false
SSDEEP:	48:QE8Ph5uRc06WX4YnT5E9UEX9UcdmdVS8qOd4KUdEgdEOXdpAdEyrsOj6AdhoyE8I:yh51onT6Mnt5Cygybq/t5Cyl
MD5:	42A522C274CD6DD0CA72AA32F3E028FB
SHA1:	C127BF31D5B27C80452E5A13F875E0B8925BACF0
SHA-256:	19E91CA694C80E234B57B36894EAD054606FC803D112B7AB2EA30328FAD7F2DA
SHA-512:	9ACDC9F45967F14000FF49466BC5639C620779E2F0B02CF365CA13ABD21611DF8D78B9ADA92FF7C766925D393F4C26807AF6B1C0BA3ECA0321148C904FA45EA2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1D53A54144DF13F6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06997672544907434
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOq9bwPekQVky6lS:2F0i8n0itFzDHFq9UPpS
MD5:	714771D13BD9E345F6AB8FB938D8C5D3
SHA1:	3D8B5E556199F2C6ECE5871054F8FB52024AAC03
SHA-256:	C1B68AA7E1649673C7E8B55B23F7E6B2DFC9980D038A328C5C62E5F49A79980D
SHA-512:	C4CCCE57C03C10D5F50C4B7CCE9C58FAA721B5FC2F518F7770CD2D53B2D58011B6294C791029000C8DBB8698F063E9BBF59E6329A7DDB67F66CD3DB149DFF02D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF30F00352CB7F7E14.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF52B9ED4F7A4B2B4D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.860418098730165
Encrypted:	false
SSDEEP:	48:QE8Ph5uRc06WX4YnT5E9UEX9UcdmdVS8qOd4KUdEgdEOXdpAdEyrsOj6AdhoyE8I:yh51onT6Mnt5Cygybq/t5Cyl
MD5:	42A522C274CD6DD0CA72AA32F3E028FB
SHA1:	C127BF31D5B27C80452E5A13F875E0B8925BACF0
SHA-256:	19E91CA694C80E234B57B36894EAD054606FC803D112B7AB2EA30328FAD7F2DA
SHA-512:	9ACDC9F45967F14000FF49466BC5639C620779E2F0B02CF365CA13ABD21611DF8D78B9ADA92FF7C766925D393F4C26807AF6B1C0BA3ECA0321148C904FA45EA2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF94BDC4D5941909B3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2169581157005103
Encrypted:	false
SSDEEP:	48:OEBu0vhPIFX4/T53Usy09UEX9UcdmdVS8qOd4KUdEgdEOXdpAdEyrsOj6AdhoyEB:TBTIcT5lnMnt5Cygybq/t5Cyl
MD5:	17A5AA457B9EEFE17E2EEC212455BF57
SHA1:	F8482A2D8C0BB4A40DE53DCED43EEF70B0699165
SHA-256:	1C4B45CD3BB7EDF78F0D1C4FC06B954BFBFF2707E96BA7C4C5FC06C2CE3AEB11
SHA-512:	44947749EF495549618EA4F5E80A93EDFD9EAFCD45332375854711426C44E754962BECDEB990A880153FF426B82E479ED7DABFCB43E4F3EED20613E7EC1FEF9D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9D9F112D9FDF7BF3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA2E90CB6B7A60683.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2169581157005103
Encrypted:	false
SSDEEP:	48:OEBu0vhPIFX4/T53Usy09UEX9UcdmdVS8qOd4KUdEgdEOXdpAdEyrsOj6AdhoyEB:TBTIcT5lnMnt5Cygybq/t5Cyl
MD5:	17A5AA457B9EEFE17E2EEC212455BF57
SHA1:	F8482A2D8C0BB4A40DE53DCED43EEF70B0699165
SHA-256:	1C4B45CD3BB7EDF78F0D1C4FC06B954BFBFF2707E96BA7C4C5FC06C2CE3AEB11
SHA-512:	44947749EF495549618EA4F5E80A93EDFD9EAFCD45332375854711426C44E754962BECDEB990A880153FF426B82E479ED7DABFCB43E4F3EED20613E7EC1FEF9D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBCB122F4AFD23E5B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBDE20FD5B199383A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2169581157005103
Encrypted:	false
SSDEEP:	48:OEBu0vhPIFX4/T53Usy09UEX9UcdmdVS8qOd4KUdEgdEOXdpAdEyrsOj6AdhoyEB:TBTIcT5lnMnt5Cygybq/t5Cyl
MD5:	17A5AA457B9EEFE17E2EEC212455BF57
SHA1:	F8482A2D8C0BB4A40DE53DCED43EEF70B0699165
SHA-256:	1C4B45CD3BB7EDF78F0D1C4FC06B954BFBFF2707E96BA7C4C5FC06C2CE3AEB11
SHA-512:	44947749EF495549618EA4F5E80A93EDFD9EAFCD45332375854711426C44E754962BECDEB990A880153FF426B82E479ED7DABFCB43E4F3EED20613E7EC1FEF9D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC290CCCBE57CD37A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD1C911DFE2E432B6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99583115077937
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ALC700V1.0.0.7a.exe
File size:	17'546'140 bytes
MD5:	44a0ff24ec7706b11ad67c11c0afc666
SHA1:	70c7ececcf65c4cc292f4e3afbc3e8e4d2ff2d4f
SHA256:	8051763b55989582af9a7918644077623332b3f6298c4ae2399f4c2f1430d8ae
SHA512:	34478178f5c508c9334d1ad27817a4d5d0180a25a3dd5527bf57439495743e62d8a960de51f792f9c10717bb0c1788fb6c89bd2d4e78c785f49503b8c5e4ee9f
SSDEEP:	393216:f4zK0JZjamzcwqfbfqT16Pf3VAYnrZMEQUMDlbPYCk:6K0JtBzcwqjfwIVLFDQll0Ck
TLSH:	09073342B661C1BAE5924470A72E57B6DCB3ADB16D71850BA3F8DC2D3971883C43272F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(.i.l...l...l...j...f.......n.......r...............\|..._.".n.......n.......o...l...8...........j..._.......m...Richl..........

File Icon


Icon Hash:	55497933cc61714d

Static PE Info

General

Entrypoint:	0x432dde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x485B01FF [Fri Jun 20 01:03:59 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	971c5d714683978d6473b9586f0c81c5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0044A0B0h
push 0043584Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00449164h]
xor edx, edx
mov dl, ah
mov dword ptr [00462434h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00462430h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0046242Ch], ecx
shr eax, 10h
mov dword ptr [00462428h], eax
push 00000001h
call 00007F5184DE349Bh
pop ecx
test eax, eax
jne 00007F5184DE1D0Ah
push 0000001Ch
call 00007F5184DE1DC7h
pop ecx
call 00007F5184DE2DA3h
test eax, eax
jne 00007F5184DE1D0Ah
push 00000010h
call 00007F5184DE1DB6h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F5184DE6BC6h
call 00007F5184DE6B20h
mov dword ptr [00463E10h], eax
call 00007F5184DE69A9h
mov dword ptr [0046246Ch], eax
call 00007F5184DE6776h
call 00007F5184DE66B9h
call 00007F5184DE156Eh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00449248h]
call 00007F5184DE665Dh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F5184DE1D08h
movzx eax, word ptr [ebp-2Ch]

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x53ad8	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x13a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x49000	0x4a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x53a68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x47e20	0x48000	ef5da74e1a225c36f5ae791f46469744	False	0.5400763617621528	data	6.607156377905683	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x49000	0xc3ea	0xd000	c8ede1d40e2aec043c9ae64b3fd9f962	False	0.4679424579326923	data	5.278262037372818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56000	0xde24	0x8000	98bbf13118c5feb76f524760aa88055b	False	0.228546142578125	data	2.9066616142632156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x13a18	0x14000	e5fd74dcedc3b4e7ee128fff0a740eb1	False	0.74010009765625	data	7.4433247496028665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
GIF	0x6459c	0x5731	GIF image data, version 89a, 175 x 312			1.0007168137628242
GIF	0x69cd0	0x6592	GIF image data, version 89a, 175 x 312	English	United States	0.9916544881162987
RT_CURSOR	0x70264	0x134	data	English	United States	0.37012987012987014
RT_ICON	0x70398	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.21341463414634146
RT_ICON	0x70a00	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.34139784946236557
RT_ICON	0x70ce8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.5202702702702703
RT_ICON	0x70e10	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.47334754797441364
RT_ICON	0x71cb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.6101083032490975
RT_ICON	0x72560	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.596820809248555
RT_ICON	0x72ac8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.2932572614107884
RT_ICON	0x75070	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.4343339587242026
RT_ICON	0x76118	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7198581560283688
RT_DIALOG	0x76580	0x168	data	English	United States	0.5416666666666666
RT_DIALOG	0x766e8	0x1ea	data	English	United States	0.5122448979591837
RT_DIALOG	0x768d4	0x116	data	English	United States	0.6079136690647482
RT_DIALOG	0x769ec	0xee	data	English	United States	0.6176470588235294
RT_DIALOG	0x76adc	0x114	data	English	United States	0.6195652173913043
RT_DIALOG	0x76bf0	0x1ec	data	English	United States	0.5142276422764228
RT_STRING	0x76ddc	0x7c	data	English	United States	0.6612903225806451
RT_STRING	0x76e58	0x6e	data	English	United States	0.6
RT_STRING	0x76ec8	0xcc	data	English	United States	0.5392156862745098
RT_GROUP_CURSOR	0x76f94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x76fa8	0x84	data	English	United States	0.6363636363636364
RT_VERSION	0x7702c	0x674	data	English	United States	0.2929782082324455
RT_MANIFEST	0x776a0	0x378	XML 1.0 document, ASCII text, with CRLF line terminators			0.46959459459459457

Imports

DLL	Import
VERSION.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteW, CommandLineToArgvW, SHGetMalloc
COMCTL32.dll
KERNEL32.dll	lstrcpyW, GetWindowsDirectoryW, SetErrorMode, GetTempPathW, ExpandEnvironmentStringsW, LockResource, SizeofResource, LoadResource, FindResourceW, GetTickCount, GetExitCodeThread, CreateThread, CopyFileW, InterlockedIncrement, InterlockedDecrement, QueryPerformanceFrequency, CreateEventW, lstrcatW, GetTempFileNameW, CompareStringA, CompareStringW, GetVersionExW, LoadLibraryW, FreeLibrary, GetProcAddress, lstrcmpW, lstrcmpiW, GetSystemDefaultLCID, GlobalHandle, VerLanguageNameW, MoveFileW, SetCurrentDirectoryW, FindClose, FindNextFileW, CompareFileTime, FindFirstFileW, GetSystemTimeAsFileTime, SetFileAttributesW, LocalFree, FormatMessageW, GetSystemInfo, MulDiv, IsValidCodePage, GetVersion, GetModuleHandleW, GetCommandLineW, GetFileAttributesW, IsBadReadPtr, VirtualQuery, lstrcmpiA, FlushFileBuffers, GetDiskFreeSpaceW, GetDriveTypeW, CreateDirectoryW, GetExitCodeProcess, GetCurrentThread, GetLocaleInfoW, QueryPerformanceCounter, SetEvent, ResetEvent, VirtualProtect, CreateProcessW, MultiByteToWideChar, lstrlenW, GetOEMCP, GetACP, SetStdHandle, LoadLibraryA, GetCPInfo, GetStringTypeW, GetStringTypeA, IsBadCodePtr, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, GetCommandLineA, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetVersionExA, GetEnvironmentVariableA, GetModuleFileNameA, TlsGetValue, GetDateFormatA, TlsAlloc, TlsSetValue, GetCurrentThreadId, HeapSize, HeapReAlloc, GetStartupInfoW, GetModuleHandleA, TerminateProcess, RaiseException, RtlUnwind, LeaveCriticalSection, DeleteCriticalSection, InterlockedExchange, InitializeCriticalSection, EnterCriticalSection, lstrcmpA, GetTimeFormatA, CreateFileA, WaitForSingleObject, ExitProcess, GetCurrentProcess, DuplicateHandle, GetThreadContext, VirtualProtectEx, WriteProcessMemory, FlushInstructionCache, SetThreadContext, ResumeThread, DeleteFileW, Sleep, RemoveDirectoryW, SetFilePointer, GetProcessHeap, HeapAlloc, HeapFree, WriteFile, lstrcpynW, GetModuleFileNameW, GetLastError, SetLastError, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, lstrlenA, CreateFileW, GetFileSize, GlobalAlloc, CloseHandle, GlobalLock, ReadFile, GlobalUnlock, GlobalFree, SearchPathW, WideCharToMultiByte, SystemTimeToFileTime, LocalAlloc
USER32.dll	GetClassInfoW, UpdateWindow, SetCursor, GetWindow, GetDlgItemTextW, SetFocus, EnableWindow, GetParent, GetWindowTextLengthW, GetWindowTextW, MoveWindow, SetWindowTextW, GetWindowPlacement, DestroyIcon, GetDlgCtrlID, FillRect, GetSysColor, GetSysColorBrush, IsDialogMessageW, SendMessageW, GetWindowRect, GetSystemMetrics, SetRect, FindWindowW, IntersectRect, SubtractRect, IsWindow, DestroyWindow, wvsprintfW, WaitForInputIdle, GetWindowLongW, BeginPaint, EndPaint, SetWindowLongW, GetClientRect, ClientToScreen, SetWindowPos, GetWindowDC, EndDialog, GetDlgItem, ShowWindow, GetDesktopWindow, wsprintfW, MsgWaitForMultipleObjects, PeekMessageW, MessageBoxW, CreateDialogIndirectParamW, CreateDialogParamW, DialogBoxIndirectParamW, DialogBoxParamW, DefWindowProcW, PostMessageW, KillTimer, PostQuitMessage, SetTimer, LoadIconW, LoadCursorW, RegisterClassW, CreateWindowExW, GetMessageW, TranslateMessage, DispatchMessageW, GetDC, ReleaseDC, LoadStringW, CharPrevW, ExitWindowsEx, SendDlgItemMessageW, CharNextW, CharUpperW, DrawIcon
GDI32.dll	CreateFontW, GetTextExtentPoint32W, SetBkMode, SetTextColor, GetObjectW, CreateFontIndirectW, CreateSolidBrush, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, DeleteObject, GetStockObject, GetSystemPaletteEntries, CreatePalette, GetDeviceCaps, SelectPalette, RealizePalette, CreateDIBitmap, TranslateCharsetInfo
ADVAPI32.dll	RegOpenKeyW, RegQueryValueExA, RegOpenKeyExA, OpenThreadToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
ole32.dll	CLSIDFromProgID, CoInitializeSecurity, CoUninitialize, CoInitialize
OLEAUT32.dll	VariantChangeType, VariantClear, SysAllocString, SysStringLen, SysReAllocStringLen, GetErrorInfo, SysFreeString, SysAllocStringLen
RPCRT4.dll	RpcStringFreeW, UuidToStringW, UuidCreate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:05:03
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ALC700V1.0.0.7a.exe"
Imagebase:	0x400000
File size:	17'546'140 bytes
MD5 hash:	44A0FF24EC7706B11AD67C11C0AFC666
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:05:14
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe"
Imagebase:	0x1e0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:05:14
Start date:	27/05/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d1bd0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:05:31
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding AE1C5CB6EAA2F7204ACFFD8FF0580D22
Imagebase:	0x1e0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:05:33
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECFD35B4-EE7C-4A3E-8C20-772B5E9C8DE7}
Imagebase:	0x140000000
File size:	117'560 bytes
MD5 hash:	2A276BA2B7782476302C59D0F760F4BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00416379 Relevance: 44.8, APIs: 4, Strings: 21, Instructions: 1067windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,00000000,00000001), ref: 00416598

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Strings

Attempting to get MSI 3.0 redist instead, xrefs: 004166FB, 00416722
MSI 3.1 to be installed, was not installed with redist package, xrefs: 004163E5, 0041640F
2, xrefs: 004169D8
<cE, xrefs: 00416EC4, 00416F5F
Attempting to get file '%s' for MSI engine install, xrefs: 004165DD
Delaying redist reboot..., xrefs: 004171CC, 004171F3
Startup, xrefs: 00416EE2, 00416F7C
Ph|uE, xrefs: 004163D7
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp, xrefs: 004163D8, 004165B3, 004165BA, 00416652, 004166EF, 00416807, 00416FF1, 004171BC
Failed to get file, xrefs: 0041665E, 00416688
PackageName, xrefs: 00416B3B
Got file '%s' for MSI engine install, xrefs: 0041682E
Ph|uE, xrefs: 00416FF0
instmsi30.exe, xrefs: 0041675F, 0041676F
Ph|uE, xrefs: 004171BB
PackageCode, xrefs: 00416A22
), xrefs: 004172F0
toE, xrefs: 00416E91, 00416F2B
SuppressReboot set to Yes or MSI not being installed, suppressing reboot, xrefs: 00417001, 00417021
WindowsInstaller-KB893803-x86.exe, xrefs: 00416521
InstallSource, xrefs: 00416BA5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$FreeH_prologMessageSendString
String ID: )$2$<cE$Attempting to get MSI 3.0 redist instead$Attempting to get file '%s' for MSI engine install$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp$Delaying redist reboot...$Failed to get file$Got file '%s' for MSI engine install$InstallSource$MSI 3.1 to be installed, was not installed with redist package$PackageCode$PackageName$Ph|uE$Ph|uE$Ph|uE$Startup$SuppressReboot set to Yes or MSI not being installed, suppressing reboot$WindowsInstaller-KB893803-x86.exe$instmsi30.exe$toE
API String ID: 825797918-1259720571
Opcode ID: f1ccbee24ba9cefc957b7f8053c437dacdb8be8320a63eda37f4245e49b2ad0c
Instruction ID: cb5dc112a0bb332364fb31fdab362bf53fcacc235cb4a243ee22d397783af591
Opcode Fuzzy Hash: f1ccbee24ba9cefc957b7f8053c437dacdb8be8320a63eda37f4245e49b2ad0c
Instruction Fuzzy Hash: A692E570E04248AEDF25DBA5C955BEE77B8AF04304F1040AEF405B7292DB789E84DF59

Function 00417A58 Relevance: 39.3, APIs: 4, Strings: 18, Instructions: 781stringtimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417A5D

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

Part of subcall function 00407AFA: __EH_prolog.LIBCMT ref: 00407AFF

Part of subcall function 004282A3: __EH_prolog.LIBCMT ref: 004282A8

lstrlenW.KERNEL32(?,00000000,?,00000000), ref: 00417BD2
wsprintfW.USER32 ref: 00417D29

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041840E

Strings

%s /j%s "%s" %s, xrefs: 00417F67
ISSCRIPTCMDLINE, xrefs: 00417BFE, 00417C03, 00417C0D
<cE, xrefs: 00418214
%s="%s" %s="%s", xrefs: 00417D23
ISSCRIPTCMDLINE=", xrefs: 00417C70
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp, xrefs: 0041805B, 0041812A
Startup, xrefs: 00418238
%s /p "%s" %s, xrefs: 00417E5B
Failed to locate ISSetup.dll (%s), xrefs: 0041814E
\, xrefs: 00417BD8
`bE, xrefs: 004181E0
ProductCode, xrefs: 00418201
%s /f%s "%s" %s, xrefs: 00417FD7
%s /i "%s" %s, xrefs: 00417E21
MsiAction::InstallMsi - calling Reboot, xrefs: 00418068, 0041808F
%s /x "%s" %s, xrefs: 00417F0A
/p"%s" %s, xrefs: 00417EA3
%s /a "%s"%s, xrefs: 00418024

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLast$Time$FileFreeStringSystemlstrlenwsprintf
String ID: %s /a "%s"%s$%s /f%s "%s" %s$%s /i "%s" %s$%s /j%s "%s" %s$%s /p "%s" %s$%s /x "%s" %s$%s="%s" %s="%s"$/p"%s" %s$<cE$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp$Failed to locate ISSetup.dll (%s)$ISSCRIPTCMDLINE$ISSCRIPTCMDLINE="$MsiAction::InstallMsi - calling Reboot$ProductCode$Startup$\$`bE
API String ID: 1081951222-2661428944
Opcode ID: 367698356f1981f95aa786e84b82fed1c918400829474ac363123ba57f278da2
Instruction ID: 0cc62542e4f18558e70b52558c2b5d0aee065dbf3e006b1320eadfefd9ed4d03
Opcode Fuzzy Hash: 367698356f1981f95aa786e84b82fed1c918400829474ac363123ba57f278da2
Instruction Fuzzy Hash: FE62D871E042189BDF24DB65CC45BEFB7B8AF14304F1441AFE905A3292EB789E85CB58

Function 004292D3 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 248
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004292D8
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00429381
GetModuleHandleW.KERNEL32(Advapi32,CreateWellKnownSid), ref: 0042939F
GetProcAddress.KERNEL32(00000000), ref: 004293A2
GetModuleHandleW.KERNEL32(advapi32,SetEntriesInAclW), ref: 00429520
GetProcAddress.KERNEL32(00000000), ref: 00429523
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00429564
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 0042957A
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0042958E
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00002000,00000000), ref: 004295AA

Strings

CreateWellKnownSid, xrefs: 00429395
SetEntriesInAclW, xrefs: 0042948C
Advapi32, xrefs: 0042939A
advapi32, xrefs: 00429491

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Security$Descriptor$AddressHandleInitializeModuleProc$DaclGroupH_prologOwner
String ID: Advapi32$CreateWellKnownSid$SetEntriesInAclW$advapi32
API String ID: 2282191576-1508711180
Opcode ID: e1b37f634010a70a87fde01dd2e22f622a981e8f2e478a18f7742409377c3abd
Instruction ID: 9ae581a2949c636bb824146f9b2761033c12138eb34236adfb67cd5e6331b165
Opcode Fuzzy Hash: e1b37f634010a70a87fde01dd2e22f622a981e8f2e478a18f7742409377c3abd
Instruction Fuzzy Hash: 82A1CAB1E01229AFDF21CF99DC85ADEBBB9BB48700F5045AAE109E6240D7705E84CF65

Function 00403D56 Relevance: 19.6, APIs: 13, Instructions: 113
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileSize.KERNEL32(?,00000000,004494FC,?,00000000,?,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?), ref: 00403D66
GetProcessHeap.KERNEL32(00000008,00000001,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403D8C
RtlAllocateHeap.NTDLL(00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403D8F
ReadFile.KERNELBASE(?,004494FC,00000000,00000000,00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403DB2
lstrlenA.KERNEL32(004494FC,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403DC3
MultiByteToWideChar.KERNEL32(00000000,00000000,004494FC,000000FF,?,00000001,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?), ref: 00403DEA
GetProcessHeap.KERNEL32(00000008,00000003,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E16
RtlAllocateHeap.NTDLL(00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E19
ReadFile.KERNELBASE(?,004494FC,00000000,00000000,00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E38
GetProcessHeap.KERNEL32(00000000,004494FC,004494FC,00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E5B
HeapFree.KERNEL32(00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E5E
GetProcessHeap.KERNEL32(00000000,004494FC,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E69
HeapFree.KERNEL32(00000000,?,0040308F,000000FF,?,?,00000000,000000FF,?,004494FC,?,00000000), ref: 00403E6C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Heap$Process$File$AllocateFreeRead$ByteCharMultiSizeWidelstrlen
String ID:
API String ID: 2139962152-0
Opcode ID: 7aa33fd9d13ac01566d945fea194c7ae640ba9809c6c067bc374bc69ff7aaabb
Instruction ID: 29dc9bbd437a8ef762931ff7d52bb814acb0f48cdadbe7be556535590b9fb2a4
Opcode Fuzzy Hash: 7aa33fd9d13ac01566d945fea194c7ae640ba9809c6c067bc374bc69ff7aaabb
Instruction Fuzzy Hash: 8E3138B5500109BBDB009FA5DC88DAB7BACFF49364B00896AF919D72A0C7349E04DB68

Function 0041946E Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00419473

Part of subcall function 0042CCC0: lstrcpyW.KERNEL32(00000000,0045D464), ref: 0042CCE0
Part of subcall function 0042CCC0: lstrcpyW.KERNEL32(?,0045D464), ref: 0042CCE6
Part of subcall function 0042CCC0: GetFileVersionInfoSizeW.VERSION(004494FC,?), ref: 0042CCEF
Part of subcall function 0042CCC0: GetFileVersionInfoW.VERSION(004494FC,00000000,00000000,004494FC,?,?,004494FC,?), ref: 0042CD1A
Part of subcall function 0042CCC0: VerQueryValueW.VERSION(004494FC,00457BB8,004494FC,00449504,00000000,00000000,004494FC,?,?,004494FC,?), ref: 0042CD4F
Part of subcall function 0042CCC0: wsprintfW.USER32 ref: 0042CD79
Part of subcall function 0042CCC0: VerQueryValueW.VERSION(004494FC,\VarFileInfo\Translation,004494FC,00449504,00457BB8,004494FC,00449504,00000000,00000000,004494FC,?,?,004494FC,?), ref: 0042CDA3

Part of subcall function 0042D5F7: lstrcpyW.KERNEL32(?,004494C4), ref: 0042D626
Part of subcall function 0042D5F7: lstrcpyW.KERNEL32(?,?), ref: 0042D632

Part of subcall function 00427BCA: __EH_prolog.LIBCMT ref: 00427BCF

GetVersionExW.KERNEL32(?,?,?,00000000,004494FC,00449504), ref: 0041953A
GetTempPathW.KERNEL32(00000400,?,?,?,00000000,004494FC,00449504), ref: 004195CA
GetWindowsDirectoryW.KERNEL32(?,00000400,?,?,00000000,004494FC,00449504), ref: 004195EF

Part of subcall function 0042C78E: __EH_prolog.LIBCMT ref: 0042C793

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Strings

SupportOSMsi30, xrefs: 0041954E
<cE, xrefs: 0041966B
Startup, xrefs: 0041968A
SupportOS, xrefs: 00419565, 0041956B
ToE, xrefs: 0041963F
Msi.DLL, xrefs: 004194C2
SupportOSMsi12, xrefs: 0041955E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$H_prologVersion$ErrorFileInfoLastQueryValue$DirectoryFreePathSizeStringTempWindowswsprintf
String ID: <cE$Msi.DLL$Startup$SupportOS$SupportOSMsi12$SupportOSMsi30$ToE
API String ID: 1016612653-1824477295
Opcode ID: 78121ca67bf9d4b317e7f4c7a5bf41ebc6c23534173f05348ba980863d2000af
Instruction ID: 2513bb9a3cd71393e1dca1aeadbc4acb24c7b5f4288843936bfc91aab9877638
Opcode Fuzzy Hash: 78121ca67bf9d4b317e7f4c7a5bf41ebc6c23534173f05348ba980863d2000af
Instruction Fuzzy Hash: 1291E571900219AADF20DB65CC55BEFB7B8AF51318F1040BFE409A3291DB789EC5CB59

Function 0042CE90 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 89librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KERNEL32,00000000,00000000,?,0042CE79,?,?,?,0042D0A7,00000000,?,?,?,?,00406BBB,00000003), ref: 0042CEAE
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExW), ref: 0042CEC6
lstrcpyW.KERNEL32(?,?), ref: 0042CEDC

Part of subcall function 0042D3E9: CharNextW.USER32(00000000,0042D416,74E2F860,74E2F860,00000000,00424A83,?,74E2F860,00000000), ref: 0042D3F4

GetDiskFreeSpaceExW.KERNELBASE(?,Oj@,00000400,00000000,?,?,?,0042CE79,?,?,?,0042D0A7,00000000,?), ref: 0042CF11

Part of subcall function 0042D1B1: CharNextW.USER32(?,004494FC,00000104,00000000,0042D365,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104), ref: 0042D1C7
Part of subcall function 0042D1B1: CharPrevW.USER32(?,?,004494FC,00000104,00000000,0042D365,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104), ref: 0042D1D1
Part of subcall function 0042D1B1: CharNextW.USER32(00000000,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D1EA
Part of subcall function 0042D1B1: CharNextW.USER32(00000000,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D1F2

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,0000044F,?,?,0042CE79,?,?,?,0042D0A7,00000000,?), ref: 0042CF73
FreeLibrary.KERNEL32(00000000,?,?,0042CE79,?,?,?,0042D0A7,00000000,?,?,?,?,00406BBB,00000003,00000000), ref: 0042CF97

Strings

Oj@, xrefs: 0042CF06, 0042CF09
KERNEL32, xrefs: 0042CEA4
GetDiskFreeSpaceExW, xrefs: 0042CEC0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Char$Next$Free$DiskLibrarySpace$AddressLoadPrevProclstrcpy
String ID: GetDiskFreeSpaceExW$KERNEL32$Oj@
API String ID: 711836960-433467056
Opcode ID: b4363bd918ab4e5331a3156ecad98befe9a0a6dd8c0cf5671c7edcd1e5fa001d
Instruction ID: 2dc1e359d9ae575559be0742e28b99559eef3bd8efdd228cea8c9ec57e62f75a
Opcode Fuzzy Hash: b4363bd918ab4e5331a3156ecad98befe9a0a6dd8c0cf5671c7edcd1e5fa001d
Instruction Fuzzy Hash: F13106B5E00219EACF10DFA5D9849DEB7FCEF48310F108096E455E3250EB74DA84CBA9

Function 0040B42F Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 0040B440
SizeofResource.KERNEL32(?,00000000), ref: 0040B44C
LoadResource.KERNEL32(?,00000000), ref: 0040B458
LockResource.KERNEL32(00000000), ref: 0040B45F

Part of subcall function 0040B2D1: __EH_prolog.LIBCMT ref: 0040B2D6
Part of subcall function 0040B2D1: GetWindowDC.USER32(00000000,?,?,00000000,00000000), ref: 0040B3B6
Part of subcall function 0040B2D1: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0040B3D1

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Resource$BitmapCreateFindH_prologLoadLockSizeofWindow
String ID:
API String ID: 3578310943-0
Opcode ID: 058dfc93c314bbc60b845a6aa8a8f5e396f2098ae250160391ef635dbd8200fd
Instruction ID: b7ab9d5804bd26e38a9fba174602842cc1bdd1db64a2e493fd4047c640a90050
Opcode Fuzzy Hash: 058dfc93c314bbc60b845a6aa8a8f5e396f2098ae250160391ef635dbd8200fd
Instruction Fuzzy Hash: 6FE0ED36101118BFDB012F95EC48CAF7F6DEF4A2A17044136FA0986120CB724C62ABA4

Function 00423496 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,?,?), ref: 004234C3
GetSystemInfo.KERNELBASE(?), ref: 00423503

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: InfoSystemVersion
String ID:
API String ID: 1934062620-0
Opcode ID: 6b72a27e59edcebaafb3446c15b52503e5aef01418b47b544aef58e1fa491afe
Instruction ID: 54bd907f773ba7683f48e5dc4a48a34c660f67c041b5d76e70a4fa99ad0d4535
Opcode Fuzzy Hash: 6b72a27e59edcebaafb3446c15b52503e5aef01418b47b544aef58e1fa491afe
Instruction Fuzzy Hash: 5E211DB4E00229EBCF14DF95E8457EEBBB4FB44716F90005BA509A6390D77C8B80CB95

Function 00429928 Relevance: 78.2, APIs: 17, Strings: 27, Instructions: 1169COMMON

Download Yara Rule

APIs

Part of subcall function 0042AB4B: __EH_prolog.LIBCMT ref: 0042AB50
Part of subcall function 0042AB4B: SysAllocString.OLEAUT32(?), ref: 0042AC4A
Part of subcall function 0042AB4B: SysStringLen.OLEAUT32(00000000), ref: 0042AC5D
Part of subcall function 0042AB4B: SysFreeString.OLEAUT32(00000000), ref: 0042AC68

wsprintfW.USER32 ref: 00429AE0
CoUninitialize.OLE32(?,00000001), ref: 0042A8C9

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 004085AE: SysStringLen.OLEAUT32(?), ref: 004085BC
Part of subcall function 004085AE: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 004085D8

Part of subcall function 0042AB4B: SysFreeString.OLEAUT32(00000000), ref: 0042AC9F

CoUninitialize.OLE32(?,00000001,00000001,?,?,?), ref: 0042AAAA

Strings

Relaunching setup from temp, xrefs: 0042A797, 0042A7BE
PhHmE, xrefs: 0042A43B
count, xrefs: 0042A43C
V0, xrefs: 0042A80B
Startup, xrefs: 0042A31C
ISSetup.dll, xrefs: 0042A1B5
%s /q"%s" /tempdisk1folder"%s" %s, xrefs: 0042A72A
=, xrefs: 0042AA51
gB, xrefs: 0042A321
Running as remove major upgrade, xrefs: 004299D7, 004299FC
_&, xrefs: 0042A941
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00429E3A, 0042A68D, 0042A6A8
removeasmajorupgrade, xrefs: 00429985
tempdisk1folder, xrefs: 00429CFA
%s%s, xrefs: 00429B60
Languages, xrefs: 0042A441, 0042A48C
setup.isn, xrefs: 0042A343
Skin, xrefs: 0042A317
key%d, xrefs: 0042A474
Setup returning %d, xrefs: 0042AA3D
%s\%04x.mst, xrefs: 0042A57D, 0042A5A4
ISSetup.dll, xrefs: 0042A207, 0042A226
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp, xrefs: 004299C7, 0042A787, 0042AA0A
=, xrefs: 0042A9E5
BA, xrefs: 0042A446
%s %s, xrefs: 00429ADA
%s\0x%04x.ini, xrefs: 0042A4C9, 0042A4F0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$AllocErrorFreeH_prologLastUninitialize$wsprintf
String ID: %s %s$%s /q"%s" /tempdisk1folder"%s" %s$%s%s$%s\%04x.mst$%s\0x%04x.ini$=$=$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$ISSetup.dll$ISSetup.dll$Languages$PhHmE$Relaunching setup from temp$Running as remove major upgrade$Setup returning %d$Skin$Startup$V0$count$key%d$removeasmajorupgrade$setup.isn$tempdisk1folder$BA$_&$gB
API String ID: 2878480724-1082440967
Opcode ID: b6b55c25a0483c15b753fa5e733fdaad513588fe598aa349af44ca63030c0061
Instruction ID: 853fde3b754f06eb2960b8793ed040eec479946b84e5395bf2f72db35bde8a47
Opcode Fuzzy Hash: b6b55c25a0483c15b753fa5e733fdaad513588fe598aa349af44ca63030c0061
Instruction Fuzzy Hash: B4B2A170900158EEDF15EBA5C995BEEBBB8AF14308F5040EAE40573292DB785F88DF25

Function 00411BFC Relevance: 73.8, APIs: 40, Strings: 2, Instructions: 333
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetBkMode.GDI32(?,00000001), ref: 00411C67
GetDlgCtrlID.USER32(?), ref: 00411C70
GetStockObject.GDI32(00000005), ref: 00411C86
SendMessageW.USER32(00000405,00000000,00000000), ref: 00411CC7
PostMessageW.USER32(00000000,00008032,00000000,00000000), ref: 00411D1E
LoadCursorW.USER32(00000000,00000068), ref: 00411D42
SetTimer.USER32(?,000003E9,000000FA,00000000), ref: 00411D9A
GetDlgItem.USER32(?,000003E9), ref: 00411DA8
GetDlgItem.USER32(?,000003EB), ref: 00411DB3
GetDlgItem.USER32(?,000003EA), ref: 00411DBE
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00411DCF
GetDlgItem.USER32(?,000003EE), ref: 00411E22
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00411E2E
GetObjectW.GDI32(00000000,0000005C,?), ref: 00411E43
GetDC.USER32(?), ref: 00411E4C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00411E58
ReleaseDC.USER32(?,?), ref: 00411E73
GetDlgItem.USER32(?,00000409), ref: 00411FB8
GetClientRect.USER32(00000000,?), ref: 00411FC9
GetClientRect.USER32(?,?), ref: 00411FD2
GetStockObject.GDI32(00000000), ref: 00411FEA
FillRect.USER32(?,?,00000000), ref: 00411FFE
GetSysColor.USER32(0000000F), ref: 00412002
GetSysColorBrush.USER32(00000000), ref: 0041200C
CreateSolidBrush.GDI32(?), ref: 0041201B
FillRect.USER32(?,?,00000000), ref: 00412040
DeleteObject.GDI32(00000000), ref: 00412043
DeleteObject.GDI32 ref: 0041205A
DeleteObject.GDI32 ref: 0041206B
DeleteObject.GDI32 ref: 00412073
DeleteObject.GDI32 ref: 0041207B

Strings

Tahoma, xrefs: 00411E7C, 00411EEE
Cancel, xrefs: 00411DEC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Object$DeleteItem$MessageRect$Send$BrushClientColorFillStock$CapsCreateCtrlCursorDeviceLoadModePostReleaseSolidTimer
String ID: Cancel$Tahoma
API String ID: 1022440210-1246164628
Opcode ID: dad586574ed19e26b07653bb15c5f5da5d021e84eab0981ae31345bbdf9e218d
Instruction ID: 9c148316c7854dbdc92ae4024129896ea139c99c0bb0e6f88c1405913f0032b6
Opcode Fuzzy Hash: dad586574ed19e26b07653bb15c5f5da5d021e84eab0981ae31345bbdf9e218d
Instruction Fuzzy Hash: 2AC16E71940318BFDB11AF70ED49F9B3B68BB09302F10453AF605E61A2E7B88994DB19

Function 0043F320 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 233
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 0043F3AD
CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0043F3E2
GetLastError.KERNEL32 ref: 0043F3F1
GetFileSize.KERNEL32(00000000,00000000), ref: 0043F41A
ReadFile.KERNELBASE(00000000,?,00004000,?,00000000), ref: 0043F439
WriteFile.KERNELBASE ref: 0043F4BD

Strings

1.2.3, xrefs: 0043F34B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$Create$ErrorLastReadSizeWrite
String ID: 1.2.3
API String ID: 3252571261-2310465506
Opcode ID: 180f88bde8277e93bcdab7b9c5df601788a6bea4f2762e2a102b96368ec0f3e8
Instruction ID: 784f271207ed2d8541ac9bb70d0669b97ae7a83115fa57db9f56f42234dc5e93
Opcode Fuzzy Hash: 180f88bde8277e93bcdab7b9c5df601788a6bea4f2762e2a102b96368ec0f3e8
Instruction Fuzzy Hash: BD81AD71A04341ABD320DF25DC80F6BB7E8BB98710F144A2EF95597291D778ED08CB9A

Function 0042B818 Relevance: 25.7, APIs: 17, Instructions: 217
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042B81D
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?), ref: 0042B851
CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000,?,?), ref: 0042B872
GetSystemInfo.KERNELBASE(?,?,?), ref: 0042B8BB
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,?,?,?), ref: 0042B8CF
IsBadReadPtr.KERNEL32(?,000000F8,?,?), ref: 0042B90E
UnmapViewOfFile.KERNEL32(?,?,?), ref: 0042B93A
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?), ref: 0042B946
UnmapViewOfFile.KERNEL32(?,?,?), ref: 0042B95E
CloseHandle.KERNEL32(000000FF,?,?), ref: 0042B982
IsBadReadPtr.KERNEL32(?,000000F8,?,?), ref: 0042B9A1
CloseHandle.KERNEL32(000000FF,?,?), ref: 0042B9C6
UnmapViewOfFile.KERNEL32(?,?,?), ref: 0042B9D8
CloseHandle.KERNEL32(?,?,?), ref: 0042B9E9
FindCloseChangeNotification.KERNELBASE(000000FF,?,?), ref: 0042BA1A
UnmapViewOfFile.KERNEL32(?,?,?), ref: 0042BA2C
CloseHandle.KERNEL32(?,?,?), ref: 0042BA3D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$View$Close$HandleUnmap$CreateRead$ChangeFindH_prologInfoMappingNotificationSystem
String ID:
API String ID: 3525415348-0
Opcode ID: 42eed16ff7cfc72b7566a3600ef2ea5e0b595f3a0e1f22993e9591d264c567a3
Instruction ID: 06371aac16bb75a0747d9e4cd3d8436ef9f55c461369d9daaceeb16c031414c2
Opcode Fuzzy Hash: 42eed16ff7cfc72b7566a3600ef2ea5e0b595f3a0e1f22993e9591d264c567a3
Instruction Fuzzy Hash: 7C812D71E0026AAFCF20AF94DC856BFBBB5FB04310F54456AE611B22A0C7745E80DBD9

Function 00412A22 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 162
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042E42C: __EH_prolog.LIBCMT ref: 0042E431
Part of subcall function 0042E42C: lstrcpyW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI), ref: 0042E455
Part of subcall function 0042E42C: lstrcpyW.KERNEL32(?,0x0409), ref: 0042E460
Part of subcall function 0042E42C: wsprintfW.USER32 ref: 0042E490
Part of subcall function 0042E42C: lstrlenW.KERNEL32(?,?,?,0045D464,?,?,?), ref: 0042E4D4

lstrcmpiW.KERNEL32(?,?,?,00000000,?), ref: 00412AD5
VerLanguageNameW.KERNEL32(?,?,000000FF,?,00000000,?), ref: 00412AFD
lstrcmpiW.KERNEL32(?,?,?,00000000,?), ref: 00412B10
lstrcpyW.KERNEL32(?,?), ref: 00412B35
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00412B4D
SendMessageW.USER32(00000000,00000151,00000000,00000000), ref: 00412B6A
lstrcpyW.KERNEL32(?,Slovenian), ref: 00412BA2
lstrcpyW.KERNEL32(?,?), ref: 00412BC3
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00412BDA
SendMessageW.USER32(00000000,00000151,00000000,00000000), ref: 00412BF3
SendMessageW.USER32(00000000,0000014C,00000000,?), ref: 00412C1D
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00412C31

Strings

Basque, xrefs: 00412B8F
Slovenian, xrefs: 00412B96

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MessageSend$lstrcpy$lstrcmpi$H_prologLanguageNamelstrlenwsprintf
String ID: Basque$Slovenian
API String ID: 834212799-3822051040
Opcode ID: 0649445a6b58fba7235f7bbbb460694b86441e2d90fe7b41d3af3e65c2034207
Instruction ID: 5187decce322ea57020b21bcffb3814abdb5e76744f3b38da91dcf033bb494af
Opcode Fuzzy Hash: 0649445a6b58fba7235f7bbbb460694b86441e2d90fe7b41d3af3e65c2034207
Instruction Fuzzy Hash: A7519EB090011DABEB25CF64CD45BFA77B8FB08310F0006A6F624D21A0E3B49E998B58

Function 00429623 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004292D3: __EH_prolog.LIBCMT ref: 004292D8
Part of subcall function 004292D3: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00429381
Part of subcall function 004292D3: GetModuleHandleW.KERNEL32(Advapi32,CreateWellKnownSid), ref: 0042939F
Part of subcall function 004292D3: GetProcAddress.KERNEL32(00000000), ref: 004293A2

GetCommandLineW.KERNEL32(?,?,00000000), ref: 00429650
CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 00429657

Part of subcall function 0042AAC3: __EH_prolog.LIBCMT ref: 0042AAC8
Part of subcall function 0042AAC3: SysAllocString.OLEAUT32(?), ref: 0042AAD7

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 004085AE: SysStringLen.OLEAUT32(?), ref: 004085BC
Part of subcall function 004085AE: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 004085D8

Part of subcall function 0042AB4B: __EH_prolog.LIBCMT ref: 0042AB50
Part of subcall function 0042AB4B: SysAllocString.OLEAUT32(?), ref: 0042AC4A
Part of subcall function 0042AB4B: SysStringLen.OLEAUT32(00000000), ref: 0042AC5D
Part of subcall function 0042AB4B: SysFreeString.OLEAUT32(00000000), ref: 0042AC68

CoUninitialize.OLE32(?,00000001,00000001,?,?,?), ref: 0042AAAA

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Part of subcall function 0040D5D0: __EH_prolog.LIBCMT ref: 0040D5D5
Part of subcall function 0040D5D0: GetLastError.KERNEL32(74DEE010,?,004494BC,?,0043F04D), ref: 0040D5FD
Part of subcall function 0040D5D0: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,0043F04D), ref: 0040D64A

Part of subcall function 0043EDB0: GetLastError.KERNEL32(?,00000000,00000001), ref: 0043EEA6
Part of subcall function 0043EDB0: SysFreeString.OLEAUT32(?), ref: 0043EED1
Part of subcall function 0043EDB0: SetLastError.KERNEL32(?,?,?,00000000,00000001), ref: 0043EF16

Strings

Running after reboot, xrefs: 00429830, 00429855
runfromtemp, xrefs: 004297D8
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00429631
SSPhlE, xrefs: 004296BA
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp, xrefs: 00429777, 00429820
SSSh<kE, xrefs: 004297E8
debuglog, xrefs: 004296BD
reboot, xrefs: 004297EB
InstallShield setup.exe (Unicode) started, cmdline: %s, xrefs: 004297A7
ShLkE, xrefs: 004297D7

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLastString$H_prolog$AllocFree$CommandLine$AddressArgvDescriptorHandleInitializeModuleProcSecurityUninitialize
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$InstallShield setup.exe (Unicode) started, cmdline: %s$Running after reboot$SSPhlE$SSSh<kE$ShLkE$debuglog$reboot$runfromtemp
API String ID: 280105152-1036724376
Opcode ID: 23ce56feb024e3e40eabc36ab266add3d62b144b1dc4537be53ec2491dae47bc
Instruction ID: 00f673e7f079d02b3f1ffc5aca0ce39552a06b85be7be26362d492dd0b0f3467
Opcode Fuzzy Hash: 23ce56feb024e3e40eabc36ab266add3d62b144b1dc4537be53ec2491dae47bc
Instruction Fuzzy Hash: 45915074900258EEDF11EB65DC45BEDBB78AF14308F5440AFE409A3292DB785F88CB69

Function 0042CCC0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 141
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(00000000,0045D464), ref: 0042CCE0
lstrcpyW.KERNEL32(?,0045D464), ref: 0042CCE6
GetFileVersionInfoSizeW.VERSION(004494FC,?), ref: 0042CCEF
GetFileVersionInfoW.VERSION(004494FC,00000000,00000000,004494FC,?,?,004494FC,?), ref: 0042CD1A
VerQueryValueW.VERSION(004494FC,00457BB8,004494FC,00449504,00000000,00000000,004494FC,?,?,004494FC,?), ref: 0042CD4F
wsprintfW.USER32 ref: 0042CD79
VerQueryValueW.VERSION(004494FC,\VarFileInfo\Translation,004494FC,00449504,00457BB8,004494FC,00449504,00000000,00000000,004494FC,?,?,004494FC,?), ref: 0042CDA3
wsprintfW.USER32 ref: 0042CE0A
wsprintfW.USER32 ref: 0042CE24
lstrcpyW.KERNEL32(?,?), ref: 0042CE37

Strings

%s,%u, xrefs: 0042CE1E
%u.%u.%u.%u, xrefs: 0042CD71
\VarFileInfo\Translation, xrefs: 0042CD9B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpywsprintf$FileInfoQueryValueVersion$Size
String ID: %s,%u$%u.%u.%u.%u$\VarFileInfo\Translation
API String ID: 2127022127-1385173819
Opcode ID: 1c28e33246afccca70606a546fc654cbfece3bb0ad44efab6ca000d2ad8b23d3
Instruction ID: fd6238f49471dce4f271f1799d556efb9df43a6d1b9dc5c37f438150b8eafefe
Opcode Fuzzy Hash: 1c28e33246afccca70606a546fc654cbfece3bb0ad44efab6ca000d2ad8b23d3
Instruction Fuzzy Hash: 0F41AE71900218BBCF11AF55DC45EEF7BB8EF44354F40406AFD08A6252E739AE15DB98

Function 0040B511 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040B53C
GetWindowLongW.USER32(?,000000EB), ref: 0040B555
BeginPaint.USER32(?,?), ref: 0040B565
EndPaint.USER32(?,?), ref: 0040B584
GetWindowLongW.USER32(?,000000EB), ref: 0040B594
ctype.LIBCPMT ref: 0040B5A6
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0040B5CB
GetClientRect.USER32(?,?), ref: 0040B5DB
ClientToScreen.USER32(?,?), ref: 0040B5E8
__ftol.LIBCMT ref: 0040B608
__ftol.LIBCMT ref: 0040B617
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000256), ref: 0040B628

Strings

GIF, xrefs: 0040B62E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$Long$ClientPaint__ftol$BeginProcRectScreenctype
String ID: GIF
API String ID: 1302359729-881873598
Opcode ID: 080e4dee396e1c10163f3419fd558b01c11d4a6737d98aa16dab28858a67e03e
Instruction ID: b8f16b766e960c2e192a78396caea932f0e4301ba39c1a23e569fc87c8b0ea5a
Opcode Fuzzy Hash: 080e4dee396e1c10163f3419fd558b01c11d4a6737d98aa16dab28858a67e03e
Instruction Fuzzy Hash: 20317E36504209BBDF015FA5DC09EAF3B75EB4A724F108626FA21A51E0CB359D01EB9D

Function 0041264D Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 111
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,?), ref: 0041269D

Part of subcall function 0042DD3D: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0042DD53
Part of subcall function 0042DD3D: GetObjectW.GDI32(00000000,0000005C,?), ref: 0042DD5C
Part of subcall function 0042DD3D: CreateFontIndirectW.GDI32(?), ref: 0042DD72
Part of subcall function 0042DD3D: SendMessageW.USER32(?,00000030,00000000,00000000), ref: 0042DD85

Part of subcall function 004130C3: lstrcpyW.KERNEL32(?,004605C8), ref: 00413104

Part of subcall function 00412809: GetDlgItem.USER32(?,000003EE), ref: 00412823
Part of subcall function 00412809: GetWindowTextLengthW.USER32(00000000), ref: 00412839
Part of subcall function 00412809: GetWindowTextW.USER32(00000000,?,000000FF), ref: 00412851
Part of subcall function 00412809: GetDlgItem.USER32(?,000003EF), ref: 0041285B
Part of subcall function 00412809: GetWindowTextLengthW.USER32(00000000), ref: 0041286B
Part of subcall function 00412809: GetWindowTextW.USER32(00000000,?,000000FF), ref: 0041287F
Part of subcall function 00412809: GetDC.USER32(?), ref: 00412884
Part of subcall function 00412809: lstrlenW.KERNEL32(?,?,?), ref: 0041289B
Part of subcall function 00412809: ReleaseDC.USER32(?,00000000), ref: 004128C5
Part of subcall function 00412809: GetWindowRect.USER32(00000000,004564C4), ref: 004128F1

GetDlgItem.USER32(?,00004E21), ref: 0041270B
GetWindowPlacement.USER32(00000000,?), ref: 0041271F
DestroyWindow.USER32(00000000), ref: 00412736

Part of subcall function 0041299B: GetWindowRect.USER32(004127A3,?), ref: 004129AB
Part of subcall function 0041299B: GetParent.USER32(004127A3), ref: 004129C0
Part of subcall function 0041299B: GetSystemMetrics.USER32(00000000), ref: 004129CB
Part of subcall function 0041299B: GetSystemMetrics.USER32(00000001), ref: 004129DC
Part of subcall function 0041299B: MoveWindow.USER32(004127A3,?,?,?,?,00000000,?,?,?,004127A3,?), ref: 00412A14

GetDlgItem.USER32(?,000003ED), ref: 00412742
EndDialog.USER32(?,000000FD), ref: 00412767
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 0041277B
EndDialog.USER32(?,00000001), ref: 00412795

Strings

Title, xrefs: 00412664
,, xrefs: 00412716
Description, xrefs: 004126BA
CANCEL, xrefs: 004126E6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$Text$Item$MessageSend$DialogLengthMetricsRectSystem$CreateDestroyFontIndirectMoveObjectParentPlacementReleaselstrcpylstrlen
String ID: ,$CANCEL$Description$Title
API String ID: 2357140150-3913340754
Opcode ID: 216ff989b6531e076b914f125a4abce23f761d173c1115c27ce4853acde7714c
Instruction ID: 2483c473fe02d2f3e650bc516e02c0908032d22b772de22aa615a1c1489aefd6
Opcode Fuzzy Hash: 216ff989b6531e076b914f125a4abce23f761d173c1115c27ce4853acde7714c
Instruction Fuzzy Hash: 7231B471601211BBE711AB65ED45FEF37ACAB0A705F10002BF901E21E1E7F84A559F6E

Function 00424FE5 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00424FEA

Part of subcall function 004282A3: __EH_prolog.LIBCMT ref: 004282A8

Strings

LATERVERSIONINSTALLED, xrefs: 0042557D
Upgrade check: checking product code %s, xrefs: 0042505D
ONUPGRADE, xrefs: 004254A1
Upgrade check: obtained package code %s from machine, current package code is %s, xrefs: 004251DA
Upgrade check: later product version already installed, xrefs: 00425354, 0042537F
VersionString, xrefs: 004252BA
InstalledProductName, xrefs: 0042544B
PackageCode, xrefs: 00425116
~, xrefs: 0042565B
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp, xrefs: 00425036, 004251AC, 00425344

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp$InstalledProductName$LATERVERSIONINSTALLED$ONUPGRADE$PackageCode$Upgrade check: checking product code %s$Upgrade check: later product version already installed$Upgrade check: obtained package code %s from machine, current package code is %s$VersionString$~
API String ID: 3519838083-871820473
Opcode ID: 17dadcdf453cb57e148766a433061e64b456c35c57a33e14a30ab530698d7a8d
Instruction ID: 09356d78c6d94c83f1c4cc1b3d42c27dd885e66c2a0f2fe833cae861ac518017
Opcode Fuzzy Hash: 17dadcdf453cb57e148766a433061e64b456c35c57a33e14a30ab530698d7a8d
Instruction Fuzzy Hash: 4F120771E00258EEEF14DBA5D945BEEBBB4AF14304F54409FE405B7282DBB89E48CB19

Function 00426671 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426676
wsprintfW.USER32 ref: 004267E1
wsprintfW.USER32 ref: 0042682B

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 0042673B, 00426741, 00426774
key, xrefs: 004267D6
Extracting setup.ini..., xrefs: 004266AD, 004266D5
count, xrefs: 004267AB
Languages, xrefs: 004267A6, 004267B0, 004267FE
%s%d, xrefs: 004267DB
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp, xrefs: 0042669D
%#04x.ini, xrefs: 00426825

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: wsprintf$H_prolog
String ID: %#04x.ini$%s%d$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$Extracting setup.ini...$Languages$count$key
API String ID: 3352209545-703221853
Opcode ID: 33b28bf5103f5010b696aa99509beb26d3be2ec967eb7e54a48c9a1c394602d4
Instruction ID: 1bd64d6a44f4b35f4bf12d93a81d0ecfcba1f87eeef049d600d29a97e1546615
Opcode Fuzzy Hash: 33b28bf5103f5010b696aa99509beb26d3be2ec967eb7e54a48c9a1c394602d4
Instruction Fuzzy Hash: F461B671A00228AADF10DBA5DD45FEEB778EF04304F40416BE509B31C2DBB85E49CB59

Function 00419210 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 123
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00419215

Part of subcall function 00411238: RegOpenKeyExW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0042ED95,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A), ref: 00411252
Part of subcall function 00411238: RegCloseKey.ADVAPI32(?,?,0042ED95,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A,?,?,00000000,00459868,?,00000000), ref: 00411263

RegCloseKey.ADVAPI32(?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,0044952C,?,?), ref: 00419256
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,0044952C,?,?), ref: 0041929D
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00419323
RegEnumValueW.ADVAPI32(?,00000001,?,00000208,00000000,?,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00419341
RegCloseKey.ADVAPI32(?), ref: 00419357
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00419374
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 00419381

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 004192B9
Software\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 004192EF
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 00419235

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Close$EnumValue$H_prologOpen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnceEx
API String ID: 2958348514-2087105512
Opcode ID: 3729191662c7b9766eb703fb6a93f55773ded2306aacb27d4dc786c94b3d6562
Instruction ID: 91ea7994ade2da4a2edef66e2f358257390b43a00482f3d8641506292df462ea
Opcode Fuzzy Hash: 3729191662c7b9766eb703fb6a93f55773ded2306aacb27d4dc786c94b3d6562
Instruction Fuzzy Hash: 694139B290021EAADF10DB91CD90AFFB77CEF48345F10056AEA11B2291D7785E44CB69

Function 0042E42C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042E431
lstrcpyW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI), ref: 0042E455
lstrcpyW.KERNEL32(?,0x0409), ref: 0042E460
lstrcpyW.KERNEL32(?,Languages), ref: 0042E47D
wsprintfW.USER32 ref: 0042E490
lstrlenW.KERNEL32(?,?,?,0045D464,?,?,?), ref: 0042E4D4
VerLanguageNameW.KERNEL32(?,?,?), ref: 0042E4F5

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 0042E44F
0x0409, xrefs: 0042E45A
Languages, xrefs: 0042E477
%#04x, xrefs: 0042E48A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$H_prologLanguageNamelstrlenwsprintf
String ID: %#04x$0x0409$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI$Languages
API String ID: 4009380564-23613841
Opcode ID: afa9126b0349a4420dae21e4f70f9c12f25b547133b8505c2c75920b782e52d0
Instruction ID: 726505bdaa310d2e10a5ee5f29fe3ccb60b923769a3d7cf7868b69c613d6be6b
Opcode Fuzzy Hash: afa9126b0349a4420dae21e4f70f9c12f25b547133b8505c2c75920b782e52d0
Instruction Fuzzy Hash: 38212C72900118ABDF21EFE1DD49BDE7778AB08304F60816BF915A3191DB799A08DB58

Function 004121C5 Relevance: 18.1, APIs: 12, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412D83: __EH_prolog.LIBCMT ref: 00412D88

Part of subcall function 00412CEE: __EH_prolog.LIBCMT ref: 00412CF3

GlobalAlloc.KERNELBASE(00000042,00000002,?,?,00000000,?,?,00412162,?,00000000,?,?,?,?,?), ref: 0041223B
GlobalLock.KERNEL32(00000000,?,?,00412162,?,00000000,?,?,?,?,?), ref: 00412242

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: GlobalH_prolog$AllocLock
String ID:
API String ID: 861400310-0
Opcode ID: 3b0fd49aab480e0cbe078d06cc7295db3c1c2bda860118234805afa7edfd31c5
Instruction ID: 9962fa2e3d097dd23ea1690d2ea19f6b7a8770d7c0c169fea75122caa9b9751c
Opcode Fuzzy Hash: 3b0fd49aab480e0cbe078d06cc7295db3c1c2bda860118234805afa7edfd31c5
Instruction Fuzzy Hash: 2541A2F5600216AFEB009F65EE489AB3BA9EB453147100576FD10D32A1E7F88CA1DF5D

Function 004444D6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0044457C
GetLastError.KERNEL32 ref: 00444588
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 004445BB
InterlockedExchange.KERNEL32(?,00000000), ref: 004445CD
LocalAlloc.KERNEL32(00000040,00000008), ref: 004445E1
FreeLibrary.KERNEL32(00000000), ref: 004445FE
GetProcAddress.KERNEL32(?,?), ref: 0044465F
GetLastError.KERNEL32 ref: 0044466B
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 0044469D

Strings

$, xrefs: 004444F2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 02c2791e497a657de292b4bd5e1423ff42a16de99390a71498e44c5e95f0589b
Instruction ID: f37ec5f03772b3ba9e574be0a7516d52ef362f31e82a48200473c37ec033f8bb
Opcode Fuzzy Hash: 02c2791e497a657de292b4bd5e1423ff42a16de99390a71498e44c5e95f0589b
Instruction Fuzzy Hash: EC617375A00605AFEB24CF98D984BAA77F4FB99700F11406EE515D7390D7B8ED04CB18

Function 0042BF22 Relevance: 16.8, APIs: 11, Instructions: 332fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042BF27

Part of subcall function 0042BD36: __EH_prolog.LIBCMT ref: 0042BD3B
Part of subcall function 0042BD36: GetTempPathW.KERNEL32(00000104,00000000,?,00000104,?,00000000,?,00000000,?,?,00000000), ref: 0042BDA5
Part of subcall function 0042BD36: GetTempFileNameW.KERNELBASE(?,_is,00000000,?,?,00000104,?,00000000), ref: 0042BDE9

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,004613A8), ref: 0042BF86
GetLastError.KERNEL32 ref: 0042BF90
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000000,00000000), ref: 0042BFDF
GetLastError.KERNEL32 ref: 0042BFE9
CloseHandle.KERNEL32(?), ref: 0042BFF8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$CreateErrorH_prologLastTemp$CloseHandleNamePath
String ID:
API String ID: 3661940180-0
Opcode ID: 2283b4a2f09fc414b324cef3e1b15f0f66061ccc200d46c0795bf92c4a142d4a
Instruction ID: 707a1075748f19b96b57598783fa7fe63a325814fbdecafb47b5059a38f24046
Opcode Fuzzy Hash: 2283b4a2f09fc414b324cef3e1b15f0f66061ccc200d46c0795bf92c4a142d4a
Instruction Fuzzy Hash: 0CD16B71A00258EBDF11DFA4DC84AEEBBB5BF05304F5480AAF409B7291DB385E44DB65

Function 0042D703 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 168processwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042D708
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp,?,00000001,?), ref: 0042D812
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0042D83B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042D852
GetExitCodeProcess.KERNELBASE(?,?), ref: 0042D871
FindCloseChangeNotification.KERNELBASE(?), ref: 0042D882

Strings

Launch result %d, exit code %d, xrefs: 0042D8BA
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp, xrefs: 0042D798, 0042D79E, 0042D890
Attempting to launch: %s, xrefs: 0042D7BE

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Process$ChangeCloseCodeCreateExitFindH_prologMessageMultipleNotificationObjectsPeekWait
String ID: Attempting to launch: %s$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp$Launch result %d, exit code %d
API String ID: 810901882-2150883082
Opcode ID: f900852e734ab8164577f088584bff816c93cb77385ec3eca9ca852af26d54ae
Instruction ID: f2a150a90f5886917ac193b79f52dc527058d6fb35ef33dee016585d5a7cf65e
Opcode Fuzzy Hash: f900852e734ab8164577f088584bff816c93cb77385ec3eca9ca852af26d54ae
Instruction Fuzzy Hash: 49519FB5D00219EFEF10EFA4DC85EEEB778EB04304F50806AE515A7292D7785E48CB64

Function 00401E26 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78windowregistryCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(0040FEF9,?), ref: 00401E54
LoadCursorW.USER32(00000000,00007F00), ref: 00401E63
GetStockObject.GDI32(00000004), ref: 00401E6E
RegisterClassW.USER32(00000003), ref: 00401E86
CreateWindowExW.USER32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,0040FEF9,?), ref: 00401EAB
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401EC6
TranslateMessage.USER32(?), ref: 00401ED0
DispatchMessageW.USER32(?), ref: 00401EDA

Strings

<aE, xrefs: 00401E77

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$Load$ClassCreateCursorDispatchIconObjectRegisterStockTranslateWindow
String ID: <aE
API String ID: 1812404604-2824874527
Opcode ID: 99d58e6021a4b20c2c65473debbbcb1552e022cfb7f07e9a826b05b365e9094c
Instruction ID: 19a6defa71d0ead6edab3c70ba5b02eee1d58c5f813ff5d2a563d1ffbb8f005e
Opcode Fuzzy Hash: 99d58e6021a4b20c2c65473debbbcb1552e022cfb7f07e9a826b05b365e9094c
Instruction Fuzzy Hash: 94214FB6D04219ABCB108FE5EC48DDFBBBCEF0A355B104026F605E2250D7749906DBA8

Function 00425F18 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 396COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425F1D

Part of subcall function 00424FE5: __EH_prolog.LIBCMT ref: 00424FEA

Part of subcall function 00425B41: __EH_prolog.LIBCMT ref: 00425B46

Part of subcall function 0042DCF0: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 0042DD04

Part of subcall function 00401504: __EH_prolog.LIBCMT ref: 00401509
Part of subcall function 00401504: SetLastError.KERNEL32(?,?,00000000,004494BC,?,00429787,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?,00000001,?,?,00000000,debuglog,00000000,00000000,00000000), ref: 0040156F

IsValidCodePage.KERNEL32(00000000,?,00000001), ref: 00425FB4

Part of subcall function 00432B24: MultiByteToWideChar.KERNEL32(00000000,00000001,?,000000FF,?,00000014), ref: 00432B4B

Part of subcall function 00407AFA: __EH_prolog.LIBCMT ref: 00407AFF

Strings

Default language: %d, got code page %d, xrefs: 00425F97
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00426168
/LangTransform, xrefs: 004261B5, 00426295
Language transforms in stream, xrefs: 004260D0, 004260F7
Using language transforms from setup.exe location, xrefs: 004263AB, 004263D8
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp, xrefs: 00425F62, 004260C3, 0042639B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ByteCharCodeErrorInfoLastLocaleMultiPageValidWide
String ID: /LangTransform$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$Default language: %d, got code page %d$Language transforms in stream$Using language transforms from setup.exe location
API String ID: 2122249853-3700785369
Opcode ID: 3f2e40f553b009a38f8743dec44ddd8efe151b5ee38baa98fdf348aee88b078a
Instruction ID: abfd1d64d75d009272f2a2f2e416ff2047362e93b91d45d09bece8e9fbc2bd1c
Opcode Fuzzy Hash: 3f2e40f553b009a38f8743dec44ddd8efe151b5ee38baa98fdf348aee88b078a
Instruction Fuzzy Hash: 53F1A570A00218AFDF14EB95DD45BEEB7B8AF04308F5041AFE505A72D2EB785E49CB19

Function 00426C43 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426C48
LoadCursorW.USER32(00000000,00007F02), ref: 00426C85
SetCursor.USER32(00000000), ref: 00426C8C

Part of subcall function 00401504: __EH_prolog.LIBCMT ref: 00401509
Part of subcall function 00401504: SetLastError.KERNEL32(?,?,00000000,004494BC,?,00429787,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?,00000001,?,?,00000000,debuglog,00000000,00000000,00000000), ref: 0040156F

SetCursor.USER32(?,?,?,?,00000001,?,?,00000001,?,?,00000000), ref: 00426F42

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00426CC1
Extraction of '%s' failed, xrefs: 00426F07
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp, xrefs: 00426E07, 00426E0D, 00426EE7
Extracting '%s' to %s, xrefs: 00426E37

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Cursor$H_prolog$ErrorLastLoad
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$Extracting '%s' to %s$Extraction of '%s' failed
API String ID: 3430186874-196505235
Opcode ID: 8006536aea09c5d4f63b9cb9fcb1fbe438a94e92f1e243f511ce2d3481c23e96
Instruction ID: da2a860da81134cfe59eeb823512a49bcde11110de1a2933a86a68e775e297aa
Opcode Fuzzy Hash: 8006536aea09c5d4f63b9cb9fcb1fbe438a94e92f1e243f511ce2d3481c23e96
Instruction Fuzzy Hash: FCA1C371A0021DEEEF11DBA5DC45BEEB7B8AF14304F1040ABE405A7292EB789F48DB55

Function 00402C74 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 302fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402C79
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,004494FC,?,00000000), ref: 00402CA8
WriteFile.KERNELBASE(?,00449518,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 00402E25

Part of subcall function 004062F9: __EH_prolog.LIBCMT ref: 004062FE

WriteFile.KERNELBASE(?,00449518,00000000,?,00000000,00000001,00000001,00000001,00000001,00000001,00000000,00000000), ref: 00402F6F
WriteFile.KERNELBASE(?,00449518,00000000,?,00000000,004561B8,00000000,?,?,00000000), ref: 00402FCB
FindCloseChangeNotification.KERNELBASE(000000FF,00000001,?,00000000,?,00000000,?,00000000), ref: 0040301F

Strings

], xrefs: 00402D1D, 00402D29

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$Write$H_prolog$ChangeCloseCreateFindNotification
String ID: ]
API String ID: 2749126053-3462329250
Opcode ID: c730fe5b393cad879a541c332639a6c5829b17a64b0960a4b5ea3c4938b581e5
Instruction ID: 9d3af7bffb0a7c105d8cd27adae087398dc05b25d0bbeb4288205612c5bbe369
Opcode Fuzzy Hash: c730fe5b393cad879a541c332639a6c5829b17a64b0960a4b5ea3c4938b581e5
Instruction Fuzzy Hash: 99C17DB1C00249AEDF15DBA4CD85AEEBB78BF14308F14416EE411B72D2DBB85A48CB65

Function 0042E58D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 133filestringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042E592
GetModuleFileNameW.KERNEL32(?,00000104,004494FC,00000104,00000000), ref: 0042E5CE

Part of subcall function 0042B656: __EH_prolog.LIBCMT ref: 0042B65B
Part of subcall function 0042B656: lstrcpyW.KERNEL32(?,?), ref: 0042B6B9
Part of subcall function 0042B656: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0042B6E2
Part of subcall function 0042B656: GetLastError.KERNEL32 ref: 0042B6F3

Part of subcall function 004016F5: lstrlenW.KERNEL32(004494DC,004494C4,00000000,004494BC,?,?,0043E97D), ref: 00401748
Part of subcall function 004016F5: WideCharToMultiByte.KERNEL32(00000000,00000000,004494DC,000000FF,?,00000002,00000000,00000000,?,?,0043E97D), ref: 00401770

GetTempPathW.KERNEL32(00000104,00000000,?), ref: 0042E643
GetTempFileNameW.KERNELBASE(00000000,00459B3C,00000000,?), ref: 0042E65E
lstrcpyW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI), ref: 0042E69F
DeleteFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,?,?,?), ref: 0042E72B

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 0042E682, 0042E68D, 0042E697

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$H_prologNameTemplstrcpy$ByteCharCreateDeleteErrorLastModuleMultiPathWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI
API String ID: 959423117-3296403769
Opcode ID: fcd961a9a9432aa5986a01ba2b8a31d64c79d9ac7e102b77a20f0dc03012f9ea
Instruction ID: 5d4db82b385141692be69daeb635b55a6acfaebc82323679794654cb8c324431
Opcode Fuzzy Hash: fcd961a9a9432aa5986a01ba2b8a31d64c79d9ac7e102b77a20f0dc03012f9ea
Instruction Fuzzy Hash: 55515271A00229AADF10EBA1DC58BDEB778BF04304F5041AAF509A7191DB799F88CB59

Function 0042764B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00427650

Part of subcall function 00413367: __EH_prolog.LIBCMT ref: 0041336C
Part of subcall function 00413367: lstrcmpW.KERNEL32(?,0045D464,?,?,0045D464,?,?,Languages,00000000,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,004267B9,Languages,count,00000000,?), ref: 0041339B

wsprintfW.USER32 ref: 004276AF
CharNextW.USER32(?), ref: 004276C2
CharNextW.USER32(00000000), ref: 004276C5

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00427760
C:\Users\user\Desktop, xrefs: 0042777C, 0042779C
%#x, xrefs: 004276A9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$CharNext$lstrcmpwsprintf
String ID: %#x$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$C:\Users\user\Desktop
API String ID: 750383770-1221655934
Opcode ID: 09a81b512d512154a2131bf35a39b764ee5b57695ff4e11191e550abfb91cfe0
Instruction ID: ef6cfe5630c93982d933445d29a4f58f60238e7aed0fd9c18e92ca1639a54160
Opcode Fuzzy Hash: 09a81b512d512154a2131bf35a39b764ee5b57695ff4e11191e550abfb91cfe0
Instruction Fuzzy Hash: 8E417F71E0022CAADB14DFA6ED81EEF77B8EB44304F50406AF945E2291DB796E058B58

Function 0043BF86 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 235fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,_is,00000000,?,?,00000104,?,00000000), ref: 0043C0F7
GetTempPathW.KERNELBASE(00000104,00000000,?,00000104,004494FC,00000104), ref: 0043BFCE

Part of subcall function 004021F4: __EH_prolog.LIBCMT ref: 004021F9
Part of subcall function 004021F4: GetLastError.KERNEL32(004494FC,00000104), ref: 00402225
Part of subcall function 004021F4: SetLastError.KERNEL32(00000000,?,00000000,?,00000001), ref: 0040225A

__EH_prolog.LIBCMT ref: 0043BF8B

Part of subcall function 0040276F: SysStringLen.OLEAUT32(?), ref: 0040277D
Part of subcall function 0040276F: SysReAllocStringLen.OLEAUT32(0000001C,?,?), ref: 00402799

DeleteFileW.KERNEL32(?), ref: 0043C11C

Strings

_is, xrefs: 0043C0F1
.tmp, xrefs: 0043C144

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorFileH_prologLastStringTemp$AllocDeleteNamePath
String ID: .tmp$_is
API String ID: 4195121471-3921807090
Opcode ID: 88e592d9abc6eee6ceb53cb814bc98fa9ad954de5103e3a68fb86d22b5ad0b9a
Instruction ID: 0698e7ade805730eaa163a496bc60a26a73c0b625a31609e3402f68544893d1a
Opcode Fuzzy Hash: 88e592d9abc6eee6ceb53cb814bc98fa9ad954de5103e3a68fb86d22b5ad0b9a
Instruction Fuzzy Hash: E0A1B071900248EEDF05EFA5C885BDEBBB8AF19308F10409EF50577282DB786B49DB65

Function 0042588B Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425890

Part of subcall function 00423496: GetVersionExW.KERNEL32(?,?,?), ref: 004234C3
Part of subcall function 00423496: GetSystemInfo.KERNELBASE(?), ref: 00423503

Part of subcall function 004069BA: __EH_prolog.LIBCMT ref: 004069BF

Part of subcall function 00413367: __EH_prolog.LIBCMT ref: 0041336C
Part of subcall function 00413367: lstrcmpW.KERNEL32(?,0045D464,?,?,0045D464,?,?,Languages,00000000,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,004267B9,Languages,count,00000000,?), ref: 0041339B

lstrlenW.KERNEL32(?), ref: 004259D2

Part of subcall function 004120E4: lstrcpyW.KERNEL32(C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?), ref: 004120FA
Part of subcall function 004120E4: lstrcpyW.KERNEL32(0404,?), ref: 0041211E

Part of subcall function 004236A0: wsprintfW.USER32 ref: 004236C4
Part of subcall function 004236A0: lstrcmpW.KERNEL32(?), ref: 004236D8

Strings

PASSWORD, xrefs: 004259B9
Startup, xrefs: 00425910
Source, xrefs: 0042590B
KEY, xrefs: 004259BE

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrcmplstrcpy$InfoSystemVersionlstrlenwsprintf
String ID: KEY$PASSWORD$Source$Startup
API String ID: 2384415829-3958804870
Opcode ID: 7cf13031e1a5120391a0da14e0bc24800b4d7d3427d008d6ece33eb3988fdb73
Instruction ID: 674f07553005354412a8e4172cbd1e64669b24a003d82dc44a53388b4f5e6100
Opcode Fuzzy Hash: 7cf13031e1a5120391a0da14e0bc24800b4d7d3427d008d6ece33eb3988fdb73
Instruction Fuzzy Hash: FA710A70B00764AADF20EB61DD56BEE7BB49F14308F80015FE546A31C2DBBC6A85C729

Function 0043E260 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 0043E282
RegQueryValueExA.ADVAPI32(004494BC,DoVerboseLogging,00000000), ref: 0043E2B7
RegCloseKey.ADVAPI32(004494BC,?), ref: 0043E2D1
RegCloseKey.ADVAPI32(004494BC), ref: 0043E2E4

Strings

DoVerboseLogging, xrefs: 0043E2A9
SOFTWARE\InstallShield\15.0\Professional, xrefs: 0043E270

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: DoVerboseLogging$SOFTWARE\InstallShield\15.0\Professional
API String ID: 1607946009-3118108426
Opcode ID: b1f6d5c512e0c0d33992933da650301b4e69b9105e9341701eedafb80c85c935
Instruction ID: 45b62369db151c6f8e06bc4638a02f8b8f8c71fff34f6156de88b9dbe51f507a
Opcode Fuzzy Hash: b1f6d5c512e0c0d33992933da650301b4e69b9105e9341701eedafb80c85c935
Instruction Fuzzy Hash: 8401B575505321BFE310DF10DC54BEB7BD8EF89B09F40445EFA4996291E3748908879A

Function 0042B656 Relevance: 9.1, APIs: 6, Instructions: 131filestringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042B65B
lstrcpyW.KERNEL32(?,?), ref: 0042B6B9

Part of subcall function 0042B818: __EH_prolog.LIBCMT ref: 0042B81D
Part of subcall function 0042B818: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?), ref: 0042B851
Part of subcall function 0042B818: CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000,?,?), ref: 0042B872

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0042B6E2
GetLastError.KERNEL32 ref: 0042B6F3
ReadFile.KERNELBASE(?,?,0000002E,?,00000000,?,?,00000000,00000000), ref: 0042B757
ReadFile.KERNEL32(?,?,0000002E,?,00000000,?,?,00000000,00000000), ref: 0042B7CE

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$Create$H_prologRead$ErrorLastMappinglstrcpy
String ID:
API String ID: 386350339-0
Opcode ID: 4428dc2b11fed735918946fcfc3b3d4373c618c1554cb83eacfe1ac246860aee
Instruction ID: b8f5fa431771d879aea189f0c52399253cb75000428742a873765a5a9f7abc82
Opcode Fuzzy Hash: 4428dc2b11fed735918946fcfc3b3d4373c618c1554cb83eacfe1ac246860aee
Instruction Fuzzy Hash: 5B41C774640B15EAD730AF25E888BDBFBF9EF84704F50491FE46AD22A1C7745940CBA8

Function 0040FF1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,00000000,?,?,?,0040F807,0044952C,0044952C,00000000), ref: 0040FF36
RegQueryValueExW.ADVAPI32(00000000,SetupLogFileName,00000000,00000000,0045D570,0044952C,?,?,?,0040F807,0044952C), ref: 0040FF5C
RegCloseKey.ADVAPI32(00000000,?,?,?,0040F807,0044952C), ref: 0040FF70

Strings

Software\InstallShield\ISWI\7.0\SetupExeLog, xrefs: 0040FF2C
SetupLogFileName, xrefs: 0040FF54

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SetupLogFileName$Software\InstallShield\ISWI\7.0\SetupExeLog
API String ID: 3677997916-622478307
Opcode ID: 55b86e483752ae0168c112d49614b5b03f241620e87f2f97e2b6071fa1600137
Instruction ID: 14d91fe8579573bbaf73374dc78fc10236b41ffe72b909cfabc9cb7ec96b7b3a
Opcode Fuzzy Hash: 55b86e483752ae0168c112d49614b5b03f241620e87f2f97e2b6071fa1600137
Instruction Fuzzy Hash: A9F037B0640309FAEB118B60DC46F9E7A789B01B49F200175B500B11D1E3F56A48961C

Function 00401EF3 Relevance: 7.5, APIs: 5, Instructions: 46windowtimeCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00401F12
PostMessageW.USER32(?,00000002,00000000,00000000), ref: 00401F45
KillTimer.USER32(?,000005DC), ref: 00401F5C
PostQuitMessage.USER32(00000000), ref: 00401F64
SetTimer.USER32(?,000005DC,000003E8,00000000), ref: 00401F85

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MessagePostTimer$KillProcQuitWindow
String ID:
API String ID: 707289242-0
Opcode ID: f50e8e7eb90a13d859fd72bc75c9bae18f626a461b5c0350096c1c8b2739b030
Instruction ID: 74abb02421bfdf41e5872058f4377e9b73eae860d8084365606efba9c460f33b
Opcode Fuzzy Hash: f50e8e7eb90a13d859fd72bc75c9bae18f626a461b5c0350096c1c8b2739b030
Instruction Fuzzy Hash: A211E93564430AABDB219F60DC09B5A3B70BB05702F408032FA06AA2F1CB75D955EF5D

Function 0043C29D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C2A2

Part of subcall function 0040293E: __EH_prolog.LIBCMT ref: 00402943

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

CreateDirectoryW.KERNELBASE(?,00000000,?,00000000,00457BB8,?,00000000,00000001,?,00000000,00000001,?,00000000,?,00000000,?), ref: 0043C3BC
GetLastError.KERNEL32 ref: 0043C3C6

Strings

\, xrefs: 0043C330

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$CreateDirectoryFreeString
String ID: \
API String ID: 2554313312-2967466578
Opcode ID: a5ce81e4ece5714b601beeeeb4ade05edd3aef9985cfc7c33810ee3d7dfd302e
Instruction ID: 2219eda27ef914b226abe2e0c823761bd91dc8aaf9058b6e78af322099310e20
Opcode Fuzzy Hash: a5ce81e4ece5714b601beeeeb4ade05edd3aef9985cfc7c33810ee3d7dfd302e
Instruction Fuzzy Hash: 1751B371C00248EADF00EFA5C9859EEBB78AF15344F10816AE815B72C1DB389B05DB55

Function 00412F72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412F77

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 00412FAC, 00412FBE
.ini, xrefs: 00413005
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00412FC9, 00412FDB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: .ini$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI
API String ID: 1057991267-3363952622
Opcode ID: 917795322fd064b0d859e3d36a52f729583fba837ac1d0818cacd5ab3368b093
Instruction ID: 07be2161ee9003449a8a86b4068522aebab3c3b96ac2b462a00eca41608ce874
Opcode Fuzzy Hash: 917795322fd064b0d859e3d36a52f729583fba837ac1d0818cacd5ab3368b093
Instruction Fuzzy Hash: 25417F71A00248AADF11EF99C891BEEBB78AF14308F00416EF406B72C2DB785F49DB55

Function 0042BD36 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042BD3B

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

Part of subcall function 0040276F: SysStringLen.OLEAUT32(?), ref: 0040277D
Part of subcall function 0040276F: SysReAllocStringLen.OLEAUT32(0000001C,?,?), ref: 00402799

GetTempPathW.KERNEL32(00000104,00000000,?,00000104,?,00000000,?,00000000,?,?,00000000), ref: 0042BDA5

Part of subcall function 004021F4: __EH_prolog.LIBCMT ref: 004021F9
Part of subcall function 004021F4: GetLastError.KERNEL32(004494FC,00000104), ref: 00402225
Part of subcall function 004021F4: SetLastError.KERNEL32(00000000,?,00000000,?,00000001), ref: 0040225A

GetTempFileNameW.KERNELBASE(?,_is,00000000,?,?,00000104,?,00000000), ref: 0042BDE9

Strings

_is, xrefs: 0042BDE3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$StringTemp$AllocFileNamePath
String ID: _is
API String ID: 1212494501-3851567351
Opcode ID: 98f0a74e4167638da9cc1b12dc472156b9df42f3319397e20726b404f7d3c06e
Instruction ID: dd66c68abbf03ee1cd929382cc79f92efc77bfde2696a90aa3b445af4423cfd2
Opcode Fuzzy Hash: 98f0a74e4167638da9cc1b12dc472156b9df42f3319397e20726b404f7d3c06e
Instruction Fuzzy Hash: 3821B431900248AFDB05EBA5C948BDEBF78BF19308F1440AEE505B72D2CBB85A04DB65

Function 0043273F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0043272A,00000000,00000000,00000000,00427024), ref: 00432754
TerminateProcess.KERNEL32(00000000), ref: 0043275B
ExitProcess.KERNEL32 ref: 004327DC

Strings

*'C, xrefs: 00432767

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: *'C
API String ID: 1703294689-4287346795
Opcode ID: b1b2b12232cdb55ff1d31f606cfc194af72c805da625abf7fc60e3cbb8b6f361
Instruction ID: 7bb92c13f64ea865589b7f2268591d40b066869c9441bd3c5fa1aedf4040d8e8
Opcode Fuzzy Hash: b1b2b12232cdb55ff1d31f606cfc194af72c805da625abf7fc60e3cbb8b6f361
Instruction Fuzzy Hash: 0801C435604700ABDA20AF19FE85A1A77A4BB88361F10143FF840932A2DBF95C40DA2E

Function 00412F00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00412F12

Part of subcall function 00412F72: __EH_prolog.LIBCMT ref: 00412F77

CharNextW.USER32(?), ref: 00412F3C
CharNextW.USER32(00000000), ref: 00412F3F

Strings

%#04x, xrefs: 00412F0C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CharNext$H_prologwsprintf
String ID: %#04x
API String ID: 1310451597-3155933392
Opcode ID: 0a1d974fec30a572d167f9cc4feb1cd9193ee9811aa9a96913e9cbbac3bdf50e
Instruction ID: e09a2e4d7471f2f0e9c66f4f61ae5bd0efae35ab165b3d675ee6f438f0000062
Opcode Fuzzy Hash: 0a1d974fec30a572d167f9cc4feb1cd9193ee9811aa9a96913e9cbbac3bdf50e
Instruction Fuzzy Hash: 0AF0177680010DBBCF016FA1CC05CDB3F7DEB18254F044412FD08E2021E675DAA6ABA4

Function 004120E4 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?), ref: 004120FA

Part of subcall function 00407AFA: __EH_prolog.LIBCMT ref: 00407AFF

lstrcpyW.KERNEL32(0404,?), ref: 0041211E

Part of subcall function 00412342: __EH_prolog.LIBCMT ref: 00412347
Part of subcall function 00412342: GlobalAlloc.KERNEL32(00000042,00000002,?), ref: 00412381
Part of subcall function 00412342: GlobalLock.KERNEL32(00000000), ref: 00412388

Strings

0404, xrefs: 00412119
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 004120F5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: GlobalH_prologlstrcpy$AllocLock
String ID: 0404$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 1837333587-3521829406
Opcode ID: bd94fec3daa7b9c5e2fd6ec8f029e8489c1556474516be07a76f269a6e3c9670
Instruction ID: 5b640fe2e4d1db96e1cf91babf5aee6ec137d9e8233a955a2ccbd3454e206e73
Opcode Fuzzy Hash: bd94fec3daa7b9c5e2fd6ec8f029e8489c1556474516be07a76f269a6e3c9670
Instruction Fuzzy Hash: 2F11C63660010977DF01AF959D01DEF3B69DF99304F04001BFE04B2152E6A8D9B29BAA

Function 00406B49 Relevance: 6.1, APIs: 4, Instructions: 59stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000000,00000000,?,00406A4F,?,00000400,00000000,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00406B68
SetErrorMode.KERNELBASE(00008003,?,00406A4F,?,00000400,00000000,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00406B77
GetWindowsDirectoryW.KERNEL32(00000000,0000044F,?,00406A4F,?,00000400,00000000,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00406B8F
lstrcpyW.KERNEL32(00000000,0045D464), ref: 00406BAC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: DirectoryErrorModePathTempWindowslstrcpy
String ID:
API String ID: 3576100887-0
Opcode ID: 16e4a73ec1e1eed93796309af11c743b4debfb2f0466f5d017c7af7394d1b444
Instruction ID: 274644722b61605ef31c3bdeb0230b46f035fb0af207d9d8992de5c82daf46c8
Opcode Fuzzy Hash: 16e4a73ec1e1eed93796309af11c743b4debfb2f0466f5d017c7af7394d1b444
Instruction Fuzzy Hash: D501B56170023126D7202B732D09F2B7ABCAF92798F01043EB90BE61D2F678DC15C279

Function 00426FA6 Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0044952C), ref: 00426FB2

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

lstrlenW.KERNEL32(?), ref: 00426FE7
wsprintfW.USER32 ref: 00427043
SetWindowTextW.USER32(0044952C,?), ref: 00427056

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Windowwsprintf$LoadStringTextlstrlen
String ID:
API String ID: 1776808806-0
Opcode ID: c6a0b7e4ca6ab17fd1227d10d5e43655d8b19a116195a18ee341bdff46bffe99
Instruction ID: e7be468a4472d588f57b75a0a586db33219ee5f561f99632109a4569c6e3a707
Opcode Fuzzy Hash: c6a0b7e4ca6ab17fd1227d10d5e43655d8b19a116195a18ee341bdff46bffe99
Instruction Fuzzy Hash: 1A117072A00119BADF10EFB1FC49B9E376CEB08354F508077F904D2191EBB8DA898B59

Function 00411A5D Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411A87
IsDialogMessageW.USER32(?), ref: 00411A9B
TranslateMessage.USER32(?), ref: 00411AA9
DispatchMessageW.USER32(?), ref: 00411AB3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 064d0a11721fa6d13dcfb98ebaa268b8162df375934dbfb28e147c30ffa03b1b
Instruction ID: a828afc4b3be58d97f8739b529fe2d8d091f4d9c00d52942f4e93f6d08e53b32
Opcode Fuzzy Hash: 064d0a11721fa6d13dcfb98ebaa268b8162df375934dbfb28e147c30ffa03b1b
Instruction Fuzzy Hash: CAF03C31901259ABCB219FA0DC08AEB7BBCEF057917404433FA05D2161F7689985DBAD

Function 0042D55D Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D4E9: GetFileAttributesW.KERNELBASE(00000000,00427E1A,?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,Startup), ref: 0042D4ED

SetErrorMode.KERNELBASE(00008001,00000000,?,00000400,?,?,00401BEE,?,?,?,00000400,?,?,?), ref: 0042D58A
SetFileAttributesW.KERNELBASE(?,00000080), ref: 0042D592
DeleteFileW.KERNELBASE(?), ref: 0042D599
SetErrorMode.KERNELBASE(00000000), ref: 0042D5A8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$AttributesErrorMode$Delete
String ID:
API String ID: 3807840792-0
Opcode ID: 9432e7105dec171f0939f880cba97f1cd1dca0800131a839219df7e4a4376196
Instruction ID: b5da2edb0fe569f7710c47e12de6b298de9e2dfaedf1ea720eaf0bef8ca5961a
Opcode Fuzzy Hash: 9432e7105dec171f0939f880cba97f1cd1dca0800131a839219df7e4a4376196
Instruction Fuzzy Hash: 25F0E532B022313EF7203B627C41F9B624CAF82758F00442BF201D5180C6D89D8186BD

Function 004119A5 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0040960A), ref: 004119AB
GetDlgItem.USER32(000003EA), ref: 004119C5
SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004119DB

Part of subcall function 00411A5D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411A87
Part of subcall function 00411A5D: IsDialogMessageW.USER32(?), ref: 00411A9B
Part of subcall function 00411A5D: TranslateMessage.USER32(?), ref: 00411AA9
Part of subcall function 00411A5D: DispatchMessageW.USER32(?), ref: 00411AB3

SendMessageW.USER32(00000000,00000402,?,00000000), ref: 004119F6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekTranslateWindow
String ID:
API String ID: 4202329498-0
Opcode ID: 6ae1ec280b3b2f723f77998c9f7da41b146ed13c185379c77ace3888719d9517
Instruction ID: db44ae57adf68b5aadadf56398797a94e6d49a1692550a7eaad1877559c8be4d
Opcode Fuzzy Hash: 6ae1ec280b3b2f723f77998c9f7da41b146ed13c185379c77ace3888719d9517
Instruction Fuzzy Hash: F4F0A7713003157FDB015F659D85E2B7BA8FB89B42F000439F700961A2D7648C05D669

Function 0042D5B2 Relevance: 6.0, APIs: 4, Instructions: 24fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008001,?,0042D57A,?,00000400,?,?,00401BEE,?,?,?,00000400,?,?,?), ref: 0042D5BE
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0042D5D6
SetErrorMode.KERNEL32(00000000), ref: 0042D5E3
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0042D5EB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorMode$ChangeCloseCreateFileFindNotification
String ID:
API String ID: 2956594108-0
Opcode ID: e8cc79b855a8a52398ea2ec60d6445131ad87539189a1290d2a3791e63f7beb8
Instruction ID: 278d478e96daf30a69a6d597fec14b1f8fe58e45f7751a7ca4477fa92771bd75
Opcode Fuzzy Hash: e8cc79b855a8a52398ea2ec60d6445131ad87539189a1290d2a3791e63f7beb8
Instruction Fuzzy Hash: 9EE01231B943217AFA702770BC4AF473A54BB15B35F600A12F355FD0E0C9E46980EA9D

Function 00411837 Relevance: 6.0, APIs: 4, Instructions: 15timeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0042C718), ref: 0041183D
KillTimer.USER32(000003E9,004494BC), ref: 00411853
KiUserCallbackDispatcher.NTDLL ref: 00411865
DestroyWindow.USER32 ref: 0041186D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$CallbackDestroyDispatcherKillTimerUser
String ID:
API String ID: 2023473011-0
Opcode ID: 8712ce7d535f93484299a89600d8e3e0c20fd22ba624eb663017bd62835f2993
Instruction ID: d2dea7907e5b4b7bdd373e8fd8da54c3c2faebc4612cef9cbfaa043a58d216d4
Opcode Fuzzy Hash: 8712ce7d535f93484299a89600d8e3e0c20fd22ba624eb663017bd62835f2993
Instruction Fuzzy Hash: 76D09E39501218BFCB122F71FD099463F65FB0A7927544432F900911B3EA219C55EF8D

Function 00403034 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 420COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403039

Part of subcall function 0040D7F5: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,004494FC,?,00000000,00403060,000000FF,?,004494FC,?,00000000), ref: 0040D816

FindCloseChangeNotification.KERNELBASE(000000FF,00000001,00000001,00000001,00000001,00000001,?,00000000,?,00000000,00000000,00000000,00000000,004561B8,FFFFFFFF,00000000), ref: 00403556

Strings

, xrefs: 004031A5, 004031FD, 00403208, 0040348F, 00403497

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ChangeCloseCreateFileFindH_prologNotification
String ID:
API String ID: 416742417-410699589
Opcode ID: cb66d893701f7515263528528dfe0167d58c6943e8e80bf149c8588f28880257
Instruction ID: 3b3aad5a0a5815f65b6cc6e3259e60de7d06868b36f34217566264a6610124d6
Opcode Fuzzy Hash: cb66d893701f7515263528528dfe0167d58c6943e8e80bf149c8588f28880257
Instruction Fuzzy Hash: 2CF1B171D0418DAEEF11EBA4C891EEEBB7C9F55308F1440AEE545732C2DA781B49CB29

Function 00425C8E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425C93

Part of subcall function 00413367: __EH_prolog.LIBCMT ref: 0041336C
Part of subcall function 00413367: lstrcmpW.KERNEL32(?,0045D464,?,?,0045D464,?,?,Languages,00000000,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,004267B9,Languages,count,00000000,?), ref: 0041339B

Strings

Creating setup dialog..., xrefs: 00425D33, 00425D59
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp, xrefs: 00425D29

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrcmp
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp$Creating setup dialog...
API String ID: 4174983478-4148024137
Opcode ID: f97b0361d7e452c598faa9b023dcda21b623165765450068617037267b540740
Instruction ID: 265370e7b30dcde9817706f4bb33202a18266ea976c48add71dd0d6c48c9f2b6
Opcode Fuzzy Hash: f97b0361d7e452c598faa9b023dcda21b623165765450068617037267b540740
Instruction Fuzzy Hash: 7871C571900218AFDF24DBA5DC85BEEB7B8AF04304F50416FE10AA3291DB785F49CB19

Function 00411AC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411AE1
GetTickCount.KERNEL32 ref: 00411AF2

Part of subcall function 00411A5D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411A87
Part of subcall function 00411A5D: IsDialogMessageW.USER32(?), ref: 00411A9B
Part of subcall function 00411A5D: TranslateMessage.USER32(?), ref: 00411AA9
Part of subcall function 00411A5D: DispatchMessageW.USER32(?), ref: 00411AB3

Strings

#F, xrefs: 00411AC8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$CountTick$DialogDispatchPeekTranslate
String ID: #F
API String ID: 2347478412-3307669336
Opcode ID: b14676fb2d83f888efbcdc6e9b206ce152a0654ab08f3d0c2c27b6917e2abd7a
Instruction ID: d7edd0a3af3c56358057b7fc4ba25a02ec69fd29862ef3716022a799dc38a0e0
Opcode Fuzzy Hash: b14676fb2d83f888efbcdc6e9b206ce152a0654ab08f3d0c2c27b6917e2abd7a
Instruction Fuzzy Hash: 4BE0DF3210A254ABCB409B61FC4029E7B94AF913A1F294837E500D3271E3FC9CC5DA9B

Function 00432DDE Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00432E04

Part of subcall function 004345D2: HeapCreate.KERNELBASE(00000000,00001000,00000000,00432E3C,00000001), ref: 004345E3
Part of subcall function 004345D2: HeapDestroy.KERNEL32 ref: 00434622

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Heap$CreateDestroyVersion
String ID:
API String ID: 3731775651-0
Opcode ID: 45016d50c321d32cdc7ac18fbcd56aa1c2918e5a52ccd64482b5ba4e7eda76e9
Instruction ID: 6615f94dfc3657c7f2c4e3250c8d8875e98f63fce01e0580cdf6f121ed7647cb
Opcode Fuzzy Hash: 45016d50c321d32cdc7ac18fbcd56aa1c2918e5a52ccd64482b5ba4e7eda76e9
Instruction Fuzzy Hash: 411193B1900B457ADB14AFB6DD0AB5E7AA8EF09714F10112EF90096291EBBC4900CB9D

Function 0042CFF2 Relevance: 4.5, APIs: 3, Instructions: 32fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D321: lstrlenW.KERNEL32(00000104,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D329
Part of subcall function 0042D321: lstrcpynW.KERNEL32(?,00000102,-00000001,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?), ref: 0042D34B
Part of subcall function 0042D321: lstrcatW.KERNEL32(?,?), ref: 0042D36B

CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?), ref: 0042D028
CloseHandle.KERNEL32(00000000), ref: 0042D038
DeleteFileW.KERNELBASE(?), ref: 0042D045

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$CloseCreateDeleteHandlelstrcatlstrcpynlstrlen
String ID:
API String ID: 4178870998-0
Opcode ID: ab93777b185ed1337c03933f8c70ced631ebcd83a4faafc88eadc14374c1b1d6
Instruction ID: 86e4f439d680285a589d34c2c3b16e0e047402cf208acb0aa9294194010ff038
Opcode Fuzzy Hash: ab93777b185ed1337c03933f8c70ced631ebcd83a4faafc88eadc14374c1b1d6
Instruction Fuzzy Hash: 87F030769002097ADF506BB0AC49FA737ACBB00318F508AA1B641D60D0DEB4ED485F98

Function 0042D523 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0042D506: GetFileAttributesW.KERNELBASE(?,0042D52F,?,00000000,00401C56,?,?,?,00000400,?,?,?), ref: 0042D50A

SetErrorMode.KERNELBASE(00008001,?,?,00000000,00401C56,?,?,?,00000400,?,?,?), ref: 0042D53F
RemoveDirectoryW.KERNELBASE(?), ref: 0042D545
SetErrorMode.KERNELBASE(00000000), ref: 0042D554

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorMode$AttributesDirectoryFileRemove
String ID:
API String ID: 2449359760-0
Opcode ID: 0c4d6d013dd370212cb0bf06c93cc4fc611a7a55a825359424081bbeda26509f
Instruction ID: 6adef3121481364d3017631bbeb368d3d0de639e1261927fdb2403a5c5d76611
Opcode Fuzzy Hash: 0c4d6d013dd370212cb0bf06c93cc4fc611a7a55a825359424081bbeda26509f
Instruction Fuzzy Hash: 38E0C2327002203ADB201B2BBC04F0B3FA9BBC07A1F44803BB604C61A0CAE18C81CB64

Function 00411871 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

IsWindow.USER32(00418400), ref: 00411877
ShowWindow.USER32(00000000), ref: 00411890
ShowWindow.USER32(00000000), ref: 0041189A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$Show
String ID:
API String ID: 990937876-0
Opcode ID: 7c93fce810bd00400c59ebbed4ac8a06eef80bb04ab1f709eb41ca525a3adbff
Instruction ID: 734512e46b0dd7b6afc7b920293277d5a9bdc2efd0942e0eb1724b01a47d237f
Opcode Fuzzy Hash: 7c93fce810bd00400c59ebbed4ac8a06eef80bb04ab1f709eb41ca525a3adbff
Instruction Fuzzy Hash: 9BD0C935600228BBDB122F61FD05F463E65AB09792F204472AA00A21B3E6619C15AF8D

Function 00411872 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

IsWindow.USER32(00418400), ref: 00411877
ShowWindow.USER32(00000000), ref: 00411890
ShowWindow.USER32(00000000), ref: 0041189A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$Show
String ID:
API String ID: 990937876-0
Opcode ID: 187e3fd03123e82d4fe0790f81cb25b4d928b2ba105f8a19541674a86a4bef8a
Instruction ID: 9b1815ee3f54facd81b4f5e3528dd77372a53e85410b48b88a1af462cb3e3e43
Opcode Fuzzy Hash: 187e3fd03123e82d4fe0790f81cb25b4d928b2ba105f8a19541674a86a4bef8a
Instruction Fuzzy Hash: 70D012356002297BDB112FA1FC05F463E54EB09792F214473BA00E21B3E6549C159F9D

Function 0040F7E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F7E7

Part of subcall function 0040FF1F: RegOpenKeyExW.KERNELBASE(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,00000000,?,?,?,0040F807,0044952C,0044952C,00000000), ref: 0040FF36
Part of subcall function 0040FF1F: RegQueryValueExW.ADVAPI32(00000000,SetupLogFileName,00000000,00000000,0045D570,0044952C,?,?,?,0040F807,0044952C), ref: 0040FF5C
Part of subcall function 0040FF1F: RegCloseKey.ADVAPI32(00000000,?,?,?,0040F807,0044952C), ref: 0040FF70

Part of subcall function 00424640: __EH_prolog.LIBCMT ref: 00424645
Part of subcall function 00424640: GetModuleFileNameW.KERNEL32(00000000,?,00000400,0045D464,?,00000000,?,00000000,?,00000000,0044952C,?,00000000), ref: 004247BF

Part of subcall function 0040FA0A: __EH_prolog.LIBCMT ref: 0040FA0F

Strings

/f1, xrefs: 0040F978

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$CloseFileModuleNameOpenQueryValue
String ID: /f1
API String ID: 2986767852-2921927892
Opcode ID: df939b2506a09e58c42fe20552c6ed8f790f3cf146b7c073ebe6a32506e82b9f
Instruction ID: a9c706cae67ec2514783e73bd91c0808f4e0930d2f81d32d5202a9248a162b85
Opcode Fuzzy Hash: df939b2506a09e58c42fe20552c6ed8f790f3cf146b7c073ebe6a32506e82b9f
Instruction Fuzzy Hash: 5B51E471900208EEDB10EFA5C985A9EBBB8EF04308F10807FE445736D1DB78AE09CB59

Function 00426A32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426A37

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 00401504: __EH_prolog.LIBCMT ref: 00401509
Part of subcall function 00401504: SetLastError.KERNEL32(?,?,00000000,004494BC,?,00429787,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?,00000001,?,?,00000000,debuglog,00000000,00000000,00000000), ref: 0040156F

Strings

%s: %s, xrefs: 00426AC4, 00426B48

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: %s: %s
API String ID: 1057991267-3740598653
Opcode ID: 5fb582075eb93f8e07aad0b54a1696b691e3938a055cb6e74f49ed80d9efcac5
Instruction ID: 4c92ce85718bfe785d22626081ce0af9e9205110cc5a7fa2521ea63d2587b2f4
Opcode Fuzzy Hash: 5fb582075eb93f8e07aad0b54a1696b691e3938a055cb6e74f49ed80d9efcac5
Instruction Fuzzy Hash: 1B41B671E00258EADF11DB95D881ADEBBB8AF14304F5480AFF505E7291DB389F48CB65

Function 00420452 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00420457

Part of subcall function 004207AB: __EH_prolog.LIBCMT ref: 004207B0

Strings

InstanceId, xrefs: 0042049A, 004204C6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: InstanceId
API String ID: 3519838083-3325913497
Opcode ID: f859a29bd7a78c9d41a35652747c86adcc2de9cd76a9c6baff93492a92ac83b5
Instruction ID: baa653b968a38a838b4e268385c6fcfcc4fcaf8c1ac3d8d4ee16489db6f9bff1
Opcode Fuzzy Hash: f859a29bd7a78c9d41a35652747c86adcc2de9cd76a9c6baff93492a92ac83b5
Instruction Fuzzy Hash: 7A31C571E001099FCF14DBE8D9819EEB7F8AF15314F64421EE122A72D2DB386E09CB54

Function 00425B41 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425B46

Part of subcall function 0042764B: __EH_prolog.LIBCMT ref: 00427650
Part of subcall function 0042764B: wsprintfW.USER32 ref: 004276AF
Part of subcall function 0042764B: CharNextW.USER32(?), ref: 004276C2
Part of subcall function 0042764B: CharNextW.USER32(00000000), ref: 004276C5

Strings

C:\Users\user\Desktop, xrefs: 00425C52

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CharH_prologNext$wsprintf
String ID: C:\Users\user\Desktop
API String ID: 2806261523-224404859
Opcode ID: dc9d6446cafda8941a5912a5e780382c724458d7612683a5101e89f942c3be19
Instruction ID: 3be2fd6ac2b879bdbf454edfd265d89ee49d393d775c0c01d988e5d44ba51bbb
Opcode Fuzzy Hash: dc9d6446cafda8941a5912a5e780382c724458d7612683a5101e89f942c3be19
Instruction Fuzzy Hash: 4831B670B00629AADF30EB66DC909EFB6ACEB44354F40417FE445E2251FB789D848B58

Function 0041AA7A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041AA7F

Part of subcall function 004086AA: lstrlenW.KERNEL32(0044952C,?,004494FC,00000000,?,?,0042C27A), ref: 004086FD
Part of subcall function 004086AA: WideCharToMultiByte.KERNEL32(00000000,00000000,0044952C,000000FF,?,00000002,00000000,00000000,?,0042C27A), ref: 00408725

Part of subcall function 00426C43: __EH_prolog.LIBCMT ref: 00426C48

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 0041AAB6, 0041AAD9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 2210268250-3076254100
Opcode ID: d6d4751a0d4ac0a34b161e2045b5f8aff378d263cc18c7bd2d4e92e9a8c3fc0d
Instruction ID: 0712cd6b0b7ed14bc70bd20250542c0b420c33b587e5dd2da5e41c9816a9c1e3
Opcode Fuzzy Hash: d6d4751a0d4ac0a34b161e2045b5f8aff378d263cc18c7bd2d4e92e9a8c3fc0d
Instruction Fuzzy Hash: 6E21F571A04248ABDF14EFA5C8909EE7B69DB00358F00442FF505E7281DB7CAD84C759

Function 004117B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0040B4E1: RegisterClassW.USER32(00000000), ref: 0040B508

Part of subcall function 00409462: __EH_prolog.LIBCMT ref: 00409467
Part of subcall function 00409462: CreateDialogIndirectParamW.USER32(?,00000000,000003E9,00000000,?), ref: 004094AC

GetTickCount.KERNEL32 ref: 00411826

Part of subcall function 0041189E: GetWindowRect.USER32(?), ref: 004118B7
Part of subcall function 0041189E: GetWindowRect.USER32(00000000,?), ref: 004118C0
Part of subcall function 0041189E: GetSystemMetrics.USER32(00000001), ref: 004118CA
Part of subcall function 0041189E: GetSystemMetrics.USER32(00000000), ref: 004118CE
Part of subcall function 0041189E: SetRect.USER32(?,00000000,00000000,00000000), ref: 004118D7
Part of subcall function 0041189E: FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0041190E
Part of subcall function 0041189E: IsWindow.USER32(00000000), ref: 00411917
Part of subcall function 0041189E: GetWindowRect.USER32(00000000,?), ref: 0041192D
Part of subcall function 0041189E: IntersectRect.USER32(?,?,?), ref: 0041193B
Part of subcall function 0041189E: SubtractRect.USER32(?,?,?), ref: 00411957
Part of subcall function 0041189E: SetWindowPos.USER32(00000000,?,0041181A,0000001E,00000000,00000000,00000005,0000001E,?,?,00000000), ref: 00411997

Strings

X:B, xrefs: 0041182C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: RectWindow$MetricsSystem$ClassCountCreateDialogFindH_prologIndirectIntersectParamRegisterSubtractTick
String ID: X:B
API String ID: 656350481-546658527
Opcode ID: caf444680923e2bb439a16b41063c758701c2d87d016336a46306b96658a1a25
Instruction ID: 548a77458d5dca3b6327516a59756f057fc1c71717858360d92b200f33b0c46a
Opcode Fuzzy Hash: caf444680923e2bb439a16b41063c758701c2d87d016336a46306b96658a1a25
Instruction Fuzzy Hash: B0014471805319AFDB10AF71AD408AB7768F704756714843BF94092262E778DD84DB5E

Function 0040446B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404470

Part of subcall function 0040511B: __EH_prolog.LIBCMT ref: 00405120

Strings

, xrefs: 0040447B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-410699589
Opcode ID: a0ba31438cce60d7a54c06fe480a84e5ef42ad78874f4724c231cfd092af0530
Instruction ID: 45da57b310b4f882ca865c4ae6953464137e489681b855514236e1f4e17b1e34
Opcode Fuzzy Hash: a0ba31438cce60d7a54c06fe480a84e5ef42ad78874f4724c231cfd092af0530
Instruction Fuzzy Hash: 84016272900148AADB04FB94CA52BDEB7B49F18304F50406BE101B71C2DBB95F08CB65

Function 00424640 Relevance: 3.2, APIs: 2, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424645

Part of subcall function 0040226E: __EH_prolog.LIBCMT ref: 00402273

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 00408512: __EH_prolog.LIBCMT ref: 00408517
Part of subcall function 00408512: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000,?), ref: 00408540
Part of subcall function 00408512: SetLastError.KERNEL32(?,?,00000000,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000), ref: 00408595

GetModuleFileNameW.KERNEL32(00000000,?,00000400,0045D464,?,00000000,?,00000000,?,00000000,0044952C,?,00000000), ref: 004247BF

Part of subcall function 0042B656: __EH_prolog.LIBCMT ref: 0042B65B
Part of subcall function 0042B656: lstrcpyW.KERNEL32(?,?), ref: 0042B6B9
Part of subcall function 0042B656: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0042B6E2
Part of subcall function 0042B656: GetLastError.KERNEL32 ref: 0042B6F3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast$File$CreateModuleNamelstrcpy
String ID:
API String ID: 3433113430-0
Opcode ID: 11ae0a00babde3167addd5cfb2e9dec3ed3f0f2d58d666103488ad4b69262188
Instruction ID: 2221e6a49389a00daf93383ec0b65206f2f4d01b31add9446b1e31c1db1f8c1a
Opcode Fuzzy Hash: 11ae0a00babde3167addd5cfb2e9dec3ed3f0f2d58d666103488ad4b69262188
Instruction Fuzzy Hash: 146190B0905784DEC721DF79C484ADBBFE4BF19308F5489AFD0AA97282C7786609CB15

Function 0043BD41 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043BD46

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Part of subcall function 0040293E: __EH_prolog.LIBCMT ref: 00402943

SearchPathW.KERNELBASE(0044952C,?,00000000,00000104,00449504,00000000,?,?,00000104,?,00000000,?,00000000,00000000,?,00449504), ref: 0043BE1F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreePathSearchString
String ID:
API String ID: 3114274418-0
Opcode ID: e5c5a45a8c99a4cce338872c46e6a5f265498f5c77f1cd6a9df584f7a7063a93
Instruction ID: 4bce4b28244181a90b23a5097c18af1672a269ac2aeeddc8017d3c8714150b25
Opcode Fuzzy Hash: e5c5a45a8c99a4cce338872c46e6a5f265498f5c77f1cd6a9df584f7a7063a93
Instruction Fuzzy Hash: 90418F71900148AEDF14EFA1C595AEEBB78EF05308F10806EF40677292DB389F08CB65

Function 00432E41 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00432F0A: ExitProcess.KERNEL32 ref: 00432F27

Part of subcall function 00433EEC: TlsAlloc.KERNEL32(?,00432E4E), ref: 00433EF2
Part of subcall function 00433EEC: TlsSetValue.KERNEL32(00000000,?,00432E4E), ref: 00433F1A
Part of subcall function 00433EEC: GetCurrentThreadId.KERNEL32 ref: 00433F2B

GetStartupInfoW.KERNEL32(?), ref: 00432E8E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00432EB1

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AllocCurrentExitHandleInfoModuleProcessStartupThreadValue
String ID:
API String ID: 2682494680-0
Opcode ID: 52aa06c139cef88c2fc79a7510573128f520b1878f009ee8a04352cb04bf182d
Instruction ID: ef60296dc8d937bae00402d89e0bfed749eca3ad5f0b2b4cb175865e4c0c41c5
Opcode Fuzzy Hash: 52aa06c139cef88c2fc79a7510573128f520b1878f009ee8a04352cb04bf182d
Instruction Fuzzy Hash: E2016DB1904354AADB14FFB6D90BAAE7678BF08308F10241FF541AB251DBBC8940DB2D

Function 00404AAE Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000400,?,00000000), ref: 00404AD6
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00404B23

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: ee686e22c21dd1a424640cc3d30b6c46f3a73123b57c6375947179bd37537722
Instruction ID: 5ecfb8d3e660f3aa9c8f870ac3a97922002732a77e6fa6d21cd70c0bb479d1c3
Opcode Fuzzy Hash: ee686e22c21dd1a424640cc3d30b6c46f3a73123b57c6375947179bd37537722
Instruction Fuzzy Hash: 4E0192F080819CBEDF11DBB098847EEBE78AB41315F1045F6E391B21D0C235AE86DB28

Function 0042CB18 Relevance: 3.0, APIs: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042CB1D

Part of subcall function 0042CC55: wsprintfW.USER32 ref: 0042CC6D
Part of subcall function 0042CC55: lstrcatW.KERNEL32(?,.ini), ref: 0042CCA5
Part of subcall function 0042CC55: lstrcpyW.KERNEL32(00000000,?), ref: 0042CCB8

Part of subcall function 0040226E: __EH_prolog.LIBCMT ref: 00402273

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

lstrlenW.KERNEL32(?,?,?,0045D464,?,0000012C,?,?), ref: 0042CB75

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrcatlstrcpylstrlenwsprintf
String ID:
API String ID: 2127946560-0
Opcode ID: 66c3ce99e2d3d67f895b385aa25c21e6f83bde612c00fa49ce9ceaa1bbef3644
Instruction ID: 21ef3e0cbaca0216cc738c707eabe918765abc73fe3f19684e2e819605113dfe
Opcode Fuzzy Hash: 66c3ce99e2d3d67f895b385aa25c21e6f83bde612c00fa49ce9ceaa1bbef3644
Instruction Fuzzy Hash: 22016932C00108AADF10EBE4D959AEDB778EF08318F10C16AE916B20D1DB785B08CB94

Function 004093D6 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004093DB

Part of subcall function 00409536: FindResourceW.KERNEL32(?,?,?,?,?,00000000,?,00409407,?,?,00000005,?,?,?,00000000), ref: 00409547
Part of subcall function 00409536: LoadResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 00409560
Part of subcall function 00409536: SizeofResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 00409578
Part of subcall function 00409536: GlobalAlloc.KERNEL32(00000040,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 0040958E
Part of subcall function 00409536: LockResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 004095A5

DialogBoxIndirectParamW.USER32(?,00000000,?,?,?), ref: 00409420

Part of subcall function 004095D1: GlobalFree.KERNEL32(00000000), ref: 004095D8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Resource$Global$AllocDialogFindFreeH_prologIndirectLoadLockParamSizeof
String ID:
API String ID: 4217892729-0
Opcode ID: c97d984f6b8af74cc9a3e13d1e7e370a2bd6e3ab78c327f4cc0ddcfb5da3bc6f
Instruction ID: 2e45f2c97bdf4adce37c3e8960bdb225723a26defee3d90247f27eb0e10e7a6c
Opcode Fuzzy Hash: c97d984f6b8af74cc9a3e13d1e7e370a2bd6e3ab78c327f4cc0ddcfb5da3bc6f
Instruction Fuzzy Hash: 43016D32904108FFDF02AF96DC01BEEBB75EF04354F00806AF815A2192C7B94E21DB95

Function 00409462 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409467

Part of subcall function 00409536: FindResourceW.KERNEL32(?,?,?,?,?,00000000,?,00409407,?,?,00000005,?,?,?,00000000), ref: 00409547
Part of subcall function 00409536: LoadResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 00409560
Part of subcall function 00409536: SizeofResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 00409578
Part of subcall function 00409536: GlobalAlloc.KERNEL32(00000040,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 0040958E
Part of subcall function 00409536: LockResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 004095A5

CreateDialogIndirectParamW.USER32(?,00000000,000003E9,00000000,?), ref: 004094AC

Part of subcall function 004095D1: GlobalFree.KERNEL32(00000000), ref: 004095D8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Resource$Global$AllocCreateDialogFindFreeH_prologIndirectLoadLockParamSizeof
String ID:
API String ID: 3887831743-0
Opcode ID: e9cea0184a61443494fe7ed0ded7a7296290e50a122800ff43119a5227231307
Instruction ID: 357d6e5119e46b5756b1ecae57e2eb7124b935a3d553d0edb4c313eb377415db
Opcode Fuzzy Hash: e9cea0184a61443494fe7ed0ded7a7296290e50a122800ff43119a5227231307
Instruction Fuzzy Hash: 51016D32904109FFDF02AF96DC06BEEBB75EF04354F04806AF905A6192C7B94E25DB95

Function 0042D2BB Relevance: 3.0, APIs: 2, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?), ref: 0042D2F4
GetDriveTypeW.KERNELBASE(00000000), ref: 0042D306

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: DriveTypelstrlen
String ID:
API String ID: 1700768220-0
Opcode ID: 7e32bedd8cabfc24ced01c15e913a9189f32017a6eb5e8236d6e409116bf2c90
Instruction ID: 499d61106bbc994949c5538cb8c0302f399152bdf72560e242eb5d8ac0a70295
Opcode Fuzzy Hash: 7e32bedd8cabfc24ced01c15e913a9189f32017a6eb5e8236d6e409116bf2c90
Instruction Fuzzy Hash: ACF02E32E00318A6DF60D764EC4CBCB737C9B49300F5009B3E511D3061DB78D9C08A25

Function 0042DE44 Relevance: 3.0, APIs: 2, Instructions: 32stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CB18: __EH_prolog.LIBCMT ref: 0042CB1D
Part of subcall function 0042CB18: lstrlenW.KERNEL32(?,?,?,0045D464,?,0000012C,?,?), ref: 0042CB75

lstrcpyW.KERNEL32(00000000,0040AD7A), ref: 0042DE8D
SendDlgItemMessageW.USER32(00000001,?,0000000C,00000000,00000000), ref: 0042DEA4

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologItemMessageSendlstrcpylstrlen
String ID:
API String ID: 3462262938-0
Opcode ID: c0fedd1543f721cc6c05919bc67364396b4fe7b21c5f6c051e60a2220dc72b66
Instruction ID: d945ce5f196ac673186457f1a4bf3d9d43d498b88e3a83af48841c7bc82af237
Opcode Fuzzy Hash: c0fedd1543f721cc6c05919bc67364396b4fe7b21c5f6c051e60a2220dc72b66
Instruction Fuzzy Hash: F7F0547590031DBBEF519F54DC49FDB7B79FB04304F0001B1BA54A60B1EA719A959B44

Function 004345D2 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00432E3C,00000001), ref: 004345E3

Part of subcall function 0043448A: GetVersionExA.KERNEL32 ref: 004344A9

HeapDestroy.KERNEL32 ref: 00434622

Part of subcall function 0043462F: HeapAlloc.KERNEL32(00000000,00000140,0043460B,000003F8), ref: 0043463C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 5a056c7e5b85612a081055033e3871e4d562b80e2e2bd01fda39eaef9e8c9c46
Instruction ID: 349950dc86b01783b70e0490662bec4ff59a8aed31a3b3be31d2684a2f8ad3af
Opcode Fuzzy Hash: 5a056c7e5b85612a081055033e3871e4d562b80e2e2bd01fda39eaef9e8c9c46
Instruction Fuzzy Hash: 4EF0E530955301AADF106F709D037AB3A95E789743F10683BF000C45A0FBED9990AA5E

Function 004127C4 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000002), ref: 004127DE
GetDlgItem.USER32(?,000003ED), ref: 004127F0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: d495ebdd3777f5c0edfcd6ad9d5975dd2d302e065f11ac8f47733b1005b90a5d
Instruction ID: fb59340b22dd11f3f22a75a5f8680195bd7a29579b99c883e4e7653c2c620c78
Opcode Fuzzy Hash: d495ebdd3777f5c0edfcd6ad9d5975dd2d302e065f11ac8f47733b1005b90a5d
Instruction Fuzzy Hash: CDE06D34204209EBDF241F20DE95AEB7659EB00715F00402BF825D5AD1DAB8CDE18568

Function 00411238 Relevance: 3.0, APIs: 2, Instructions: 26registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0042ED95,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A), ref: 00411252
RegCloseKey.ADVAPI32(?,?,0042ED95,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A,?,?,00000000,00459868,?,00000000), ref: 00411263

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f7c80a032885773ecbbde2e902e672b0d563a46465fc2d43bd466e371a25d14c
Instruction ID: 6055bb1ec1d1954b0f185758e35c99f9dde78b1d36e2fb7f8970094595e3ea65
Opcode Fuzzy Hash: f7c80a032885773ecbbde2e902e672b0d563a46465fc2d43bd466e371a25d14c
Instruction Fuzzy Hash: C4F0397A100209EBDF249F41CC05BEB7BA9EF11351F20406DE942A6260E779AE50DB58

Function 0042CA25 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0042CA37

Part of subcall function 0042CB18: __EH_prolog.LIBCMT ref: 0042CB1D
Part of subcall function 0042CB18: lstrlenW.KERNEL32(?,?,?,0045D464,?,0000012C,?,?), ref: 0042CB75

LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologLoadStringlstrlenwsprintf
String ID:
API String ID: 1702443186-0
Opcode ID: 60751eb9ebb0724a5aab89fe4d46f04055d26400e3665af44a7e57b9b590aa99
Instruction ID: a32e0929718f5e593865b769811982907ff787c8b366185c17bf0e6869e5d73f
Opcode Fuzzy Hash: 60751eb9ebb0724a5aab89fe4d46f04055d26400e3665af44a7e57b9b590aa99
Instruction Fuzzy Hash: 14E0ED7550020EBBCF015FA0DD46DCE3F79BF18346F004015FE04A1021E676D569AB94

Function 0042C4E1 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,00000000,?,0042B73C,?,?,00000000,00000000), ref: 0042C4F5
GetLastError.KERNEL32(?,0042B73C,?,?,00000000,00000000), ref: 0042C4FD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bd875096038cdcc97c052297b5a2de724e7679784f0c2d893cccdd9d497ce0ef
Instruction ID: a51442dac53ab7ff4d485fdb4ef15913658c8c82313ccf0bcc0150a8e8a0d519
Opcode Fuzzy Hash: bd875096038cdcc97c052297b5a2de724e7679784f0c2d893cccdd9d497ce0ef
Instruction Fuzzy Hash: C0E048366042216BC7118F25AC0C44F7ED2EBD53B0F510D25F551831B1D774DC95EBA5

Function 00411AC7 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411AE1
GetTickCount.KERNEL32 ref: 00411AF2

Part of subcall function 00411A5D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411A87
Part of subcall function 00411A5D: IsDialogMessageW.USER32(?), ref: 00411A9B
Part of subcall function 00411A5D: TranslateMessage.USER32(?), ref: 00411AA9
Part of subcall function 00411A5D: DispatchMessageW.USER32(?), ref: 00411AB3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$CountTick$DialogDispatchPeekTranslate
String ID:
API String ID: 2347478412-0
Opcode ID: eb042c3192753acef64ee28a84c101f071f8adee7123f14800a05379ff1bb749
Instruction ID: f6b354af44e1ae1256d6c84f3ffd07725928111f3fb11f6c49094d330d1e8518
Opcode Fuzzy Hash: eb042c3192753acef64ee28a84c101f071f8adee7123f14800a05379ff1bb749
Instruction Fuzzy Hash: C7E08C3140A2549ECB509761DC003AABAA86F523A2F155937D54092270E7FC5CC5DA9F

Function 0042661D Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00426626
SetWindowTextW.USER32(?,00000000), ref: 00426636

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$Text
String ID:
API String ID: 848690642-0
Opcode ID: 2346bd9590db0ff617bf630f43fec90a242ed84cd461c73a6b1bebd1a77eeb37
Instruction ID: 849048e8c61f365d2dda544d583f0c792bdeb263aadee8d22395893f28466489
Opcode Fuzzy Hash: 2346bd9590db0ff617bf630f43fec90a242ed84cd461c73a6b1bebd1a77eeb37
Instruction Fuzzy Hash: A0D0C97A100011DBDB112F50EC08A87BBA5FF5A740B154839B98591075C7334C62EB58

Function 004069BA Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004069BF

Part of subcall function 00423496: GetVersionExW.KERNEL32(?,?,?), ref: 004234C3
Part of subcall function 00423496: GetSystemInfo.KERNELBASE(?), ref: 00423503

Part of subcall function 00424A20: lstrlenW.KERNEL32(?,00000000,00000000,?,00406A2D,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00424A2A
Part of subcall function 00424A20: lstrcpyW.KERNEL32(00000000,?), ref: 00424A49
Part of subcall function 00424A20: lstrcpyW.KERNEL32(C:\Users\user\Desktop,?), ref: 00424A51

Part of subcall function 00406B49: GetTempPathW.KERNEL32(00000001,00000000,00000000,00000000,?,00406A4F,?,00000400,00000000,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00406B68
Part of subcall function 00406B49: SetErrorMode.KERNELBASE(00008003,?,00406A4F,?,00000400,00000000,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00406B77
Part of subcall function 00406B49: GetWindowsDirectoryW.KERNEL32(00000000,0000044F,?,00406A4F,?,00000400,00000000,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00406B8F
Part of subcall function 00406B49: lstrcpyW.KERNEL32(00000000,0045D464), ref: 00406BAC

Part of subcall function 00426671: __EH_prolog.LIBCMT ref: 00426676

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$H_prolog$DirectoryErrorInfoModePathSystemTempVersionWindowslstrlen
String ID:
API String ID: 2810238083-0
Opcode ID: 6b1fb78ce2766f8f8762f350ec47457c59247503e398d4a94a5b85fca0be4d4e
Instruction ID: 99eac06e63ee7f9ee7d8ffae2821ab3ecd6a14502dd151577d153e73c3c02698
Opcode Fuzzy Hash: 6b1fb78ce2766f8f8762f350ec47457c59247503e398d4a94a5b85fca0be4d4e
Instruction Fuzzy Hash: 0931BFA0B002215BDB14B7726D9277E25AA8B8074CF51043FA503FB2D2EF7C9D42865D

Function 00431875 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0043195C

Part of subcall function 004343E7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 00434424
Part of subcall function 004343E7: EnterCriticalSection.KERNEL32(?,?,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 0043443F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 819842a2710f24ebcde8c9af493453a1b8d3abd4f1467bb72ffb77baba0c280d
Instruction ID: 79c599bd6fb09ad3681b3962c486a34cc8f9b67e9832bcb2a02ea0d0808b7216
Opcode Fuzzy Hash: 819842a2710f24ebcde8c9af493453a1b8d3abd4f1467bb72ffb77baba0c280d
Instruction Fuzzy Hash: 3E219572A00245ABDB10EF65DC42B9E77A4EF08724F24511BF411EB2E1D77CA941CA5D

Function 0043174E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074), ref: 00431822

Part of subcall function 004343E7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 00434424
Part of subcall function 004343E7: EnterCriticalSection.KERNEL32(?,?,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 0043443F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: d94bfe40fe2b7402333c48f76044bb3a4cc27a818097ef849436d5a69bb96bf8
Instruction ID: a50a2f4e1b74f6edd134b9317844868a0323b7b02c6b67cf3ff9031aa2eb78da
Opcode Fuzzy Hash: d94bfe40fe2b7402333c48f76044bb3a4cc27a818097ef849436d5a69bb96bf8
Instruction Fuzzy Hash: 7421F932D01604ABDF14AF55DC02BDE7BB8EB09735F24152BF411B22E0D77D99408AAD

Function 0042CA6A Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042CA6F

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 004085AE: SysStringLen.OLEAUT32(?), ref: 004085BC
Part of subcall function 004085AE: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 004085D8

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

Part of subcall function 00408630: __EH_prolog.LIBCMT ref: 00408635
Part of subcall function 00408630: GetLastError.KERNEL32(?,004494BC), ref: 00408661
Part of subcall function 00408630: SetLastError.KERNEL32(00000000,?,00000000,?,00000001), ref: 00408696

Part of subcall function 0040D5D0: __EH_prolog.LIBCMT ref: 0040D5D5
Part of subcall function 0040D5D0: GetLastError.KERNEL32(74DEE010,?,004494BC,?,0043F04D), ref: 0040D5FD
Part of subcall function 0040D5D0: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,0043F04D), ref: 0040D64A

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prologString$AllocFreeLoadwsprintf
String ID:
API String ID: 993766652-0
Opcode ID: ee57e0b1121675cb45f6945214b95a14f10ef969a6270b72ee3568aba9871357
Instruction ID: 54eade0d7799b712d88e5dd17b435f682c9d88448914c30ee7316afb3118d0c3
Opcode Fuzzy Hash: ee57e0b1121675cb45f6945214b95a14f10ef969a6270b72ee3568aba9871357
Instruction Fuzzy Hash: 17115E71D00118AFDB10EF95C985BDEBBB8AF58318F14406EE845B7281DB785A09CBA5

Function 00401857 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,00000002), ref: 00401876

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 151b4ba421dde6d53032ba35893b6dff62d8dbdb29503e458d7b09762252618c
Instruction ID: dfc0165312e9aa5e419468a289336d6721334a64aa7663ae3cdc8500832ec823
Opcode Fuzzy Hash: 151b4ba421dde6d53032ba35893b6dff62d8dbdb29503e458d7b09762252618c
Instruction Fuzzy Hash: 5011E332A007059BD720EF55C08065BBBE9EF88754F15C03FE859CB3A0D774E9418B84

Function 0042C3DF Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000138,00000000,00000000), ref: 0042C41A

Part of subcall function 0042C4E1: SetFilePointer.KERNELBASE(?,?,?,?,00000000,?,0042B73C,?,?,00000000,00000000), ref: 0042C4F5
Part of subcall function 0042C4E1: GetLastError.KERNEL32(?,0042B73C,?,?,00000000,00000000), ref: 0042C4FD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID:
API String ID: 64821003-0
Opcode ID: ac380c357aa1e7307a5c472c82d7a0bd7c9df343e9cf41a825dfb5ad65df9575
Instruction ID: d23154b9ba37cddcfc22eb62e9c13428bf70da309de4fc7fd14786a27f112f21
Opcode Fuzzy Hash: ac380c357aa1e7307a5c472c82d7a0bd7c9df343e9cf41a825dfb5ad65df9575
Instruction Fuzzy Hash: 87012831300214BBEB14AB51ECC5FEFBB6CEF14388F600166B905A5192C7B8AE40C6A8

Function 0040D7F5 Relevance: 1.5, APIs: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,004494FC,?,00000000,00403060,000000FF,?,004494FC,?,00000000), ref: 0040D816

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: afceaa4d5db772a33d694058e7a3d5ee18d45847373f904b810b2433bc804dba
Instruction ID: d14221daae9ce5bdc8e334f0aa9eece2804f716dec360d8d00637e8c599cf329
Opcode Fuzzy Hash: afceaa4d5db772a33d694058e7a3d5ee18d45847373f904b810b2433bc804dba
Instruction Fuzzy Hash: A601D632B01301A7DA24AE688C85F5773986B51320F204A3EF5B0F73D0C374AC45C718

Function 004207AB Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004207B0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0aacf078fed52b09825620db9d913b47992d28783d87375536328dbec5b47fc9
Instruction ID: 5a37298b785287a88bade441b1dd3b9882cdf54fdb555332a29a75e1d8a6071a
Opcode Fuzzy Hash: 0aacf078fed52b09825620db9d913b47992d28783d87375536328dbec5b47fc9
Instruction Fuzzy Hash: B8012831600114EBCB14DF55D480AEFBBF8EF44314F50451FF01293682D738A949CB54

Function 00426BD5 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426BDA

Part of subcall function 00407AFA: __EH_prolog.LIBCMT ref: 00407AFF

Part of subcall function 0041DF97: __EH_prolog.LIBCMT ref: 0041DF9C

Part of subcall function 004086AA: lstrlenW.KERNEL32(0044952C,?,004494FC,00000000,?,?,0042C27A), ref: 004086FD
Part of subcall function 004086AA: WideCharToMultiByte.KERNEL32(00000000,00000000,0044952C,000000FF,?,00000002,00000000,00000000,?,0042C27A), ref: 00408725

Part of subcall function 00426C43: __EH_prolog.LIBCMT ref: 00426C48

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLast$ByteCharFreeMultiStringWidelstrlen
String ID:
API String ID: 1967678652-0
Opcode ID: 9b2278b740cd464b0c2fb323b6fe6e5ac416f7d7e0cdb004cbe2952bbbcd110d
Instruction ID: 1ea2d4a6c89a59fe9fce0aae5d1320d6591b38d6d6093469a32ad65306416f73
Opcode Fuzzy Hash: 9b2278b740cd464b0c2fb323b6fe6e5ac416f7d7e0cdb004cbe2952bbbcd110d
Instruction Fuzzy Hash: 72F0FF31F14254AAEB08E3E4D802BDCB7A49B00708F10426EB502F72C1DBB85F00C748

Function 0042861A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042861F

Part of subcall function 004207AB: __EH_prolog.LIBCMT ref: 004207B0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3a568f80469fdedfae4d4738d2a041f6175dc1621ae14a44d0b11e3ec89b2e4f
Instruction ID: ee574c98fde45c66d2cd5530c7bf2199bc890cc53d3a9247c780dc4bef52d67e
Opcode Fuzzy Hash: 3a568f80469fdedfae4d4738d2a041f6175dc1621ae14a44d0b11e3ec89b2e4f
Instruction Fuzzy Hash: 69F0B431B03524AACB15F765A9457ED77E49B04318F50415FA052A3281CF3C5E05C768

Function 0041FA44 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041FA49

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 63061ae9c3d918a55c8b2bd8b713ebd4583a1e55586e5d1a8b7c095aa970026c
Instruction ID: 616a0ae941ce8a68f5e3bdf8c158bd327ccfd80e6fad105f956cd4531a92db87
Opcode Fuzzy Hash: 63061ae9c3d918a55c8b2bd8b713ebd4583a1e55586e5d1a8b7c095aa970026c
Instruction Fuzzy Hash: 01F031755197D49AC712DF6880107DABFF05F1A214F08858EE8E986743C3B49249C7A5

Function 0042DEAC Relevance: 1.5, APIs: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

SendDlgItemMessageW.USER32(00000066,?,0000000C,00000000,00000000), ref: 0042DEF7

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ItemLoadMessageSendStringwsprintf
String ID:
API String ID: 382885213-0
Opcode ID: 3aa78956bd1c9e12c30033349390095b1951466041b6c31f74824fc24d3d0460
Instruction ID: ec4bc1620459814f7d6e8ee72077a5e8ba77f21a1cbb74f585ff84050b60718c
Opcode Fuzzy Hash: 3aa78956bd1c9e12c30033349390095b1951466041b6c31f74824fc24d3d0460
Instruction Fuzzy Hash: B4E09276A0031CBBEF609B54DC49FDB7BB8BB44704F0001B1BA55A50F1EAB19E958B84

Function 004044E1 Relevance: 1.5, APIs: 1, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004044E6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ceab418fb096f64e4d10b4a59e5c920c562783f6a7ae20348bf8c53e112d1f40
Instruction ID: 2e1cd3aa86238456d13102fff4b857236ecd4380e28dbf80b310cd4a663b23df
Opcode Fuzzy Hash: ceab418fb096f64e4d10b4a59e5c920c562783f6a7ae20348bf8c53e112d1f40
Instruction Fuzzy Hash: 32D0127191462497E714EB55D401BDDB264EB44719F00466FA412B25C1CBF85A048694

Function 0042E095 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0042E0AF

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 22c5bcea5819c372ffdf850b725801c465d465a14e5ffea8722e19fd47a8056e
Instruction ID: 4e8e41b86b9d467a3a7bc68352501da5c8fbf4b2b9d972ababd14438af09fa3c
Opcode Fuzzy Hash: 22c5bcea5819c372ffdf850b725801c465d465a14e5ffea8722e19fd47a8056e
Instruction Fuzzy Hash: 40D0C97190010CAEEB04ABA5E84AAE9776CEB08218F408026F915A5091EAE0E94986A5

Function 0042BE18 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,0042C347,?,?,?,004613A8), ref: 0042BE28

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 982a21f521cb2e5fb05b860d111edd53222665d6aa8a2a386671a4d52f9b4977
Instruction ID: 941b3081418221ad439259dc576ffd0c350ced6e868b2ab1f8d47378890c001c
Opcode Fuzzy Hash: 982a21f521cb2e5fb05b860d111edd53222665d6aa8a2a386671a4d52f9b4977
Instruction Fuzzy Hash: 2AC08C36304521179B142B29B90489B27DC9F0930430104ABF401D7712CB68CC409A8D

Function 0042D4E9 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00427E1A,?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,Startup), ref: 0042D4ED

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 06631295707e2bd0bc2f6d679a14d3a3424e9eeb5b15d3442225fa4068637f5a
Instruction ID: c05dad6b5451be6f93ccd2d8b123326076d8727fa21cf421dc86147518092fc7
Opcode Fuzzy Hash: 06631295707e2bd0bc2f6d679a14d3a3424e9eeb5b15d3442225fa4068637f5a
Instruction Fuzzy Hash: 7EC08C30A1421179EA100E346D4DB1722015B1937EFE04E23F0A3C01E0C3A64CD3A00A

Function 0042D506 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0042D52F,?,00000000,00401C56,?,?,?,00000400,?,?,?), ref: 0042D50A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6ce9c2893a34eaf55710305b12434bb07d719f64da8dbc113f2e201e7042770a
Instruction ID: f0dec63ebc147249f64997001c1392bd048bca80b378f22ca51e6341f0143c5d
Opcode Fuzzy Hash: 6ce9c2893a34eaf55710305b12434bb07d719f64da8dbc113f2e201e7042770a
Instruction Fuzzy Hash: 92C08C306012117AE2100B386E0E62722015B0573CFE04E23F062C00F0E7F48CD3A008

Function 0042DF00 Relevance: 1.5, APIs: 1, Instructions: 7windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(?,?,0000000C,00000000,?), ref: 0042DF10

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 32c4cbfcb029f27c9dd53ea93056b64bf3c9ae2e545268d4d438535a7ee50bfb
Instruction ID: d05a02d9dad26ca2abdf9b0c4650be97606b03d4bf7ad93bf9f22940d8df942f
Opcode Fuzzy Hash: 32c4cbfcb029f27c9dd53ea93056b64bf3c9ae2e545268d4d438535a7ee50bfb
Instruction Fuzzy Hash: 53C09235148301FBEE129FA0CD05F0BBFB2BB94B40F100858B281140F2C2728866FB46

Function 0042DD8A Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000030,00000030,?,00000000), ref: 0042DD96

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a88e788fa7a59c76b88ba9cb5da836912a8909d74a7d515f59f9d2becfff4e6a
Instruction ID: 703b4cc51347e6f7d0d582823f220d4d29440d95ce36a722847bf9b8d17edca0
Opcode Fuzzy Hash: a88e788fa7a59c76b88ba9cb5da836912a8909d74a7d515f59f9d2becfff4e6a
Instruction Fuzzy Hash: C6B01234154340BFDE138F40CC05F0A7B61BB86700F104814B250140F4C3715410EB09

Function 0042660A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 00426614

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 532dbb5d6bcbc89b051a058225f362e1213c33a890bd35561c6ae00e384365db
Instruction ID: 243f9a54129d71cc381509fad73f28e69b665222fbe47bf486ace8715e24da10
Opcode Fuzzy Hash: 532dbb5d6bcbc89b051a058225f362e1213c33a890bd35561c6ae00e384365db
Instruction Fuzzy Hash: C1B001BA404100ABCA029F50DE09A4BBA62BBAA709F258479B64D4947587334C22FB19

Function 0042E0B7 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

lstrlenW.KERNEL32(00000000), ref: 0042E0FA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: LoadStringlstrlenwsprintf
String ID:
API String ID: 1577088699-0
Opcode ID: 4155e2a5bf20d29b0fe22d5255fe926c454eae52edfa233b47e5a016efc2d3c9
Instruction ID: b4f0d46eb778c77cf8962a1802615054e7cac5f9245ee5895a355fa91e63bdd3
Opcode Fuzzy Hash: 4155e2a5bf20d29b0fe22d5255fe926c454eae52edfa233b47e5a016efc2d3c9
Instruction Fuzzy Hash: 73F0E932F003186BEB51D7A5EC927EF73AC5B40B04F4006B69608D20C0EEB4EB444558

Function 004130C3 Relevance: 1.3, APIs: 1, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,004605C8), ref: 00413104

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: acea2dc4f93cf276282e3ad9ad978331717a71ac31e89116c726735382a91650
Instruction ID: 13018f13b89cca4c07d87da416530d72795a3e14d93910b2f970b36de807db88
Opcode Fuzzy Hash: acea2dc4f93cf276282e3ad9ad978331717a71ac31e89116c726735382a91650
Instruction Fuzzy Hash: 41F0967680410EBBCF126F61EC01BDA3F79BB08305F044066F90991021E776D6B59F5D

Function 0042BD04 Relevance: 1.3, APIs: 1, Instructions: 7stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,0042B778), ref: 0042BD10

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5c55e6ccac0095363a263be09a8865dc10e404adbfe383f19ba845b29fdea681
Instruction ID: 7fc87d087bfc6479523ec299b728a9d1710fcc96327ad4ac325906348445d21f
Opcode Fuzzy Hash: 5c55e6ccac0095363a263be09a8865dc10e404adbfe383f19ba845b29fdea681
Instruction Fuzzy Hash: AFB092321A00429ACE012B70EC0D8943AA1E74F207B1001B0A012C4171C6238812AA04

Non-executed Functions

Function 0043C8C3 Relevance: 94.6, APIs: 27, Strings: 27, Instructions: 122libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wininet.dll,?,0043DF51), ref: 0043C8D8
GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0043C8F8
GetProcAddress.KERNEL32(InternetOpenUrlW), ref: 0043C90A
GetProcAddress.KERNEL32(InternetConnectW), ref: 0043C91C
GetProcAddress.KERNEL32(InternetCrackUrlW), ref: 0043C92E
GetProcAddress.KERNEL32(InternetCreateUrlW), ref: 0043C940
GetProcAddress.KERNEL32(InternetGetLastResponseInfoW), ref: 0043C952
GetProcAddress.KERNEL32(InternetSetOptionW), ref: 0043C964
GetProcAddress.KERNEL32(HttpQueryInfoW), ref: 0043C976
GetProcAddress.KERNEL32(HttpOpenRequestW), ref: 0043C988
GetProcAddress.KERNEL32(HttpSendRequestW), ref: 0043C99A
GetProcAddress.KERNEL32(HttpSendRequestExW), ref: 0043C9AC
GetProcAddress.KERNEL32(HttpEndRequestW), ref: 0043C9BE
GetProcAddress.KERNEL32(InternetQueryOptionW), ref: 0043C9D0
GetProcAddress.KERNEL32(InternetCanonicalizeUrlW), ref: 0043C9E2
GetProcAddress.KERNEL32(InternetGetCookieW), ref: 0043C9F4
GetProcAddress.KERNEL32(InternetSetCookieW), ref: 0043CA06
GetProcAddress.KERNEL32(InternetFindNextFileW), ref: 0043CA18
GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 0043CA2A
GetProcAddress.KERNEL32(InternetSetStatusCallbackW), ref: 0043CA3C
GetProcAddress.KERNEL32(InternetSetStatusCallback), ref: 0043CA52
GetProcAddress.KERNEL32(InternetCloseHandle), ref: 0043CA64
GetProcAddress.KERNEL32(InternetReadFile), ref: 0043CA76
GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 0043CA88
GetProcAddress.KERNEL32(InternetAutodial), ref: 0043CA9A
GetProcAddress.KERNEL32(InternetErrorDlg), ref: 0043CAAC
GetProcAddress.KERNEL32(InternetQueryDataAvailable), ref: 0043CABE

Strings

InternetAutodial, xrefs: 0043CA8A
InternetGetConnectedState, xrefs: 0043CA78
InternetOpenUrlW, xrefs: 0043C8FA
InternetSetOptionW, xrefs: 0043C954
InternetGetLastResponseInfoW, xrefs: 0043C942
InternetConnectW, xrefs: 0043C90C
InternetQueryOptionW, xrefs: 0043C9C0
InternetGetCookieW, xrefs: 0043C9E4
InternetCanonicalizeUrlW, xrefs: 0043C9D2
InternetQueryDataAvailable, xrefs: 0043CAAE
HttpOpenRequestW, xrefs: 0043C978
InternetCloseHandle, xrefs: 0043CA59
HttpQueryInfoW, xrefs: 0043C966
HttpEndRequestW, xrefs: 0043C9AE
InternetErrorDlg, xrefs: 0043CA9C
InternetFindNextFileW, xrefs: 0043CA08
InternetSetCookieW, xrefs: 0043C9F6
InternetCreateUrlW, xrefs: 0043C930
InternetSetStatusCallbackW, xrefs: 0043CA2C
HttpSendRequestExW, xrefs: 0043C99C
HttpSendRequestW, xrefs: 0043C98A
wininet.dll, xrefs: 0043C8D3
InternetOpenW, xrefs: 0043C8F2
InternetCrackUrlW, xrefs: 0043C91E
InternetReadFile, xrefs: 0043CA66
FtpFindFirstFileA, xrefs: 0043CA1A
InternetSetStatusCallback, xrefs: 0043CA47

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: FtpFindFirstFileA$HttpEndRequestW$HttpOpenRequestW$HttpQueryInfoW$HttpSendRequestExW$HttpSendRequestW$InternetAutodial$InternetCanonicalizeUrlW$InternetCloseHandle$InternetConnectW$InternetCrackUrlW$InternetCreateUrlW$InternetErrorDlg$InternetFindNextFileW$InternetGetConnectedState$InternetGetCookieW$InternetGetLastResponseInfoW$InternetOpenUrlW$InternetOpenW$InternetQueryDataAvailable$InternetQueryOptionW$InternetReadFile$InternetSetCookieW$InternetSetOptionW$InternetSetStatusCallback$InternetSetStatusCallbackW$wininet.dll
API String ID: 2238633743-1703109126
Opcode ID: a3648f9bedc2fca326e7f38abeae40a0cb6128df697e375367af4610c1c2d287
Instruction ID: 02c44a69666db4426d6941d925f51555880dead5b828a3094f8f06dbe9427dd8
Opcode Fuzzy Hash: a3648f9bedc2fca326e7f38abeae40a0cb6128df697e375367af4610c1c2d287
Instruction Fuzzy Hash: 95414DB0B43B14BED7199B21AF46A2A3EA1EBC4751B142037E80499171EAF5081CDF8E

Function 0043A7F9 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

+, xrefs: 0043A9EE
9, xrefs: 0043A8BA
C, xrefs: 0043A8DA
-, xrefs: 0043A8D0
1, xrefs: 0043AA3E
0, xrefs: 0043AA98
9, xrefs: 0043A868
0, xrefs: 0043A99A
E, xrefs: 0043A8E3
c, xrefs: 0043A8E8
0, xrefs: 0043AA67
9, xrefs: 0043A90E
e, xrefs: 0043A8F1
9, xrefs: 0043AA46
-, xrefs: 0043A9F7
9, xrefs: 0043AA7A
0, xrefs: 0043A923
0, xrefs: 0043A8D5
+, xrefs: 0043A8CB
1, xrefs: 0043AA71
9, xrefs: 0043AA8A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 459740c64b5ce4e23bb149cecde3b2c03d4f6a3d8825df970906966116c2ee7b
Instruction ID: 6d0924f4799b5c2f4fceb875cf7e9d47a54251fa1cca1ac8b614d7762d529f5c
Opcode Fuzzy Hash: 459740c64b5ce4e23bb149cecde3b2c03d4f6a3d8825df970906966116c2ee7b
Instruction Fuzzy Hash: 60E1D171DD4209CEEB25DE54C9457FEB7B1AB0C305F28202BD481A6292D37D99A2CB1B

Function 0042DB6D Relevance: 18.1, APIs: 12, Instructions: 119threadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0042DB92
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DB99
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DBA9
GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DBB8
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DBBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DBC5
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00419589,?,?,?,?,?,?,?,?,00419589), ref: 0042DBE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DBE7
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,00419589,00419589,?,?,?,?,?,?,?,?,00419589), ref: 0042DC0C
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0042DC29
EqualSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DC5A
FreeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,00419589,?,?,00000000,004494FC,00449504), ref: 0042DC79

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
String ID:
API String ID: 884311744-0
Opcode ID: 4d7ad6a401eccffa4808071521d9f2656e8a5d5fea126efed938a0e83231248e
Instruction ID: 9cc35f89f997ea7e9247d7f27303ac2ca9243470d89c78aafe5eff1352451d9b
Opcode Fuzzy Hash: 4d7ad6a401eccffa4808071521d9f2656e8a5d5fea126efed938a0e83231248e
Instruction Fuzzy Hash: C731B172E0026DAFEB11DBA5AC44AEFBBB8EF05344F50446AE540E2250D6788E44DB69

Function 0043CACF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124memoryfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CAD4
SearchPathW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,74DEF550), ref: 0043CAFC
GetModuleFileNameW.KERNEL32(?,00000208), ref: 0043CB1C
FindFirstFileW.KERNEL32(?,?), ref: 0043CB3B
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0043CB77
VirtualProtect.KERNEL32(00000000,00000001,00000004,?), ref: 0043CBC9
VirtualProtect.KERNEL32(00000000,00000001,?,?), ref: 0043CBDE

Strings

RPAWINET.DLL, xrefs: 0043CAE5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Virtual$FileProtect$FindFirstH_prologModuleNamePathQuerySearch
String ID: RPAWINET.DLL
API String ID: 2313386994-274221676
Opcode ID: fc67255ebaa05e3046c77afc617dc899501300c8fff1f48821b2407ec8c90a9e
Instruction ID: ce5ac074073dc2b9e1817622895d6a2256822d56bb3287ae87a1ab6280b8b75c
Opcode Fuzzy Hash: fc67255ebaa05e3046c77afc617dc899501300c8fff1f48821b2407ec8c90a9e
Instruction Fuzzy Hash: 97416D31A0021AAADF20CB94DD85FEFB7B8EF49350F001066E904F6290D774AE45DBA9

Function 0041768E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138filetimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417693
GetTempPathW.KERNEL32(00000400,?,0044952C,?,?), ref: 004176C7
FindFirstFileW.KERNEL32(?,?,?,*.mst,?,00000000,?,?,00000000), ref: 0041775A
CompareFileTime.KERNEL32(?,?), ref: 00417779
DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 00417812
FindNextFileW.KERNEL32(?,?), ref: 0041782E

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Strings

*.mst, xrefs: 00417700, 0041771E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$ErrorFindLast$CompareDeleteFirstFreeH_prologNextPathStringTempTime
String ID: *.mst
API String ID: 3250897778-516677590
Opcode ID: e43615b042da9a5fac4049e880749f37fd82acb92d8546f32b72f324efce5dd5
Instruction ID: 3ee520cdc9e1d0d5a599f577ee510d71d74d6b2be2b6d48292a68a9bbadf70d6
Opcode Fuzzy Hash: e43615b042da9a5fac4049e880749f37fd82acb92d8546f32b72f324efce5dd5
Instruction Fuzzy Hash: 27517D71D04259AEDF14DBA5DC84AEEB778FF14304F0041AAE41AA3291DB385F49CB14

Function 0042DA98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DB3F: GetVersionExW.KERNEL32(?), ref: 0042DB59

GetCurrentProcess.KERNEL32(?,?,?,00424C6A,0044952C,0044952C,00000000), ref: 0042DAA7
OpenProcessToken.ADVAPI32(00000000,00000028,00000000,?,?,?,00424C6A,0044952C,0044952C,00000000), ref: 0042DAB4
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,0044952C), ref: 0042DACB
AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 0042DAF6
ExitWindowsEx.USER32(00000002,0000FFFF), ref: 0042DB04

Strings

SeShutdownPrivilege, xrefs: 0042DAC5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 337752880-3733053543
Opcode ID: df8edbee8cfb0e2842218611a2373283bc8a6f374ab4976b5545c66682a683df
Instruction ID: f281973b0ca3562c6ee39052da8a58b30d9ef990b4e731433467f679e6cdced4
Opcode Fuzzy Hash: df8edbee8cfb0e2842218611a2373283bc8a6f374ab4976b5545c66682a683df
Instruction Fuzzy Hash: CC011A75E00229ABDB109BA5DC09EEFBEBCEF09311F000165A905E2180D6B49A04DBA4

Function 0042DC93 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 0042DCBA
TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 0042DCD5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Info$CharsetLocaleTranslate
String ID:
API String ID: 641124110-0
Opcode ID: 00d1587edc192609e0a73410ea80b1e8c47fc7dc8622a5b5d2e8308df5566fb1
Instruction ID: 4fc2359d3641f9accdca24b3a03306f04c945ee13de77821212c8bfba9e492d3
Opcode Fuzzy Hash: 00d1587edc192609e0a73410ea80b1e8c47fc7dc8622a5b5d2e8308df5566fb1
Instruction Fuzzy Hash: EFF030B0A0031D9ADB10EF66EC45EEE37ACBB05715F80052AF611E62D1E7B8DC41CB58

Function 00440C54 Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

, xrefs: 00440C54
, xrefs: 00440C74

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: c27e8f1453639d69be105a0cb342b7fbcb244135e1622864e7aa60b4dcea6484
Instruction ID: 01e7c55b0828f6aa3bb7effd0542a853fb45cdbec9f4e4ed1f437016c0e3a64d
Opcode Fuzzy Hash: c27e8f1453639d69be105a0cb342b7fbcb244135e1622864e7aa60b4dcea6484
Instruction Fuzzy Hash: E851A2B16043058BEB18CF68D88132ABBE1FFC5314F14896FE4558B355E779D846CB86

Function 00444030 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

@, xrefs: 0044441B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 55e8b233b082d05b331f2b04382b6ae215ba9eddac3615c091099ac44f6b389f
Instruction ID: 4be9eea4d575bdc157094c1d6fc5d2c10631ee6d98b66fea775f5a9c9ac70a7c
Opcode Fuzzy Hash: 55e8b233b082d05b331f2b04382b6ae215ba9eddac3615c091099ac44f6b389f
Instruction Fuzzy Hash: 82E169356083418BE724CF28C4807AFB7E1FFD9700F24492EE98597350D779A94ACB9A

Function 0042DCF0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 0042DD04

Part of subcall function 00432223: WideCharToMultiByte.KERNEL32(00000000,00000000,004494BC,000000FF,00408084,00000014,00000000,00000000,00408084,?,004494C4,004494BC,00000000), ref: 0043223A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ByteCharInfoLocaleMultiWide
String ID:
API String ID: 1196101659-0
Opcode ID: ec5e64fa823c7c8ede9974eeadf004d7ef989aaf90e8d487989e29e63616a106
Instruction ID: 9dfdf0dd8526d94416e44c512a504e26775c84f45eb55726d094034f6691e2ba
Opcode Fuzzy Hash: ec5e64fa823c7c8ede9974eeadf004d7ef989aaf90e8d487989e29e63616a106
Instruction Fuzzy Hash: C9E086316002086AEB019FA0EC46ECA3BA89B08718F400465F705E91D1DAB1D9819794

Function 004369A3 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0003695D), ref: 004369A8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9d19e2c2f0c7804b8bcba8c863892ec4eb695891ef5457696b9f92722ced7aeb
Instruction ID: 4bd718798c3367edeb8cd93b926533c6502f18664287d1ea7ee1e38f911df5ef
Opcode Fuzzy Hash: 9d19e2c2f0c7804b8bcba8c863892ec4eb695891ef5457696b9f92722ced7aeb
Instruction Fuzzy Hash: 36A002F8582702BF9B145F60AE1D7053E61BA4A70EB1164B6E61291264EBF40604FE6F

Function 004369B5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 004369BA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85bfb79dd74dc8a73d94fe5f4effce5cb07743469f9ad9b9285ecb97c3e4e2ea
Instruction ID: 7a9f702e3e5c5720ccbc8379268f1b4fe238b8cc7399bd66a9372702e327decc
Opcode Fuzzy Hash: 85bfb79dd74dc8a73d94fe5f4effce5cb07743469f9ad9b9285ecb97c3e4e2ea
Instruction Fuzzy Hash:

Function 00440EC2 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941111cc1a968de308ffd51cb054228c03f42990cc46747b500b202872239b00
Instruction ID: 02553bd734b4147250f48b391382d36c227f0197fd289bd90a1b58b2682810a1
Opcode Fuzzy Hash: 941111cc1a968de308ffd51cb054228c03f42990cc46747b500b202872239b00
Instruction Fuzzy Hash: 5B72A0716087018BDB1CCF18C4D066ABBE2FFD9304F14866EE8468B759E775D886CB86

Function 00440540 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22be0591d72e8ecde899a6c39522240f2f2b8d4179d6bb6eaff819da7ba74fb
Instruction ID: 7b2f895ff8c8e71e45f84f322956ee77d46fd49376d05321034b3c65078e2a53
Opcode Fuzzy Hash: d22be0591d72e8ecde899a6c39522240f2f2b8d4179d6bb6eaff819da7ba74fb
Instruction Fuzzy Hash: 4F427BB06043018BEB18CF19C490B2BBBE2FFC5304F14895EE9958B356D779E955CB8A

Function 00443BA0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab921efdf3ad7f6cb9f364653ad5d8bd22cd9fbbf10609e01f0b540cc4f331d3
Instruction ID: 1fe1c3616846877b881aedd4986c05056fcc3684d84c2e9b1a86b62f2abb15c9
Opcode Fuzzy Hash: ab921efdf3ad7f6cb9f364653ad5d8bd22cd9fbbf10609e01f0b540cc4f331d3
Instruction Fuzzy Hash: F3E1AD316083458FD718CF2CC89066ABBE1EF99304F14496EF8D6C7342D679E94ACB4A

Function 00442D40 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
Instruction ID: dadf8ebd757150416fa6b191a3f1e72612c2b7248dfafabb1b0f48f17f1db303
Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
Instruction Fuzzy Hash: 68F1BFB65092408FD309CF18D4989E2BBE5FFA8714B1F42FEC4499B362D3729981CB95

Function 004432C0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b444d520b8659bc565af25132037ca0dda94cc07a72d30ad2ab78477e6e39e81
Instruction ID: 7a4f1754fb795b24a23d7db2310a603f8605689be740dbf17289dc60be1cb879
Opcode Fuzzy Hash: b444d520b8659bc565af25132037ca0dda94cc07a72d30ad2ab78477e6e39e81
Instruction Fuzzy Hash: CAD16AB56092518FC319CF28D4D88E27BE5BF98700B1E82F9C9498B323D7729A85CB55

Function 00434E80 Relevance: .3, Instructions: 259COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: d8f3117acc4d5bae1a77fb49f5150a81f4d975ecfb1c55a657f7da1ae5161d45
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 88B17E35A00606DFDB19CF04C5D0AA9BBB1BF58318F28C19ED85A5B342C736EE46CB94

Function 00441E10 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction ID: bceac8e8a29e119a5fa4ba3b1f3c4cdc79589153ddb51d03488b95b7660db798
Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction Fuzzy Hash: 1571703775598207FB2CCE3E8C602BBAAD34FC522432EC87E94DAC7716EC6D94165204

Function 004438B0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6620c8dc2844602fd511b746224f8affa9f2975d57629bfc0a99ab9f02aba2b5
Instruction ID: 3934cac9ecff119c65f170cf77e7def421c2b07d0bc3b36f1f8f9567b705cc44
Opcode Fuzzy Hash: 6620c8dc2844602fd511b746224f8affa9f2975d57629bfc0a99ab9f02aba2b5
Instruction Fuzzy Hash: 4281A23A7152824BE719CF29ECD052BB7E3EB8E300B59843DD645C7356CA34F9158B88

Function 00444920 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: 4e897352398f4d0c85c38943a533acd4655444f93430ac13dde11f5e8345face
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: AC110DE724419283FB55CA3AD4B43BBE395EBC6320B2D427BD0818B798D7299945F60C

Function 00410333 Relevance: 44.1, APIs: 14, Strings: 11, Instructions: 376stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410338
lstrcmpiW.KERNEL32(?,auto,?,?,00000000), ref: 00410396

Part of subcall function 00427168: __EH_prolog.LIBCMT ref: 0042716D

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Strings

<cE, xrefs: 0041075C
PackageName, xrefs: 00410750
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 004106F8
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00410624, 0041062A, 0041069E, 004106A4, 004106D8, 004106F7
embed{, xrefs: 00410524, 00410545
debuglog, xrefs: 0041049E, 004104BF
Software\Microsoft\Windows\CurrentVersion, xrefs: 0041063E
/auto, xrefs: 004103AC
Startup, xrefs: 0041077D
auto, xrefs: 0041038E
%IS_E%, xrefs: 00410614

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeStringlstrcmpi
String ID: %IS_E%$/auto$<cE$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI$PackageName$Software\Microsoft\Windows\CurrentVersion$Startup$auto$debuglog$embed{
API String ID: 593169342-1398701144
Opcode ID: ce28be52073e4b8e12c381949f1b4ba8554947686f1a2b217ca0f0214333e624
Instruction ID: 165e16f101906d619fb27a50ea10244d7c8bbed8721c0dfe8a6ae26b2ed66ba4
Opcode Fuzzy Hash: ce28be52073e4b8e12c381949f1b4ba8554947686f1a2b217ca0f0214333e624
Instruction Fuzzy Hash: 71E1A170A00258ABDB10DF51CC45BEEBB78AF45304F1081ABF509A72A1DB789F88DF59

Function 0042E124 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 242windowlibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042E129
LoadLibraryW.KERNEL32(Shell32.dll,00000000,75C0FB50,00000000), ref: 0042E140
GetProcAddress.KERNEL32(00000000,ShellExecuteExW), ref: 0042E153
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0042E386
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0042E39C
TranslateMessage.USER32(?), ref: 0042E3C0
DispatchMessageW.USER32(?), ref: 0042E3CA
WaitForSingleObject.KERNEL32(?,00000000), ref: 0042E3D4
GetExitCodeProcess.KERNEL32(?,CCCCCCCC), ref: 0042E3E7
CloseHandle.KERNEL32(?), ref: 0042E403
CloseHandle.KERNEL32(?), ref: 0042E408
FreeLibrary.KERNEL32(?), ref: 0042E415

Strings

ShellExecuteExW, xrefs: 0042E14D
@, xrefs: 0042E1D8
Shell32.dll, xrefs: 0042E137
"%s" %s, xrefs: 0042E2DE
<, xrefs: 0042E19E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$CloseHandleLibraryWait$AddressCodeDispatchExitFreeH_prologLoadMultipleObjectObjectsPeekProcProcessSingleTranslate
String ID: "%s" %s$<$@$Shell32.dll$ShellExecuteExW
API String ID: 1278435167-3477205983
Opcode ID: 90f30af299cc89a1e42a111a266b04fccd5a8b1b041a6fcb3c19ed16a36cb438
Instruction ID: f019ce9201cd3b9142ea233848ea4dc10b1653a10afb3309bb26968c9ddba2d0
Opcode Fuzzy Hash: 90f30af299cc89a1e42a111a266b04fccd5a8b1b041a6fcb3c19ed16a36cb438
Instruction Fuzzy Hash: 099147B1D00229ABDF20DFA5DC85AEEBBB8FB08304F5045AAE509A3241D7749E44DF65

Function 004197BE Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 191registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004197C3
wsprintfW.USER32 ref: 004198D7

Part of subcall function 00427BCA: __EH_prolog.LIBCMT ref: 00427BCF

wsprintfW.USER32 ref: 0041990D
wsprintfW.USER32 ref: 00419929
RegQueryValueExW.ADVAPI32(?,InstallerLocation,00000000,?,?,00000104,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,00000001), ref: 004199FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00419A07
RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,00000001), ref: 00419A15

Strings

/quiet /norestart, xrefs: 00419916, 00419955
"%s" /q, xrefs: 004198D1
/c:"msiinst /delayrebootq", xrefs: 00419932
Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 004199A7
"%s" /quiet /norestart, xrefs: 00419907
InstallerLocation, xrefs: 004199F2
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp, xrefs: 00419835
2.0.2600.0, xrefs: 004198AA
"%s" /c:"msiinst /delayrebootq", xrefs: 00419923
Installing MSI engine %s, xrefs: 00419856

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: wsprintf$H_prolog$CloseCurrentDirectoryQueryValue
String ID: "%s" /c:"msiinst /delayrebootq"$"%s" /q$"%s" /quiet /norestart$/c:"msiinst /delayrebootq"$/quiet /norestart$2.0.2600.0$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp$InstallerLocation$Installing MSI engine %s$Software\Microsoft\Windows\CurrentVersion\Installer
API String ID: 2511075342-3556553878
Opcode ID: 95d84500ce0dcb765adaea7fb466e52db07b75af659a799a7b1dfed192bd7699
Instruction ID: b6d20de08b7b8f19bc339cd3f0cb1d21963f93b9354895a04b919c44989969d3
Opcode Fuzzy Hash: 95d84500ce0dcb765adaea7fb466e52db07b75af659a799a7b1dfed192bd7699
Instruction Fuzzy Hash: A161A271A04218ABDF10DFA4C895ADE7778AF05344F10807FE909B7292DB785E89CB59

Function 00409DA2 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 326COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409DA7
wsprintfW.USER32 ref: 00409E3D
GetLastError.KERNEL32(?,?,80400100), ref: 00409EF6
GetLastError.KERNEL32 ref: 00409EFC

Strings

http://, xrefs: 00409DFF
ftp://, xrefs: 00409E16, 00409E1E, 00409E47
Referer: %s, xrefs: 00409E37
dwplayer, xrefs: 00409E7F, 00409EBC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prologwsprintf
String ID: Referer: %s$dwplayer$ftp://$http://
API String ID: 3576247870-3801330208
Opcode ID: e2c09364a3f0855ccc2bcdfc991ef2c182c38a4b2795813ab088306b32d1cc83
Instruction ID: 25a67b1b14a06cb532ae1f912b459d0d14cc7295e40cd0da15a23289556e2d55
Opcode Fuzzy Hash: e2c09364a3f0855ccc2bcdfc991ef2c182c38a4b2795813ab088306b32d1cc83
Instruction Fuzzy Hash: 2DC1CF71D00249EFCB10DFA8C8809EEBBB4AF44314F24817AE455B72D2D7389E45CB6A

Function 00406590 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 232threadinjectionprocessCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406595

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

Part of subcall function 0040276F: SysStringLen.OLEAUT32(?), ref: 0040277D
Part of subcall function 0040276F: SysReAllocStringLen.OLEAUT32(0000001C,?,?), ref: 00402799

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000104,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},00000400,00401AFD,00000001,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?), ref: 004065F2

Part of subcall function 004021F4: __EH_prolog.LIBCMT ref: 004021F9
Part of subcall function 004021F4: GetLastError.KERNEL32(004494FC,00000104), ref: 00402225
Part of subcall function 004021F4: SetLastError.KERNEL32(00000000,?,00000000,?,00000001), ref: 0040225A

Part of subcall function 0040293E: __EH_prolog.LIBCMT ref: 00402943

Part of subcall function 0040387F: __EH_prolog.LIBCMT ref: 00403884
Part of subcall function 0040387F: GetLastError.KERNEL32(004494FC,00449504,00000000,?,0041E645,00449504,00000000,00000022,00449504,00000104,00449504,?,0041E0E0,?), ref: 004038AC
Part of subcall function 0040387F: SetLastError.KERNEL32(?,004494FC,00000000,00000000,?,0041E645,00449504,00000000,00000022,00449504,00000104,00449504,?,0041E0E0,?), ref: 004038F9

Part of subcall function 0043BD41: __EH_prolog.LIBCMT ref: 0043BD46
Part of subcall function 0043BD41: SearchPathW.KERNELBASE(0044952C,?,00000000,00000104,00449504,00000000,?,?,00000104,?,00000000,?,00000000,00000000,?,00449504), ref: 0043BE1F

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000044,00000000,00000000,?,?), ref: 004066BE
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000), ref: 00406786
GetCurrentProcess.KERNEL32(00000000), ref: 00406789
DuplicateHandle.KERNEL32(00000000), ref: 0040678C
GetThreadContext.KERNEL32(?,?), ref: 004067CF
VirtualProtectEx.KERNEL32(?,?,00000C35,00000040,?), ref: 0040680C
WriteProcessMemory.KERNEL32(?,?,?,00000C35,00000000), ref: 0040681F
FlushInstructionCache.KERNEL32(?,?,00000C35), ref: 0040682A
SetThreadContext.KERNEL32(?,00010003), ref: 0040683A
ResumeThread.KERNEL32(?), ref: 00406843
CloseHandle.KERNEL32(?), ref: 00406852
CloseHandle.KERNEL32(?), ref: 00406857

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 004065A5
explorer.exe, xrefs: 00406670

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast$Process$HandleThread$CloseContextCurrentString$AllocCacheCreateDuplicateFileFlushInstructionMemoryModuleNamePathProtectResumeSearchVirtualWrite
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$explorer.exe
API String ID: 3749810042-2402864089
Opcode ID: 5dfba92642edd8cc1d60abc55b650a87ca6715fbf8b19ebd58fbff60061981ea
Instruction ID: cc869bf7d51fc6f129611a70ee6c3ae202f1894771c1c3bcb653eb22fbde7dc7
Opcode Fuzzy Hash: 5dfba92642edd8cc1d60abc55b650a87ca6715fbf8b19ebd58fbff60061981ea
Instruction Fuzzy Hash: 6C918AB6D01218AFEB11DFA5DC84ADEBBB8FB09304F0041AAF909A72A1D7745E44CF54

Function 00410E6D Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 187registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411238: RegOpenKeyExW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0042ED95,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A), ref: 00411252
Part of subcall function 00411238: RegCloseKey.ADVAPI32(?,?,0042ED95,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A,?,?,00000000,00459868,?,00000000), ref: 00411263

RegDeleteValueW.ADVAPI32(?,ISSetup,80000002,Software\Microsoft\Windows\CurrentVersion\Run,000F003F), ref: 00410E97
RegCloseKey.ADVAPI32(?), ref: 00410EA5
CharNextW.USER32(?), ref: 00410ECB
lstrcmpW.KERNEL32(00000000,%IS_V%), ref: 00410EDA
RegQueryValueExW.ADVAPI32(000F003F,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00410FD3
RegDeleteValueW.ADVAPI32(000F003F,?,?,?,?,?,?,?,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Run,000F003F), ref: 00410FDF
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Run,000F003F), ref: 00410FEE
RegCloseKey.ADVAPI32(000F003F,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 0041107C
lstrcpyW.KERNEL32(0045D570,?), ref: 004110B1
RegCloseKey.ADVAPI32(00000000,/verbose,?), ref: 004110C0

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00410E75
%IS_V%, xrefs: 00410ED1
/verbose, xrefs: 00411093
verbose, xrefs: 00410EB0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00410F81
ISSetup, xrefs: 00410E8F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Close$Value$Delete$CharNextOpenQuerylstrcmplstrcpy
String ID: %IS_V%$/verbose$ISSetup$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Run$verbose
API String ID: 3053685545-2584127249
Opcode ID: 2ca57533e63db4b2480b9f15b43c4363ea4b9d6777b6fb979e2c7bfa12732efd
Instruction ID: a6f2fb9da77a578db37a009d5072ed3accdb68bfaec8a6b8d5a9ccf27edc55fa
Opcode Fuzzy Hash: 2ca57533e63db4b2480b9f15b43c4363ea4b9d6777b6fb979e2c7bfa12732efd
Instruction Fuzzy Hash: DE716C30900219EEDF11DF95CC45BEEBBB4BF05305F10816AE915B62A1DBB85A88DF58

Function 00412809 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EE), ref: 00412823
GetWindowTextLengthW.USER32(00000000), ref: 00412839
GetWindowTextW.USER32(00000000,?,000000FF), ref: 00412851
GetDlgItem.USER32(?,000003EF), ref: 0041285B
GetWindowTextLengthW.USER32(00000000), ref: 0041286B
GetWindowTextW.USER32(00000000,?,000000FF), ref: 0041287F
GetDC.USER32(?), ref: 00412884
lstrlenW.KERNEL32(?,?,?), ref: 0041289B
ReleaseDC.USER32(?,00000000), ref: 004128C5
GetWindowRect.USER32(00000000,004564C4), ref: 004128F1
GetWindowPlacement.USER32(004605C8,?,?,?), ref: 00412950
MoveWindow.USER32(004605C8,000003EF,?,?,?,00000001,?,?), ref: 0041296B
GetWindowPlacement.USER32(00000000,0000002C,?,?), ref: 0041297B
MoveWindow.USER32(00000000,000003EF,?,?,?,00000001,?,?), ref: 00412994

Strings

,, xrefs: 00412970

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$Text$ItemLengthMovePlacement$RectReleaselstrlen
String ID: ,
API String ID: 164573090-3772416878
Opcode ID: b153873a1d84a3a8c3f049ae7dd0a9c0657264ce59ef24b9b5ee6a141f7aa19f
Instruction ID: 4519546a1884879f7d90bd5294b747479f04ed448cbe9bfca36577962a710926
Opcode Fuzzy Hash: b153873a1d84a3a8c3f049ae7dd0a9c0657264ce59ef24b9b5ee6a141f7aa19f
Instruction Fuzzy Hash: 97416872D00129BFDF119FA8CD84AEEBBBAFF48310F10016AE904A7254D7B59E41DB94

Function 004277C2 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 117registrystringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,SetupBitmapCls), ref: 004277DA
LoadCursorW.USER32(00000000,00007F00), ref: 0042780B
GetClassInfoW.USER32(?,SetupBitmapCls,?), ref: 0042782E
RegisterClassW.USER32(00000003), ref: 0042783C
GetObjectW.GDI32(00000000,00000018,?), ref: 00427886
GetSystemMetrics.USER32(00000000), ref: 00427893
GetSystemMetrics.USER32(00000001), ref: 004278A2
CreateWindowExW.USER32(00000080,SetupBitmapCls,SetupBitmapWin,86000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004278DB
GetLastError.KERNEL32 ref: 004278E7
SetWindowLongW.USER32(00000000,00000000,00000000), ref: 004278F5
ShowWindow.USER32(00000000,00000005), ref: 00427904
UpdateWindow.USER32(?), ref: 00427910

Strings

SetupBitmapCls, xrefs: 004277CD, 004277D6, 00427821, 004278D1
SetupBitmapWin, xrefs: 004278CC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$ClassMetricsSystem$CreateCursorErrorInfoLastLoadLongObjectRegisterShowUpdatelstrcpy
String ID: SetupBitmapCls$SetupBitmapWin
API String ID: 2500980582-250169166
Opcode ID: e379ed02e6b712b433ab3894bde0252f6fd618bb9253409b9db19167d8690cfd
Instruction ID: 314f32df706ddc92aad10740154a382edef1fa5fa45e89a37dfc2c4782473b34
Opcode Fuzzy Hash: e379ed02e6b712b433ab3894bde0252f6fd618bb9253409b9db19167d8690cfd
Instruction Fuzzy Hash: 1B413E75A04705AFDB109FA4DC89ADFBBB8FB09301F10452AF609E6291D774A940DB54

Function 00401072 Relevance: 24.2, APIs: 16, Instructions: 152filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401090
GetFileSize.KERNEL32(00000000,?), ref: 004010AA
GlobalAlloc.KERNEL32(00000042,0000000A), ref: 004010B8
CloseHandle.KERNEL32(00000000), ref: 004010C6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$AllocCloseCreateGlobalHandleSize
String ID:
API String ID: 2025735303-0
Opcode ID: dcb112b5de8f2fa2b50a367d3c8ccf8731415d3e98096c0f088561c904a4710d
Instruction ID: 7f5d3cf89889d4c205e2487fe18dc70e7eb525e20303a07da452bb6de9aab3e5
Opcode Fuzzy Hash: dcb112b5de8f2fa2b50a367d3c8ccf8731415d3e98096c0f088561c904a4710d
Instruction Fuzzy Hash: 8151B075500204BFEB215F64DC48B9B7BA8FB09361F10862AF666EA2E0C7789D40DB5C

Function 00415C00 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 239registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415C05
RegQueryValueExW.ADVAPI32(?,InstallerLocation,00000000,?,?,00000104,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,?,?,000001FA,System is Win9x or reboot is not being suppressed, reboot will be immediate,?,00000000,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp), ref: 00415EF7
SetCurrentDirectoryW.KERNEL32(?), ref: 00415F04
RegCloseKey.ADVAPI32(?,?,?,000001FA,System is Win9x or reboot is not being suppressed, reboot will be immediate,?,00000000,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp,?,00000001,00000000), ref: 00415F15

Strings

DotNetDelayReboot, xrefs: 00415C7B, 00415CA4
Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 00415EA2
<cE, xrefs: 00415CAD
Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x, xrefs: 00415D45
InstallerLocation, xrefs: 00415EEF
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp, xrefs: 00415D0E, 00415D14, 00415D96, 00415E22
Startup, xrefs: 00415CC9
System is Win9x or reboot is not being suppressed, reboot will be immediate, xrefs: 00415E2B, 00415E4E
Reboot will be deferred, xrefs: 00415D9F, 00415DC2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CloseCurrentDirectoryH_prologQueryValue
String ID: <cE$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp$DotNetDelayReboot$InstallerLocation$Reboot will be deferred$Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x$Software\Microsoft\Windows\CurrentVersion\Installer$Startup$System is Win9x or reboot is not being suppressed, reboot will be immediate
API String ID: 455272628-1379283518
Opcode ID: 9bbba5f879288c31b41f533b006acdb2f9823b2270e03b07491a7c78c253cc83
Instruction ID: 50fa4598c8632ad93466da1f12f64ba4a18da1de5c37eb0f57a6b21cb52f84d6
Opcode Fuzzy Hash: 9bbba5f879288c31b41f533b006acdb2f9823b2270e03b07491a7c78c253cc83
Instruction Fuzzy Hash: EC918DB1901219EBDF15DFA4CC94BEE7BB8BF44304F10412FE906A7292D7785A85CB58

Function 0041CFC8 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CFCD
VariantChangeType.OLEAUT32(004494DC,004494DC,00000000,00000002), ref: 0041D00D
VariantClear.OLEAUT32(004494DC), ref: 0041D1D1

Strings

{1C370964-514B-321C-7237-2B4FD86D8568}, xrefs: 0041D14A, 0041D15A
{78705f0d-e8db-4b2d-8193-982bdda15ecd}, xrefs: 0041D066
{9B29D757-088E-E8C9-2535-AA319B92C00A}, xrefs: 0041D05C
Software\Microsoft\Active Setup\Installed Components\%s, xrefs: 0041D18B
{6741C120-01BA-87F9-8734-5FB9DA8A4445}, xrefs: 0041D07F
{F279058C-50B2-4BE4-60C9-369CACF06821}, xrefs: 0041D070
{F1B13231-13BE-1231-5401-486BA763DEB6}, xrefs: 0041D0AE
{021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}, xrefs: 0041D143
{E7E2C871-090A-C372-F9AE-C3C6A988D260}, xrefs: 0041D0DB
{7E76A8D6-33D1-0032-16C3-4593092861D0}, xrefs: 0041D114

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Variant$ChangeClearH_prologType
String ID: Software\Microsoft\Active Setup\Installed Components\%s${021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}${1C370964-514B-321C-7237-2B4FD86D8568}${6741C120-01BA-87F9-8734-5FB9DA8A4445}${78705f0d-e8db-4b2d-8193-982bdda15ecd}${7E76A8D6-33D1-0032-16C3-4593092861D0}${9B29D757-088E-E8C9-2535-AA319B92C00A}${E7E2C871-090A-C372-F9AE-C3C6A988D260}${F1B13231-13BE-1231-5401-486BA763DEB6}${F279058C-50B2-4BE4-60C9-369CACF06821}
API String ID: 2549134154-3581822646
Opcode ID: d6d38825ff1e7eed5dcc9f67a44f4487cff5df974d164b27bd6888370d22b9ff
Instruction ID: 7920e60bc6bede8e73d5b1298714ac8af6cae52302251b4d254bb8f2126c5ca9
Opcode Fuzzy Hash: d6d38825ff1e7eed5dcc9f67a44f4487cff5df974d164b27bd6888370d22b9ff
Instruction Fuzzy Hash: 1251A2B1D01108EADB10DB95C955BEEBBB8EF14304F10806FE506B7282DB785F49CB59

Function 0041189E Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 004118B7
GetWindowRect.USER32(00000000,?), ref: 004118C0
GetSystemMetrics.USER32(00000001), ref: 004118CA
GetSystemMetrics.USER32(00000000), ref: 004118CE
SetRect.USER32(?,00000000,00000000,00000000), ref: 004118D7
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0041190E
IsWindow.USER32(00000000), ref: 00411917
GetWindowRect.USER32(00000000,?), ref: 0041192D
IntersectRect.USER32(?,?,?), ref: 0041193B
SubtractRect.USER32(?,?,?), ref: 00411957
SetWindowPos.USER32(00000000,?,0041181A,0000001E,00000000,00000000,00000005,0000001E,?,?,00000000), ref: 00411997

Strings

F, xrefs: 00411924
Shell_TrayWnd, xrefs: 00411909

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: RectWindow$MetricsSystem$FindIntersectSubtract
String ID: F$Shell_TrayWnd
API String ID: 301737298-1447713892
Opcode ID: ee53bd97fa27c3c368d17283358bc98679baf50b178257e87b094a3103e8a9ef
Instruction ID: 57b863609c678f2113c01f94ff4d23981666e8e2b37a7e5d6a1a171e6201ddba
Opcode Fuzzy Hash: ee53bd97fa27c3c368d17283358bc98679baf50b178257e87b094a3103e8a9ef
Instruction Fuzzy Hash: 4531F8B6D0020DAFDB10DFE8DD88EEFBBBDEB49700F114026E911A7295D674A905CB64

Function 0040B05B Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 183libraryloaderfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B060
LoadLibraryW.KERNEL32(crypt32.dll,74DEF550,00000000,?), ref: 0040B078
GetProcAddress.KERNEL32(00000000,CertCompareCertificate), ref: 0040B099
GetProcAddress.KERNEL32(?,CertAddSerializedElementToStore), ref: 0040B0A6
GetProcAddress.KERNEL32(?,CertFreeCertificateContext), ref: 0040B0B3
CreateFileW.KERNEL32(0000003C,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 0040B11A
GetFileSize.KERNEL32(00000000,00000000), ref: 0040B155
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,?), ref: 0040B17C

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Strings

CertFreeCertificateContext, xrefs: 0040B0A8
crypt32.dll, xrefs: 0040B070
CertCompareCertificate, xrefs: 0040B093
CertAddSerializedElementToStore, xrefs: 0040B09B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressFileProc$ErrorH_prologLast$CreateLibraryLoadReadSize
String ID: CertAddSerializedElementToStore$CertCompareCertificate$CertFreeCertificateContext$crypt32.dll
API String ID: 521922201-2082943641
Opcode ID: 0f1987ae60592010547276ef221128c6259a6af66481390565fa144df6dc3429
Instruction ID: bcb77afd250b0547eca0dae2499f07fc5488729967ad26799288d948ac730901
Opcode Fuzzy Hash: 0f1987ae60592010547276ef221128c6259a6af66481390565fa144df6dc3429
Instruction Fuzzy Hash: B6616771D0024AABDF11DFA4DC95AAEBBB8EB09344F14447EE101B7291DB384E44DBA8

Function 00427168 Relevance: 19.6, APIs: 3, Strings: 8, Instructions: 383COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042716D
wsprintfW.USER32 ref: 00427283
wsprintfW.USER32 ref: 004272AA

Part of subcall function 00410024: __EH_prolog.LIBCMT ref: 00410029
Part of subcall function 00410024: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00427389,no_engine,?,00000001,?,00000000,00000000,?,?,00000000,0000000A,Startup), ref: 00410052
Part of subcall function 00410024: SetLastError.KERNEL32(00000003,00000000,?,00427389,no_engine,?,00000001,?,00000000,00000000,?,?,00000000,0000000A,Startup,00000000), ref: 00410089
Part of subcall function 00410024: SetLastError.KERNEL32(?,?,00427389,no_engine,?,00000001,?,00000000,00000000,?,?,00000000,0000000A,Startup,00000000,00000000), ref: 004100C1

Part of subcall function 004291E6: __EH_prolog.LIBCMT ref: 004291EB

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Strings

auto, xrefs: 004273DE
ScriptDriven, xrefs: 004272B3, 004272DB
%s"%s", xrefs: 00427296
Startup, xrefs: 00427307
%s, xrefs: 004272A4
<cE, xrefs: 004272E7
no_engine, xrefs: 00427375
%s%s, xrefs: 00427277

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$wsprintf$FreeString
String ID: %s$ %s"%s"$ %s%s$<cE$ScriptDriven$Startup$auto$no_engine
API String ID: 2485261583-2847612702
Opcode ID: 25111aed89a1c526a71c6521480d308dd0d5e01ed9ad10ad9e38483e96784ad7
Instruction ID: 84b56c2eb02f496df1df78f58b31ba682d2e2a0ed5928bac5e1f91c29d8f80a7
Opcode Fuzzy Hash: 25111aed89a1c526a71c6521480d308dd0d5e01ed9ad10ad9e38483e96784ad7
Instruction Fuzzy Hash: C5E1D471D04218EADF11DBA4C951EEEB7B8AF15308F5041AFF506A3282DB385F49CB29

Function 0040D860 Relevance: 19.6, APIs: 13, Instructions: 113memoryfilestringCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(?,00000000), ref: 0040D870
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040D896
HeapAlloc.KERNEL32(00000000), ref: 0040D899
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040D8BC
lstrlenA.KERNEL32(?), ref: 0040D8CD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 0040D8F4
GetProcessHeap.KERNEL32(00000008,00000003), ref: 0040D920
HeapAlloc.KERNEL32(00000000), ref: 0040D923
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040D942
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 0040D965
HeapFree.KERNEL32(00000000), ref: 0040D968
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D973
HeapFree.KERNEL32(00000000), ref: 0040D976

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Heap$Process$File$AllocFreeRead$ByteCharMultiSizeWidelstrlen
String ID:
API String ID: 4145069544-0
Opcode ID: 271ac0b9b910060669b2be10965dfbfb74ae5305e77e94bc3f07ac7fd5c6943b
Instruction ID: 09cdc710c3ce73badf7cc07d24b256e576610e976a650309baa38522e5f17643
Opcode Fuzzy Hash: 271ac0b9b910060669b2be10965dfbfb74ae5305e77e94bc3f07ac7fd5c6943b
Instruction Fuzzy Hash: 2231F8B5900109BBDF109FA5DC88DAB7BA9FF49364B00856AF919D72A0C7349E04DB68

Function 0043E330 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 249registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\InstallShield\15.0\Professional,00000000,00020019,?), ref: 0043E3C2
RegQueryValueExA.ADVAPI32(?,VerboseLogPath,00000000,?,00000000,?,?,00000104,?,00000000,?,0000000C), ref: 0043E470
GetLastError.KERNEL32(?,0000000C), ref: 0043E49B
SetLastError.KERNEL32(00000000,?,?,?,00000001,?,0000000C), ref: 0043E4DC

Part of subcall function 004016F5: lstrlenW.KERNEL32(004494DC,004494C4,00000000,004494BC,?,?,0043E97D), ref: 00401748
Part of subcall function 004016F5: WideCharToMultiByte.KERNEL32(00000000,00000000,004494DC,000000FF,?,00000002,00000000,00000000,?,?,0043E97D), ref: 00401770

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000104,?,00000000,?,00000000,?,0000000C), ref: 0043E53E
GetLastError.KERNEL32(?,0000000C), ref: 0043E568
SetLastError.KERNEL32(00000000,?,?,?,00000001,?,0000000C), ref: 0043E5B1
RegCloseKey.ADVAPI32(?,00000002,?,InstallShield.log,?,00000000,?,0000000C), ref: 0043E6B9

Strings

SOFTWARE\InstallShield\15.0\Professional, xrefs: 0043E3B4
InstallShield.log, xrefs: 0043E63B, 0043E65E
VerboseLogPath, xrefs: 0043E462

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$ByteCharCloseFileModuleMultiNameOpenQueryValueWidelstrlen
String ID: InstallShield.log$SOFTWARE\InstallShield\15.0\Professional$VerboseLogPath
API String ID: 2272270023-858269868
Opcode ID: bd623c0b043a5bcb72e2ed614ad65e0770a5efa23d1afd7426beb33e9e918d04
Instruction ID: d41bbee8d5c23323184d62010ccbdb5b2add1493fd40aa1465339ec68e86e548
Opcode Fuzzy Hash: bd623c0b043a5bcb72e2ed614ad65e0770a5efa23d1afd7426beb33e9e918d04
Instruction Fuzzy Hash: 5AA16D75108380AFD320DB65C891B9BB7E5AFD9708F00491EF589973D2EB789809CB5B

Function 00423EC3 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00423EC8

Part of subcall function 00424222: __EH_prolog.LIBCMT ref: 00424227
Part of subcall function 00424222: GetLastError.KERNEL32(?,00000001,?,?,00423EEC,?,00000001,?,?,?), ref: 00424254
Part of subcall function 00424222: SetLastError.KERNEL32(00000000,?,?,00423EEC,?,00000001,?,?,?), ref: 0042428E
Part of subcall function 00424222: SysStringLen.OLEAUT32(00000000), ref: 0042429C
Part of subcall function 00424222: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004242A9
Part of subcall function 00424222: SetLastError.KERNEL32(00000000,?,?,00423EEC,?,00000001,?,?,?), ref: 004242BB

SysStringLen.OLEAUT32(?), ref: 00423F86

Part of subcall function 0042409C: SysStringLen.OLEAUT32(00000000), ref: 004240B0
Part of subcall function 0042409C: SysFreeString.OLEAUT32(000000FF), ref: 004240FF

SysStringLen.OLEAUT32(?), ref: 00423F65

Part of subcall function 0042409C: SysAllocStringLen.OLEAUT32(00000000,0042ADAD), ref: 004240C3

Part of subcall function 00409BC6: GetLastError.KERNEL32(00000001,753C3F50,?,?,0042405C,?,00000000), ref: 00409BDF
Part of subcall function 00409BC6: SysFreeString.OLEAUT32(?), ref: 00409BED
Part of subcall function 00409BC6: SetLastError.KERNEL32(?,?,?,0042405C,?,00000000), ref: 00409C00
Part of subcall function 00409BC6: GetLastError.KERNEL32(?,?,0042405C,?,00000000), ref: 00409C18
Part of subcall function 00409BC6: SysFreeString.OLEAUT32(?), ref: 00409C39
Part of subcall function 00409BC6: SetLastError.KERNEL32(?,?,?,0042405C,?,00000000), ref: 00409C4D

wsprintfW.USER32 ref: 00423F44

Part of subcall function 00424195: __EH_prolog.LIBCMT ref: 0042419A
Part of subcall function 00424195: GetLastError.KERNEL32(?,00000400,?,00423EB9,?,00000001), ref: 004241C6
Part of subcall function 00424195: SysAllocString.OLEAUT32(?), ref: 004241D5
Part of subcall function 00424195: SetLastError.KERNEL32(?,?,00423EB9,?,00000001,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00424204

wsprintfW.USER32 ref: 00423FC0
SysStringLen.OLEAUT32(?), ref: 00423FE1
SysStringLen.OLEAUT32(?), ref: 00424002
wsprintfW.USER32 ref: 0042401F
SysStringLen.OLEAUT32(?), ref: 00424042
SysStringLen.OLEAUT32(?), ref: 00424060

Strings

%d , xrefs: 00423F3E, 00423FBA, 00424019

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$ErrorLast$AllocFreeH_prologwsprintf
String ID: %d
API String ID: 3786065971-4214805362
Opcode ID: f203f7359a2a7d44649326d290f8e3f24e10b9c14a9749dcce41430b315b826f
Instruction ID: e9d10e2af7a75b22937e4413ae1e5733faecc5f30e79bf3a3a4bb521f33647f9
Opcode Fuzzy Hash: f203f7359a2a7d44649326d290f8e3f24e10b9c14a9749dcce41430b315b826f
Instruction Fuzzy Hash: C2510B71E00129EBCF14DFA5DC44EDEBBB9FF54314F00846AA518A7281DB789A44CB94

Function 0041AC4D Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 444windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041AC52
SendMessageW.USER32(00020468,00000401,00000000,00000001), ref: 0041ACA4

Part of subcall function 0042C9AE: wsprintfW.USER32 ref: 0042C9E4
Part of subcall function 0042C9AE: wvsprintfW.USER32(?,?,?), ref: 0042C9FF

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 0041ADC9
DownloadFiles: %s, xrefs: 0041B06B
x, xrefs: 0041B1B9
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp, xrefs: 0041AD4B, 0041B044
DownloadFiles: downloading %s, xrefs: 0041AD72
x, xrefs: 0041B1BD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologMessageSendwsprintfwvsprintf
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$DownloadFiles: %s$DownloadFiles: downloading %s$x$x
API String ID: 483945354-2535006805
Opcode ID: d4520056a98a76ac032b7ce93694e05e9c05229c1d8e175f544a21f06367aee4
Instruction ID: ca16b3e0f3f6f88b312db842238345badbd4116995dd89590f73099933ac2909
Opcode Fuzzy Hash: d4520056a98a76ac032b7ce93694e05e9c05229c1d8e175f544a21f06367aee4
Instruction Fuzzy Hash: 9402B3B1E01219AFDF14DBA5CC91AEEB7B4EF14304F1040AEE509B7281D7789E89CB59

Function 0043E910 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 268timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 004016F5: lstrlenW.KERNEL32(004494DC,004494C4,00000000,004494BC,?,?,0043E97D), ref: 00401748
Part of subcall function 004016F5: WideCharToMultiByte.KERNEL32(00000000,00000000,004494DC,000000FF,?,00000002,00000000,00000000,?,?,0043E97D), ref: 00401770

GetDateFormatA.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080), ref: 0043E994
GetLastError.KERNEL32(004494C4), ref: 0043E9CD
SetLastError.KERNEL32(00000000,?,?,?,00000001), ref: 0043EA0E
GetTimeFormatA.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080,?,00000000,004494C4), ref: 0043EA72
GetLastError.KERNEL32(?), ref: 0043EA9D
SetLastError.KERNEL32(00000000,?,?,?,00000001), ref: 0043EADE

Strings

hh':'mm':'ss tt, xrefs: 0043EA61
%s[%s]: %s, xrefs: 0043ECB8
%s[%s]: %s -- File: %s, Line: %d, xrefs: 0043EC7B
M-d-yyyy, xrefs: 0043E983

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$Format$ByteCharDateH_prologMultiTimeWidelstrlen
String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$M-d-yyyy$hh':'mm':'ss tt
API String ID: 2006859047-1641453432
Opcode ID: 6a2ed5ca448cb0ea3660e98cd9ada0783e16545d709c4b2c17bf57125582e53a
Instruction ID: 5415941b3081036838b5f04c622678d2af85938e4f819a8c0a51ddb0f8188562
Opcode Fuzzy Hash: 6a2ed5ca448cb0ea3660e98cd9ada0783e16545d709c4b2c17bf57125582e53a
Instruction Fuzzy Hash: 14B17075108380AAE330DB66C851FDBB7E4AF99704F04891EF5C9572C2DB789909CB67

Function 004230FE Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 261windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000000), ref: 0042316A
SendMessageW.USER32(00000000), ref: 00423173
GetDlgItem.USER32(?,00000000), ref: 0042319F
SendMessageW.USER32(00000000), ref: 004231A2
GetDlgItem.USER32(?,00000000), ref: 00423204
SendMessageW.USER32(00000000), ref: 0042320B
EndDialog.USER32(?,00000002), ref: 00423258
DeleteObject.GDI32 ref: 00423423

Strings

Next, xrefs: 004232C3
Cancel, xrefs: 004232B1

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ItemMessageSend$DeleteDialogObject
String ID: Cancel$Next
API String ID: 973195655-3345815963
Opcode ID: e66c03ce3a2e0a649d7cb08882dd7cc25318dc51d2696de89cdb679d788e8ad7
Instruction ID: d0b707267a16d9df289dd638cc3f5e17d983b67745eac28c724e84c7bc526af5
Opcode Fuzzy Hash: e66c03ce3a2e0a649d7cb08882dd7cc25318dc51d2696de89cdb679d788e8ad7
Instruction Fuzzy Hash: 7D918C35200261AFC700AF65ED58D6A3BB9FF89705B0440AAF905DB271DBB99D10CB2E

Function 00419A36 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419A3B

Strings

ScriptDriven, xrefs: 00419A54, 00419A7E
Install does not use script, xrefs: 00419D00, 00419D22
<cE, xrefs: 00419B62, 00419B66
Install is basic with InstallScript custom actions, xrefs: 00419BDB, 00419C03
Install is script driven MSI 4.5 style embedded UI (ISMSI), xrefs: 00419B3F, 00419B67
<cE, xrefs: 00419A8A
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp, xrefs: 00419B2F, 00419BCB, 00419C6B, 00419CF0
Install is script driven (ISMSI), xrefs: 00419C7B, 00419C9D
Startup, xrefs: 00419AAC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: <cE$<cE$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp$Install does not use script$Install is basic with InstallScript custom actions$Install is script driven (ISMSI)$Install is script driven MSI 4.5 style embedded UI (ISMSI)$ScriptDriven$Startup
API String ID: 3519838083-330695508
Opcode ID: 975910101b0bf396f6bbd426ace277a1967c85889ccb2e653b39a43213323e49
Instruction ID: 3884c57d3f163a074b1df4bbe565841811de756eabc0c5dfc98be92a796e9fc2
Opcode Fuzzy Hash: 975910101b0bf396f6bbd426ace277a1967c85889ccb2e653b39a43213323e49
Instruction Fuzzy Hash: E5919471901258AFDF25DB94DC51BEEBB78BF04304F1041AEE14AA32D1EB785E89CB58

Function 00438211 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0044A210,00000001,00000000,00000000,74DEE860,00463E0C,?,?,?,00434147,?,?,?,00000000), ref: 00438253
LCMapStringA.KERNEL32(00000000,00000100,0044A20C,00000001,00000000,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 0043826F
LCMapStringA.KERNEL32(?,?,?,GAC,?,?,74DEE860,00463E0C,?,?,?,00434147,?,?,?,00000000), ref: 004382B8
MultiByteToWideChar.KERNEL32(?,?,?,GAC,00000000,00000000,74DEE860,00463E0C,?,?,?,00434147,?,?,?,00000000), ref: 004382F0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 00438348
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 0043835E
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00434147,?,?,?,00000000,00000001), ref: 00438391
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 004383F9

Strings

GAC, xrefs: 004382DB, 0043833D, 004382AC, 0043828C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: GAC
API String ID: 352835431-2351115321
Opcode ID: ef1964052034589cd01ba256297acaa72c8ff871d992e95a5c9a03bd454241bd
Instruction ID: a70e3b529ebc888411355f66ba6cbc6f94228451afb68a63ff3e0d94f7dcb85d
Opcode Fuzzy Hash: ef1964052034589cd01ba256297acaa72c8ff871d992e95a5c9a03bd454241bd
Instruction Fuzzy Hash: 37515931500709BBCF228F95CC45AAFBBB9FB49B50F10412AF914A1260D77A8D61EB69

Function 004146EE Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 176stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004146F3

Part of subcall function 0041DC5D: __EH_prolog.LIBCMT ref: 0041DC62

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

lstrcpyW.KERNEL32(?,?), ref: 00414790
lstrcatW.KERNEL32(?,langpack.exe), ref: 004147B7
lstrcpyW.KERNEL32(?,?), ref: 00414855
lstrcatW.KERNEL32(?,vjredist20-LP.exe), ref: 00414879

Strings

langpack20.exe, xrefs: 004147AB
vjredist-LP.exe, xrefs: 00414860
vjredist20-LP.exe, xrefs: 0041486D
langpack.exe, xrefs: 0041479E
(, xrefs: 004148E0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLastlstrcatlstrcpy
String ID: ($langpack.exe$langpack20.exe$vjredist-LP.exe$vjredist20-LP.exe
API String ID: 4207419951-3033770342
Opcode ID: f5f2f71e5281b3accf85003a89408882f0fa5dd8bfbd36519e3d4fa59f1bae2e
Instruction ID: 0a7aa967815a420e178b401d28802b216ba4b16a4f407a8831446ba7778bb172
Opcode Fuzzy Hash: f5f2f71e5281b3accf85003a89408882f0fa5dd8bfbd36519e3d4fa59f1bae2e
Instruction Fuzzy Hash: 3F61C375E01218EFCF10DFA4C985ADEBBB8AF45304F20806BE455A7281D7789F89CB55

Function 0043D9FB Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 164stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043DA00

Part of subcall function 0043C8C3: LoadLibraryW.KERNEL32(wininet.dll,?,0043DF51), ref: 0043C8D8
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0043C8F8
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetOpenUrlW), ref: 0043C90A
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetConnectW), ref: 0043C91C
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCrackUrlW), ref: 0043C92E
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCreateUrlW), ref: 0043C940
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetGetLastResponseInfoW), ref: 0043C952
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetOptionW), ref: 0043C964
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpQueryInfoW), ref: 0043C976
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpOpenRequestW), ref: 0043C988
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpSendRequestW), ref: 0043C99A
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpSendRequestExW), ref: 0043C9AC
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpEndRequestW), ref: 0043C9BE
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetQueryOptionW), ref: 0043C9D0
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCanonicalizeUrlW), ref: 0043C9E2
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetGetCookieW), ref: 0043C9F4
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetCookieW), ref: 0043CA06
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetFindNextFileW), ref: 0043CA18
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 0043CA2A
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetStatusCallbackW), ref: 0043CA3C
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetStatusCallback), ref: 0043CA52
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCloseHandle), ref: 0043CA64
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetReadFile), ref: 0043CA76

SetLastError.KERNEL32(00002EE6,?,00000000,00000001), ref: 0043DA6E

Part of subcall function 0043CCE6: SetLastError.KERNEL32(0000007F,0043DC85,?,00000000,00000000,0000003C,00000000,10000000,00000000,0043DF7C,?,10000000,00000001), ref: 0043CCFE

lstrcmpiW.KERNEL32(?,?,?,00000000,00000001), ref: 0043DAF5
lstrlenW.KERNEL32(?,?,?,?,00000000,00000001), ref: 0043DB3D
lstrcpyW.KERNEL32(00000000,?), ref: 0043DB54
lstrlenW.KERNEL32(?,?,00000000,00000001), ref: 0043DB59
lstrcpyW.KERNEL32(00000000,?), ref: 0043DB6F
lstrcatW.KERNEL32(00000000,?), ref: 0043DB7C

Part of subcall function 0043CC6A: SetLastError.KERNEL32(0000007F), ref: 0043CC85

Strings

<, xrefs: 0043DA1B
GET, xrefs: 0043DB95

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressProc$ErrorLast$lstrcpylstrlen$H_prologLibraryLoadlstrcatlstrcmpi
String ID: <$GET
API String ID: 2945943887-427699995
Opcode ID: f5de488641024d6b93ef67d65d59564afa0cc78a28990b7dec9eec66fe03d022
Instruction ID: 891df58db90b31206cbcb850cbe4f940bc06d8f8b076bfd8a09afd1fd8c046eb
Opcode Fuzzy Hash: f5de488641024d6b93ef67d65d59564afa0cc78a28990b7dec9eec66fe03d022
Instruction Fuzzy Hash: 90519972C00109AFDF11AFA0DD85EAFBBB9FF08304F14911AF515A22A1D7399E11DB68

Function 0040AE9C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AEA1
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 0040AECF
GetProcAddress.KERNEL32(?,WTHelperProvDataFromStateData), ref: 0040AFCD
GetProcAddress.KERNEL32(?,WTHelperGetProvSignerFromChain), ref: 0040AFE2
GetProcAddress.KERNEL32(?,WTHelperGetProvCertFromChain), ref: 0040AFFE

Part of subcall function 0040B05B: __EH_prolog.LIBCMT ref: 0040B060
Part of subcall function 0040B05B: LoadLibraryW.KERNEL32(crypt32.dll,74DEF550,00000000,?), ref: 0040B078
Part of subcall function 0040B05B: GetProcAddress.KERNEL32(00000000,CertCompareCertificate), ref: 0040B099
Part of subcall function 0040B05B: GetProcAddress.KERNEL32(?,CertAddSerializedElementToStore), ref: 0040B0A6
Part of subcall function 0040B05B: GetProcAddress.KERNEL32(?,CertFreeCertificateContext), ref: 0040B0B3
Part of subcall function 0040B05B: CreateFileW.KERNEL32(0000003C,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 0040B11A

Strings

WTHelperProvDataFromStateData, xrefs: 0040AFC6
WinVerifyTrust, xrefs: 0040AEC9
<, xrefs: 0040AF9F
WTHelperGetProvCertFromChain, xrefs: 0040AFF7
WTHelperGetProvSignerFromChain, xrefs: 0040AFD8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressProc$H_prolog$CreateFileLibraryLoad
String ID: <$WTHelperGetProvCertFromChain$WTHelperGetProvSignerFromChain$WTHelperProvDataFromStateData$WinVerifyTrust
API String ID: 1559510547-2103055557
Opcode ID: 8e83f93c765c1802245840caf3781e88a8c6a3e08d13f7440e8ee863872d5afc
Instruction ID: f4410640a0303d8fa660dbd589c61348f28d2bf6aac7c0bd7b8ceb02863ce1be
Opcode Fuzzy Hash: 8e83f93c765c1802245840caf3781e88a8c6a3e08d13f7440e8ee863872d5afc
Instruction Fuzzy Hash: 89516D70901228ABDF11EF95CC85AEEBBB8FF08754F10402BF414F6292D7789A44DB98

Function 00437B17 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,00432E73), ref: 00437B35
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,00432E73), ref: 00437B49
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,00432E73), ref: 00437B6A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00437BA1
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,00432E73), ref: 00437BC1
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,?,00432E73), ref: 00437BDF
FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,00432E73), ref: 00437C14
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,s.C,?,00000000,?,?,?,00432E73), ref: 00437C44
FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,00432E73), ref: 00437C7A

Strings

s.C, xrefs: 00437C2B, 00437C37

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID: s.C
API String ID: 158306478-1294210589
Opcode ID: 6c7ab0df24a04ee4c9a150d7ef854d0d0b21b336f9b1157c2bb04ed964bf11c5
Instruction ID: fe78813ad2da09b6fc0fa2d34a94678478e61e882bf3539415fc705324cfd13c
Opcode Fuzzy Hash: 6c7ab0df24a04ee4c9a150d7ef854d0d0b21b336f9b1157c2bb04ed964bf11c5
Instruction Fuzzy Hash: 4D416DB150C2165BD7316F244C44B2BB2A8EF4D768F14253BF991D3350EB68DC41829D

Function 00410BE1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 103registrystringCOMMON

Download Yara Rule

APIs

CharNextW.USER32(?,tempdisk1folder,?,00000000), ref: 00410C03
lstrcmpW.KERNEL32(00000000,%IS_T%,?,00000000), ref: 00410C11
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F,?,00000000), ref: 00410C85
RegDeleteValueW.ADVAPI32(?,00000000,?,?,?,00000000), ref: 00410CAA
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00410CBE
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00410CCF

Part of subcall function 00424A20: lstrlenW.KERNEL32(?,00000000,00000000,?,00406A2D,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00424A2A
Part of subcall function 00424A20: lstrcpyW.KERNEL32(00000000,?), ref: 00424A49
Part of subcall function 00424A20: lstrcpyW.KERNEL32(C:\Users\user\Desktop,?), ref: 00424A51

Part of subcall function 0040FBC8: __EH_prolog.LIBCMT ref: 0040FBCD

RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F,?,00000000), ref: 00410CFF

Strings

%IS_T%, xrefs: 00410C0B
tempdisk1folder, xrefs: 00410BE1, 00410BE6, 00410BEF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00410C31

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Close$Valuelstrcpy$CharDeleteH_prologNextQuerylstrcmplstrlen
String ID: %IS_T%$Software\Microsoft\Windows\CurrentVersion$tempdisk1folder
API String ID: 2302879836-2587550752
Opcode ID: a7cf0e46179fff19e1c8e90740b409ad9d3b83e5096c5126d2d4e7602317559d
Instruction ID: 9bf8f369a1ed8fffbdaf83cfef889465a3c42ddc88cf1325a221014c768ff3b2
Opcode Fuzzy Hash: a7cf0e46179fff19e1c8e90740b409ad9d3b83e5096c5126d2d4e7602317559d
Instruction Fuzzy Hash: 9B419A31900118BBCB10DF61DC55AEEBB78EF45325F10816AFA1AA62A1D7788F84DF58

Function 0042AFEB Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 246fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042AFF0

Part of subcall function 0041DC5D: __EH_prolog.LIBCMT ref: 0041DC62

GetFileAttributesW.KERNEL32(?,0000003B,?), ref: 0042B0EF
GetTempPathW.KERNEL32(00000104,00000000,?,00000104,?,00000000), ref: 0042B139
GetTempFileNameW.KERNEL32(?,IS_,00000000,?,?,00000104), ref: 0042B180
GetModuleFileNameW.KERNEL32(?,00000104), ref: 0042B1A0

Part of subcall function 00408512: __EH_prolog.LIBCMT ref: 00408517
Part of subcall function 00408512: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000,?), ref: 00408540
Part of subcall function 00408512: SetLastError.KERNEL32(?,?,00000000,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000), ref: 00408595

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

SysFreeString.OLEAUT32(?), ref: 0042B1ED

Part of subcall function 0040BFB9: GetProcAddress.KERNEL32(?,RunISMSIMajorUpgradeRemoval), ref: 0040BFC2

DeleteFileW.KERNEL32(?), ref: 0042B297

Strings

IS_, xrefs: 0042B17A
ISSetup.dll, xrefs: 0042B1CA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorFileLast$H_prolog$FreeNameStringTemp$AddressAttributesDeleteModulePathProc
String ID: ISSetup.dll$IS_
API String ID: 601601113-269610055
Opcode ID: beafa3243951bdeb8f7defddaf8d0b1fd16d384aac6c69658dce7dd7851fbaa1
Instruction ID: 49fa8577c87a577301bdfd6ccf77b2878f591a0e8e75bb5e7129fe4d116df80a
Opcode Fuzzy Hash: beafa3243951bdeb8f7defddaf8d0b1fd16d384aac6c69658dce7dd7851fbaa1
Instruction Fuzzy Hash: 89A1E470D00258EEDF01EBE5D894AEEBB78EF14304F5080AEE515B7291DB785E08CB69

Function 0040B9B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 241libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B9B5
GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 0040BA08
GetModuleFileNameW.KERNEL32(?,00000400,?,00000400,?,00000000), ref: 0040BB11

Part of subcall function 004282A3: __EH_prolog.LIBCMT ref: 004282A8

Part of subcall function 004086AA: lstrlenW.KERNEL32(0044952C,?,004494FC,00000000,?,?,0042C27A), ref: 004086FD
Part of subcall function 004086AA: WideCharToMultiByte.KERNEL32(00000000,00000000,0044952C,000000FF,?,00000002,00000000,00000000,?,0042C27A), ref: 00408725

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Strings

RunISMSISetup, xrefs: 0040B9FF
setup.exe, xrefs: 0040BBEA, 0040BC0A
Could not find entry point in ISSetup.dll, xrefs: 0040BA41, 0040BA68
C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cpp, xrefs: 0040BA31, 0040BB73
u, xrefs: 0040BB9C
Launching InstallScript engine: %s, %s, %d, xrefs: 0040BBA9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLast$AddressByteCharFileFreeModuleMultiNameProcStringWidelstrlen
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cpp$Could not find entry point in ISSetup.dll$Launching InstallScript engine: %s, %s, %d$RunISMSISetup$setup.exe$u
API String ID: 534426210-584566939
Opcode ID: 13e6086452b7bc5ac88e72e64ff5432f6d201dfe0ac466ad7d254e84c9952ec3
Instruction ID: 10edb69e99c9bbaa154fd063528a1bdc6015c1b144c98573725b6687df9f5ebb
Opcode Fuzzy Hash: 13e6086452b7bc5ac88e72e64ff5432f6d201dfe0ac466ad7d254e84c9952ec3
Instruction Fuzzy Hash: 3BA16F70904258ABDF11DFA4C849BEEBBB4AF04304F14856EE419B7291DBB89E49CB58

Function 004212DE Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 168windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004212E3
SysFreeString.OLEAUT32(?), ref: 00421301
SysFreeString.OLEAUT32(?), ref: 00421329
GetErrorInfo.OLEAUT32(00000000,?,00000000,?,00000000,FFFFFFFF,004494C4,004494BC,?,00000000,?,?,00420D00,8007000E), ref: 0042134D
CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,00420D00,8007000E), ref: 004213F6
FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,?,00000000,?,?,00420D00,8007000E), ref: 00421420
LocalFree.KERNEL32(?,?,?,00000000,?,?,00420D00,8007000E), ref: 00421441
SysFreeString.OLEAUT32(?), ref: 0042146F

Strings

Unknown error, xrefs: 00421449, 00421459

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Free$String$ErrorFormatFromH_prologInfoLocalMessageProg
String ID: Unknown error
API String ID: 3175126575-83687255
Opcode ID: 78ed5cf56811e1288c9ee3fb4d3b106729e8e159cbc45a9a44f1cc571ee65ec1
Instruction ID: 5feed3c2fbcadf69d555043421b4ec6680562c5debcec3d66406bc3d86e6644f
Opcode Fuzzy Hash: 78ed5cf56811e1288c9ee3fb4d3b106729e8e159cbc45a9a44f1cc571ee65ec1
Instruction Fuzzy Hash: EA51AD71A00215AFDB14DFA5D848BAF77B9AF45304F04446EF806EB2A1DB78ED05CB68

Function 0043D89F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0043CE6F: SetLastError.KERNEL32(0000007F,0043D8B7,?,00000000,?,?,00002F00,?,?,0043D55D,00000000), ref: 0043CE87

GetLastError.KERNEL32(?,?,00002F00,?,?,0043D55D,00000000), ref: 0043D8D5
wsprintfW.USER32 ref: 0043D907
lstrcatW.KERNEL32(?,?), ref: 0043D91B
ResetEvent.KERNEL32(?,?,?,00002F00,?,?,0043D55D,00000000), ref: 0043D92D
GetLastError.KERNEL32(?,?,00002F00,?,?,0043D55D,00000000), ref: 0043D95F

Part of subcall function 0043CE9C: SetLastError.KERNEL32(0000007F,0043D8CF,?,00000000,?,?,00002F00,?,?,0043D55D,00000000), ref: 0043CEB4

ResetEvent.KERNEL32(?,?,?,00002F00,?,?,0043D55D,00000000), ref: 0043D9B9

Strings

A, xrefs: 0043D8BD
Range: bytes=%d-, xrefs: 0043D8FF
Range: bytes=%d-, xrefs: 0043D8F8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$EventReset$lstrcatwsprintf
String ID: A$Range: bytes=%d-$Range: bytes=%d-
API String ID: 4195990047-4039695729
Opcode ID: cd7376932a0cd924f3acf8f3dc489da3fddd791e4c4fd3e8ee7004b84d79318b
Instruction ID: f401b021e9f2676cc0212a310ee126081d357a5aa9ebea1637135b676e0d8f24
Opcode Fuzzy Hash: cd7376932a0cd924f3acf8f3dc489da3fddd791e4c4fd3e8ee7004b84d79318b
Instruction Fuzzy Hash: FA41B3B1500605EFDB249F65EC84A2BBBF9EF08314B20992EF58686660D735FC51EB18

Function 0043EDB0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 130COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000001), ref: 0043EEA6
SysFreeString.OLEAUT32(?), ref: 0043EED1
SysFreeString.OLEAUT32(?), ref: 0043EEFF
SetLastError.KERNEL32(?,?,?,00000000,00000001), ref: 0043EF16

Strings

T*F, xrefs: 0043EDFA
T*F, xrefs: 0043EE5C
T*F, xrefs: 0043EE40
T*F, xrefs: 0043EE67
T*F, xrefs: 0043EE2E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorFreeLastString
String ID: T*F$T*F$T*F$T*F$T*F
API String ID: 3822639702-1426062846
Opcode ID: b8dd6347b6ff603bd34411c85f5d07646298220c1ed6e1fdc0d236867a58f148
Instruction ID: 804ff9388cf4928efad4cf99a1a8ab3bd4fc10ff5dad52a72cd9dcd1b5985e36
Opcode Fuzzy Hash: b8dd6347b6ff603bd34411c85f5d07646298220c1ed6e1fdc0d236867a58f148
Instruction Fuzzy Hash: 4A4126725056429FC720DF5AC88195BB3A1AB89314F149A3FF486973C1D7B8DC46CB8A

Function 00410D0D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 00410D16
CharNextW.USER32(?), ref: 00410D6F
CharNextW.USER32(00000000), ref: 00410D72

Part of subcall function 00427168: __EH_prolog.LIBCMT ref: 0042716D

CharNextW.USER32(?), ref: 00410DC9
CharNextW.USER32(00000000), ref: 00410DCC
CharNextW.USER32(?), ref: 00410E1B
CharNextW.USER32(00000000), ref: 00410E1E

Strings

uninst, xrefs: 00410D49
/uninst, xrefs: 00410D62

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CharNext$H_prolog
String ID: /uninst$uninst
API String ID: 1519345652-947040270
Opcode ID: d116d54b1a16888fdfaf74fe5383dbe2ef99028d4d890781cf23f68078a389ca
Instruction ID: 33a62f665186e21b03b56fc799c3b33be1601746061c26e5db2a8e433b935085
Opcode Fuzzy Hash: d116d54b1a16888fdfaf74fe5383dbe2ef99028d4d890781cf23f68078a389ca
Instruction Fuzzy Hash: E841BE71A4420CAADF25EB54CC85FEEBB78AF05300F1041AAF505A71D1CBB8AEC4DB19

Function 0040FA0A Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 109stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040FA0F
lstrlenW.KERNEL32(This Setup was created with a BETA VERSION of InstallShield,BetaMarker.dat,EvalMarker.dat,?,00000000), ref: 0040FB1E

Part of subcall function 004069BA: __EH_prolog.LIBCMT ref: 004069BF

Strings

Evaluation, xrefs: 0040FADF
B, xrefs: 0040FAAE
Beta, xrefs: 0040FB41
This Setup was created with a BETA VERSION of InstallShield, xrefs: 0040FB18, 0040FB1D, 0040FB46
This Setup was created with an EVALUATION VERSION of InstallShield, xrefs: 0040FA85
EvalMarker.dat, xrefs: 0040FA1B
BetaMarker.dat, xrefs: 0040FB0A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrlen
String ID: B$Beta$BetaMarker.dat$EvalMarker.dat$Evaluation$This Setup was created with a BETA VERSION of InstallShield$This Setup was created with an EVALUATION VERSION of InstallShield
API String ID: 3243491680-3345276704
Opcode ID: 29b22daeff63ac511c58a13514680bc11b49669f3c3f4cdf431a6fa0bd6d0433
Instruction ID: aef9a1b06c8cbee75ebb08dc55b4a95a24dda14f69106d7b490a0839620222eb
Opcode Fuzzy Hash: 29b22daeff63ac511c58a13514680bc11b49669f3c3f4cdf431a6fa0bd6d0433
Instruction Fuzzy Hash: 1341A770A00209EEDF24FBA4D991AAE77789B10348F50443FE416B36D2D77C6E49CB19

Function 004236EC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32(?,000003E8,?,00000064), ref: 00423739
GetDlgItem.USER32(?,00000001), ref: 00423748

Part of subcall function 004236A0: wsprintfW.USER32 ref: 004236C4
Part of subcall function 004236A0: lstrcmpW.KERNEL32(?), ref: 004236D8

EnableWindow.USER32(00000000,?), ref: 0042376B
EndDialog.USER32(?,00000002), ref: 00423778
EndDialog.USER32(?,00000002), ref: 0042378E
GetDlgItem.USER32(?,00000001), ref: 004237A7
EnableWindow.USER32(00000000,00000000), ref: 00423800

Strings

Password, xrefs: 004237E6
Cancel, xrefs: 004237C0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Item$DialogEnableWindow$Textlstrcmpwsprintf
String ID: Cancel$Password
API String ID: 2389365585-713941611
Opcode ID: 9315811f3569b0d3a7362409c94adcfbd3390c09663d5979b3f6ebbf0652f06d
Instruction ID: c357db892acfbc332fceee0babc2351bbf3c77d2c6e2037026da916bf548dd9b
Opcode Fuzzy Hash: 9315811f3569b0d3a7362409c94adcfbd3390c09663d5979b3f6ebbf0652f06d
Instruction Fuzzy Hash: D931E475740224B7DF109F20EC09FAA3774EB49B06F84C266F905A62E1D6BC8E44D75D

Function 0043E6E0 Relevance: 15.2, APIs: 10, Instructions: 198filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,?,0043ECDC,?,00000000,?,?,0000000C), ref: 0043E755
GetLastError.KERNEL32 ref: 0043E777
SetLastError.KERNEL32(?,00000001), ref: 0043E7B6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0043E7C3
lstrlenW.KERNEL32(?), ref: 0043E814

Part of subcall function 0043F1E0: WideCharToMultiByte.KERNEL32(?,00000000,00000002,000000FF,00000002,?,00000000,00000000,00000002,0043E836,?,?,00000002,00000000), ref: 0043F200

WriteFile.KERNEL32(00000000,?,0043ECDC,00448CF5,00000000,00000002,00000000), ref: 0043E852
GetLastError.KERNEL32 ref: 0043E87B
SysFreeString.OLEAUT32(00000000), ref: 0043E8A4
SysFreeString.OLEAUT32(-000000DA), ref: 0043E8D2
SetLastError.KERNEL32(004494C4), ref: 0043E8E8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$File$FreeString$ByteCharCreateMultiPointerWideWritelstrlen
String ID:
API String ID: 2202814731-0
Opcode ID: 2cee09afc3a85d4851e239e4d39a53d079e8ccfbf34246e79245d7477338e13e
Instruction ID: ae377dfa04d84e73fce1e9e1714693ee0e66562a6492c93fe918aef718af4f9d
Opcode Fuzzy Hash: 2cee09afc3a85d4851e239e4d39a53d079e8ccfbf34246e79245d7477338e13e
Instruction Fuzzy Hash: 1B61C275E00209ABDB14DFA5CC85BDEB7B4AF09704F14862DE906A7380DB78AD05CB98

Function 0043D2C1 Relevance: 15.2, APIs: 10, Instructions: 165stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043D2C6

Part of subcall function 0043CE42: SetLastError.KERNEL32(0000007F,0043D2DE,?,Function_0003D216,?,?,?,00409EEC,?,?,80400100), ref: 0043CE5A

lstrlenW.KERNEL32(?,?,00000000,?,?,?,00409EEC,?,?,80400100), ref: 0043D34B
lstrcpyW.KERNEL32(00000000,?), ref: 0043D35D
lstrlenW.KERNEL32(?,?,00000000,?,?,?,00409EEC,?,?,80400100), ref: 0043D364
lstrlenW.KERNEL32(?,?,?,?,00409EEC,?,?,80400100), ref: 0043D377
GetLastError.KERNEL32(?,?,00409EEC,?,?,80400100), ref: 0043D3E3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrlen$ErrorLast$H_prologlstrcpy
String ID:
API String ID: 2614604073-0
Opcode ID: aa40da79e1c56d16a707e86cc605403e0aa9c527a8ca372ab2e94e9e786c6890
Instruction ID: 30e4160ead4777d9b655eee85d95384c631bd9cf0b842098c9e1b677d7ec42fe
Opcode Fuzzy Hash: aa40da79e1c56d16a707e86cc605403e0aa9c527a8ca372ab2e94e9e786c6890
Instruction Fuzzy Hash: 2A51AC71800604AFCB219F69EC84AABB7F4FF08314F10992BE856972A1D778ED41CB59

Function 00427920 Relevance: 15.1, APIs: 10, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,00000000), ref: 0042792F
DefWindowProcW.USER32(?,00000002,?,?), ref: 00427960
GetDC.USER32(?), ref: 0042797E
SelectPalette.GDI32(00000000,?,00000000), ref: 00427988
RealizePalette.GDI32(00000000), ref: 0042798F
ReleaseDC.USER32(00000000,00000000), ref: 004279A2
GetDC.USER32(00000000), ref: 004279AD
ReleaseDC.USER32(00000000,00000000), ref: 004279C9
BeginPaint.USER32(?,?), ref: 004279D9
EndPaint.USER32(?,?), ref: 004279FC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: PaintPaletteReleaseWindow$BeginLongProcRealizeSelect
String ID:
API String ID: 1992308970-0
Opcode ID: 8a93e66957cabcae51a9aded86c0d26a3bf2646ff1f995af9a5f924d4be81b30
Instruction ID: 4a0dacffe241af9f4cadc553d3be153c5fb6ddaca83197a3e8775edce4c37e2a
Opcode Fuzzy Hash: 8a93e66957cabcae51a9aded86c0d26a3bf2646ff1f995af9a5f924d4be81b30
Instruction Fuzzy Hash: A931CF76104225ABEF225F61EC48EAF7BB9FF49740F44441AF90191160C739CD91EB59

Function 004114C9 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004114CE
CharNextW.USER32(?,?,?), ref: 004114F3
wsprintfW.USER32 ref: 004115DA
CharNextW.USER32(00000000,?,?), ref: 004116E7

Strings

key, xrefs: 004115CF
count, xrefs: 00411539, 00411557
Languages, xrefs: 00411560, 00411580, 0041164E
%s%d, xrefs: 004115D4

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CharNext$H_prologwsprintf
String ID: %s%d$Languages$count$key
API String ID: 1310451597-2901919
Opcode ID: 227de4add4065ec34a314f4819a2856d936aa68eba402b9dee76ad42491dcdd9
Instruction ID: 164ad6852c6814ce6ed53704d37300efd42d29d9159660908b2b1e7bcfb1c640
Opcode Fuzzy Hash: 227de4add4065ec34a314f4819a2856d936aa68eba402b9dee76ad42491dcdd9
Instruction Fuzzy Hash: A3715A71D00118ABDB21DBA5CD51BEEBBB8AF14304F5041AFE506B3292DB785E49CF68

Function 00419388 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 74stringregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004193D2
lstrcpyW.KERNEL32(?,00000000), ref: 004193FF
lstrcatW.KERNEL32(00000022," /%), ref: 00419417
lstrcatW.KERNEL32(00000022,00000000), ref: 00419435
lstrlenW.KERNEL32(00000022), ref: 0041943E
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000022,?), ref: 00419459

Strings

" /%, xrefs: 00419411
", xrefs: 004193E2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Valuelstrcat$Querylstrcpylstrlen
String ID: "$" /%
API String ID: 3753562477-2760458533
Opcode ID: f2d17d951511bb7646f513e2f864151d3c7f500d6ef28eb8acc34490b3eb078c
Instruction ID: 2c6bc3acc5f283ffaff1a3cb1b6757a0faaff5633d40dd8ef318244b6dfdc154
Opcode Fuzzy Hash: f2d17d951511bb7646f513e2f864151d3c7f500d6ef28eb8acc34490b3eb078c
Instruction Fuzzy Hash: 392124B690021DABDF509BA0DC45FDA77BCEB48714F1040B6A605E3190EE759B858B98

Function 00439E1B Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0043803E,?,Microsoft Visual C++ Runtime Library,00012010,?,0044A4E4,?,0044A534,?,?,?,Runtime Error!Program: ), ref: 00439E2D
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00439E45
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00439E56
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00439E63

Strings

GetActiveWindow, xrefs: 00439E50
user32.dll, xrefs: 00439E28
GetLastActivePopup, xrefs: 00439E58
MessageBoxA, xrefs: 00439E3F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 6701e65739b9bd4ed81158e06b3ffab9b06c4ebfe53013108e3755b056bc08d2
Instruction ID: 2c3d4ebf34e434d9088a938173d578a87a2fcba928b494857069f6eda2e1c0de
Opcode Fuzzy Hash: 6701e65739b9bd4ed81158e06b3ffab9b06c4ebfe53013108e3755b056bc08d2
Instruction Fuzzy Hash: 85017135740601BFA710DFF49D85E173AE8EB897A2704143BF100C22A1EBF98C41DB6A

Function 0040121E Relevance: 13.6, APIs: 9, Instructions: 64windowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,00000418,?,004011A9,00000000), ref: 00401226
GlobalLock.KERNEL32(00000000,?,00000000,00000000,?,004011A9,00000000), ref: 00401238
GetDC.USER32(00000000), ref: 0040126E
GetSystemPaletteEntries.GDI32(00000000,00000000,0000000A,00000004), ref: 00401285
GetSystemPaletteEntries.GDI32(00000000,000000F6,0000000A,000003DC), ref: 00401296
ReleaseDC.USER32(00000000,00000000), ref: 0040129B
CreatePalette.GDI32(00000000), ref: 004012AD
GlobalUnlock.KERNEL32(00000000), ref: 004012B6
GlobalFree.KERNEL32(00000000), ref: 004012BD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Global$Palette$EntriesSystem$AllocCreateFreeLockReleaseUnlock
String ID:
API String ID: 685945034-0
Opcode ID: de22d9a610835192960910e80439de47f63aef8b848b22777d7b9e3387c45b30
Instruction ID: 97ea2825793543d97b48eb75ed04b225e0ed7c9f44bf0ac83dac7c23eb260f43
Opcode Fuzzy Hash: de22d9a610835192960910e80439de47f63aef8b848b22777d7b9e3387c45b30
Instruction Fuzzy Hash: 6111577A148344AFE3218BA0DC88FA77BACEF5A705F0440ADFB4A97391D5A59C04C735

Function 00427A1C Relevance: 13.6, APIs: 9, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(?,?,00000000), ref: 00427A4B
RealizePalette.GDI32(?), ref: 00427A51
CreateCompatibleDC.GDI32(?), ref: 00427A58
GetObjectW.GDI32(?,00000018,?), ref: 00427A6A
SelectObject.GDI32(?,?), ref: 00427A76
BitBlt.GDI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00CC0020), ref: 00427A8F
DeleteDC.GDI32(?), ref: 00427A98
SelectPalette.GDI32(?,?,00000000), ref: 00427AA8
DrawIcon.USER32(?,00000000,00000000,?), ref: 00427AB4

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: PaletteSelect$Object$CompatibleCreateDeleteDrawIconRealize
String ID:
API String ID: 2931627916-0
Opcode ID: e1a46054a62847f62a4edfae567fc76237c368e6db65e9e8da99a623f9e9e20f
Instruction ID: ede1b4bb80f40e2c6ccc70d84e1d4ad235b9c0d3df4bdf6ca1b20e10f7a94f8a
Opcode Fuzzy Hash: e1a46054a62847f62a4edfae567fc76237c368e6db65e9e8da99a623f9e9e20f
Instruction Fuzzy Hash: D111C636501229FBCF219FA1ED489DF7F79FF49762B104026FA06A1121D6358A20EBA5

Function 0041CA55 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 301COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CA5A
wsprintfW.USER32 ref: 0041CB7C

Strings

1033, xrefs: 0041CDA1
UseDotNetUI, xrefs: 0041CA9B, 0041CABF
<cE, xrefs: 0041CACB
Startup, xrefs: 0041CAE9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologwsprintf
String ID: 1033$<cE$Startup$UseDotNetUI
API String ID: 1529278910-1692670545
Opcode ID: aaa6ec8f923ea0572563284f7ab40373ef04f127496f3d22a30143ef45f8ae61
Instruction ID: d4fd9b09c9d463e29791d7e6f40dad5b1a78e406f216be7013f83793611e72f7
Opcode Fuzzy Hash: aaa6ec8f923ea0572563284f7ab40373ef04f127496f3d22a30143ef45f8ae61
Instruction Fuzzy Hash: 25B1D471A40219AFDF14DBA4DD91BEEB7B5AF04304F1041AFE406A72C1EB789E85CB58

Function 0042EB94 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 203registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042EB99
RegQueryValueExW.ADVAPI32(?,CSDVersion,00000000,?,?,?,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A,?,?,00000000), ref: 0042EDBB
RegCloseKey.ADVAPI32(?), ref: 0042EDCE
RegCloseKey.ADVAPI32(?,80000002,System\CurrentControlSet\Control\Windows,00020019,?,?,00000000,0000000A,?,?,00000000,00459868,?,00000000,?,?), ref: 0042EDE0

Strings

1.20.1827.0, xrefs: 0042EC51
System\CurrentControlSet\Control\Windows, xrefs: 0042ED7C
CSDVersion, xrefs: 0042EDA9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Close$H_prologQueryValue
String ID: 1.20.1827.0$CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3628621199-2233653695
Opcode ID: 320b7563c8a65fdcc6b0e79a27286c479b88cb60219e0d4807a1768dedd5f67b
Instruction ID: 48a6bcd447e37bacd302e36584c6bac137b777c27b5e40b84c6754d8be71e1e8
Opcode Fuzzy Hash: 320b7563c8a65fdcc6b0e79a27286c479b88cb60219e0d4807a1768dedd5f67b
Instruction Fuzzy Hash: 3C816D71D00208AFDF14DF95C981AEEB7B8EB05314F50816FF51AA7281D738AE09CB55

Function 0040BCF1 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 193libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040BCF6
GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 0040BD0E
GetModuleFileNameW.KERNEL32(?,00000400,?,00000400,?,00000000), ref: 0040BD7E

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Strings

setup.ini, xrefs: 0040BD98, 0040BDBF
RunISMSISetup, xrefs: 0040BD08
ProductCode, xrefs: 0040BE89
Startup, xrefs: 0040BE8E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$AddressFileFreeH_prologModuleNameProcString
String ID: ProductCode$RunISMSISetup$Startup$setup.ini
API String ID: 2162219923-3003089463
Opcode ID: db831aecd88921fe9209c184fe6683a87a42f9b8eb20ae90315b0c4a143b03dd
Instruction ID: 90de2c2e1f567abe5057b9c13464437db0adcc9cf64ca36dfb26e2485fca4e5e
Opcode Fuzzy Hash: db831aecd88921fe9209c184fe6683a87a42f9b8eb20ae90315b0c4a143b03dd
Instruction Fuzzy Hash: CC81A170900248EFDB11DBA4C995BEEBB78AF15308F1041AEE445B32D2DB785F48DB69

Function 00425685 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042568A

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

Part of subcall function 00407AFA: __EH_prolog.LIBCMT ref: 00407AFF

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Strings

REINSTALL=ALL, xrefs: 0042570C, 00425711, 00425719
REINSTALLMODE=vomus, xrefs: 00425742, 00425747, 0042574F
REINSTALLMODE, xrefs: 00425722, 00425727, 00425731
IS_MINOR_UPGRADE, xrefs: 00425758, 0042575D, 00425767
IS_MINOR_UPGRADE=1, xrefs: 00425778, 0042577D, 00425785
REINSTALL, xrefs: 004256EC, 004256F1, 004256FB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast$FreeString
String ID: IS_MINOR_UPGRADE=1$ REINSTALL=ALL$ REINSTALLMODE=vomus$IS_MINOR_UPGRADE$REINSTALL$REINSTALLMODE
API String ID: 2373906061-3166201577
Opcode ID: 84993db35cbc3c03de332197bca01a6f1add85fa5f2891033a4978597c9e8c58
Instruction ID: 04ac1060601d7000547c704548460ebf198c9fcde25b5d38699a06fb5d07b3b1
Opcode Fuzzy Hash: 84993db35cbc3c03de332197bca01a6f1add85fa5f2891033a4978597c9e8c58
Instruction Fuzzy Hash: 06417E71D00128AAEB15EB91D855BEEB778AF51314F10406FF806B7291DB781F48CB6D

Function 0042BAD9 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 133fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042BADE
VirtualQuery.KERNEL32(?,?,0000001C,?,?,00000000), ref: 0042BB12
GetSystemInfo.KERNEL32(?), ref: 0042BBB4
MapViewOfFile.KERNEL32(00000000,00000004,00000000,?,?,?,?), ref: 0042BBDA

Part of subcall function 0042BC34: CompareStringA.KERNEL32(00000400,00000001,?,00000008,?,000000FF,?,?,?,0042BB2D,.debug,?), ref: 0042BC59

Strings

.rdata, xrefs: 0042BB4F
.text, xrefs: 0042BB62
.debug, xrefs: 0042BB23

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CompareFileH_prologInfoQueryStringSystemViewVirtual
String ID: .debug$.rdata$.text
API String ID: 3198522006-733372908
Opcode ID: 66cd0281f9451db4c4e1fbb52de54da80c9f359b4efa8d6bd31383ef956e1e39
Instruction ID: 8d9b6489aba57ec9a58df2a0c6b9584d4ebdee72932238842dfe9e7d76cbb1f2
Opcode Fuzzy Hash: 66cd0281f9451db4c4e1fbb52de54da80c9f359b4efa8d6bd31383ef956e1e39
Instruction Fuzzy Hash: 7D417C71B002169FDB18CF66E840AAFBBB5FF84314F58812BE814A7350DB34E901CA94

Function 0042D8FC Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127processstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042D901
lstrcpyW.KERNEL32(?,?), ref: 0042D954
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,?,?,00000000), ref: 0042DA17
WaitForInputIdle.USER32(?,000003E8), ref: 0042DA81

Strings

C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp, xrefs: 0042D9A3, 0042D9A9, 0042DA25
Attempting to launch (no wait): %s, xrefs: 0042D9D5
Launch result %d, xrefs: 0042DA54

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CreateH_prologIdleInputProcessWaitlstrcpy
String ID: Attempting to launch (no wait): %s$C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp$Launch result %d
API String ID: 1987989598-3351833009
Opcode ID: edd50eb4841fc62afdb2104691fcfbe272ba31ed6a44068d998e873474276ef8
Instruction ID: 634c21c37cb5566a68e52b9cdc926bc02e82f3126b9a5bdc05c857f7d292935f
Opcode Fuzzy Hash: edd50eb4841fc62afdb2104691fcfbe272ba31ed6a44068d998e873474276ef8
Instruction Fuzzy Hash: 59411CB5D00258AEDB10DF95DC85EEEBBBCEB04318F00816BF909A6291D7785E48DF64

Function 00438460 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0044A210,00000001,?,74DEE860,00463E0C,?,?,00434147,?,?,?,00000000,00000001), ref: 0043849F
GetStringTypeA.KERNEL32(00000000,00000001,0044A20C,00000001,?,?,00434147,?,?,?,00000000,00000001), ref: 004384B9
GetStringTypeA.KERNEL32(?,?,?,?,GAC,74DEE860,00463E0C,?,?,00434147,?,?,?,00000000,00000001), ref: 004384ED
MultiByteToWideChar.KERNEL32(?,00463E0D,?,?,00000000,00000000,74DEE860,00463E0C,?,?,00434147,?,?,?,00000000,00000001), ref: 00438525
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00434147,?), ref: 0043857B
GetStringTypeW.KERNEL32(?,?,00000000,GAC,?,?,?,?,?,?,00434147,?), ref: 0043858D

Strings

GAC, xrefs: 00438585, 004384E0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: GAC
API String ID: 3852931651-2351115321
Opcode ID: 20eaef8ac122a063e5d5f608d6109247e465e00e1511b08614b23488c6887f9b
Instruction ID: 31c3e94860deaff57f74178381ae869b23e20dbf94f1dbd0b64a77994572fc12
Opcode Fuzzy Hash: 20eaef8ac122a063e5d5f608d6109247e465e00e1511b08614b23488c6887f9b
Instruction Fuzzy Hash: 4E418D7150020ABFDF209F94DC89EAF7F79FB09350F14052AFA11D6250D7799920DB99

Function 0042AE7C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 113stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042AE81
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000104,00459818,?,00000000,00000000,?,00000001,?,004494FC), ref: 0042AF1F
lstrcpyW.KERNEL32(C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI,?), ref: 0042AF5F
lstrcmpiW.KERNEL32(?,004563C4,00000001,?,004494FC), ref: 0042AFB1

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 0042AF48, 0042AF4E, 0042AF59, 0042AF5E, 0042AF6B, 0042AF6C
Startup, xrefs: 0042AF98
CloneSetupExe, xrefs: 0042AF93

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: FileH_prologModuleNamelstrcmpilstrcpy
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI$CloneSetupExe$Startup
API String ID: 2980300312-1708687841
Opcode ID: 8b6db826834720de0c1e6b6d6707a7e81ea59415ce95cd98f44df033ec740e5d
Instruction ID: 7134f075fbf73fb5fdf8c1599cd26bc977a05f0617f7f2358d3ac3ac4e30896a
Opcode Fuzzy Hash: 8b6db826834720de0c1e6b6d6707a7e81ea59415ce95cd98f44df033ec740e5d
Instruction Fuzzy Hash: 6441F471A00128AFCB11EB91DC45EEFBB78EF05304F8440A7F905A3152DB785E99CB5A

Function 00437F1A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00437F87
GetStdHandle.KERNEL32(000000F4,0044A4E4,00000000,00000000,00000000,?), ref: 0043805D
WriteFile.KERNEL32(00000000), ref: 00438064

Strings

..., xrefs: 00437FD9
Runtime Error!Program: , xrefs: 00437FED
<program name unknown>, xrefs: 00437F97
Microsoft Visual C++ Runtime Library, xrefs: 00438033

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 66b9c1a86bc6138bb8d054b275c27587212590f1202a1e3fa04f3f90ca4b56cb
Instruction ID: 9f9507a503f9be3e38df72b44ddbb5ae1cfe0a178ec342a5e8b50bae8c6895b8
Opcode Fuzzy Hash: 66b9c1a86bc6138bb8d054b275c27587212590f1202a1e3fa04f3f90ca4b56cb
Instruction Fuzzy Hash: 0E31E872640208AFEF20EB65CD46F9E73BCEF49304F6414ABF540E6151DA78DA44CA59

Function 004099CC Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004099EE
lstrlenW.KERNEL32(?), ref: 00409A11
wsprintfW.USER32 ref: 00409A8F

Strings

http://, xrefs: 00409A4D, 00409A84
https://, xrefs: 00409A69
%s%s, xrefs: 00409A89
ftp://, xrefs: 00409A36

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: wsprintf$lstrlen
String ID: %s%s$ftp://$http://$https://
API String ID: 217384638-620530764
Opcode ID: e48d3a4ee6a1fff67d357b09ada9ac75f7a7d1afc8567b5a168068b50248ec06
Instruction ID: c1754bb0018ced0035d2f69a64ebe59db00e14a15c2eb889646c31e1102a6813
Opcode Fuzzy Hash: e48d3a4ee6a1fff67d357b09ada9ac75f7a7d1afc8567b5a168068b50248ec06
Instruction Fuzzy Hash: 5F212676A00205BACB10AFE8DC419AB7378BF06715B10442BF901FB2D3E6788D4487AD

Function 00427ABF Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00427AC5
GetWindowLongW.USER32(?,00000000), ref: 00427AD6
DeleteObject.GDI32(00000000), ref: 00427AFE
DestroyIcon.USER32(00000000,?,?,?,00427A0A,?), ref: 00427B06
DeleteObject.GDI32(?), ref: 00427B1F
SetWindowLongW.USER32(zB,00000000,00000000), ref: 00427B2B

Strings

zB, xrefs: 00427B27

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Window$DeleteLongObject$DestroyIcon
String ID: zB
API String ID: 2866036538-3218402564
Opcode ID: 69ecb2581b6907605ed3a05f81056b8145e4908671d7be3a3ca5620dca8f4525
Instruction ID: 8cb6d16a1443e70189259a07d8e537438808cfd50fc4e0a3d3b133f4e70215cc
Opcode Fuzzy Hash: 69ecb2581b6907605ed3a05f81056b8145e4908671d7be3a3ca5620dca8f4525
Instruction Fuzzy Hash: C301D4362082249FC6209F65FC48C9BBFA8EB06369711482EF846D2160C736BC40DA69

Function 0042CFA5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(COMCTL32,0044952C,?,?,?,0042A946,0044952C,00000001,004494C4,?,00000187,Relaunching setup from temp,?,00000000,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?), ref: 0042CFB0
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0042CFC2
#17.COMCTL32(?,?,?,0042A946,0044952C,00000001,004494C4,?,00000187,Relaunching setup from temp,?,00000000,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?,00000001,00000000), ref: 0042CFE2
FreeLibrary.KERNEL32(00000000,?,?,?,0042A946,0044952C,00000001,004494C4,?,00000187,Relaunching setup from temp,?,00000000,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?,00000001), ref: 0042CFE9

Strings

, xrefs: 0042CFD7
InitCommonControlsEx, xrefs: 0042CFBC
COMCTL32, xrefs: 0042CFAB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: $COMCTL32$InitCommonControlsEx
API String ID: 145871493-1772614818
Opcode ID: 2e512281ee8beddb0c855f406ffe125628ecfb658d1f0f01218a8179c3e9188a
Instruction ID: 2ebc4863214866c7aeaac353f35d4581c44b68de769a38af491f3d64cdefb8d6
Opcode Fuzzy Hash: 2e512281ee8beddb0c855f406ffe125628ecfb658d1f0f01218a8179c3e9188a
Instruction Fuzzy Hash: 2CE06DB4501225FBD7105B95EC4EE9F7A68AF0A752F510059E802A1281DB789E04D6BD

Function 0043593F Relevance: 12.2, APIs: 8, Instructions: 170COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0044A210,00000001,00000000,00000000,004494C4,004494BE,00463E0C,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00435981
LCMapStringA.KERNEL32(00000000,00000100,0044A20C,00000001,00000000,00000000), ref: 0043599D
LCMapStringW.KERNEL32(004494BC,004494C4,00000000,?,?,?,004494C4,004494BE,00463E0C,?,?,?,00000000,004494C4,004494BC,00000000), ref: 004359E6
WideCharToMultiByte.KERNEL32(00463E0C,00000220,00000000,?,00000000,00000000,00000000,00000000,004494C4,004494BE,00463E0C,?,?,?,00000000,004494C4), ref: 00435A19
WideCharToMultiByte.KERNEL32(?,00000220,?,?,?,?,00000000,00000000), ref: 00435A70
LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 00435A8C
LCMapStringA.KERNEL32(?,?,?,?,?,00000000), ref: 00435AE2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 8cf804cabf2d6eae356459ba64c9aec5f59e450a6992ecb37c150d6ab95e7b17
Instruction ID: a82ac34fa0904e9c8b980f9bfd723afb5b69dda311ab6dc9ec79c3a583cf36ec
Opcode Fuzzy Hash: 8cf804cabf2d6eae356459ba64c9aec5f59e450a6992ecb37c150d6ab95e7b17
Instruction Fuzzy Hash: E9517771901619BBCF228F90CC49AEFBF79FF09764F100126F910A1260D3799921EBA9

Function 004097A9 Relevance: 12.1, APIs: 8, Instructions: 144windowfilethreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004097AE

Part of subcall function 004099A2: lstrlenW.KERNEL32(?,?,?,004097C5,?), ref: 004099AB

CopyFileW.KERNEL32(?,?,00000000,?), ref: 004097D1
CreateThread.KERNEL32(00000000,00000000,Function_00009753,?,00000000,?), ref: 00409888
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004098B1
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004098C4
DispatchMessageW.USER32(?), ref: 004098E6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$CopyCreateDispatchFileH_prologMultipleObjectsPeekThreadWaitlstrlen
String ID:
API String ID: 1469082848-0
Opcode ID: 8b286875a23a3bc680484777f8acb024a55fd2ae16de7dd9a91af2b2470a21ee
Instruction ID: f383f1b317e59635d251be1e55c25ea45216ea2f75679f904f6066787391bcb6
Opcode Fuzzy Hash: 8b286875a23a3bc680484777f8acb024a55fd2ae16de7dd9a91af2b2470a21ee
Instruction Fuzzy Hash: 8A519071510115ABDF10AF61CC85AEF7B68FF05764F10853AF919BA2D2CB388E41DB98

Function 00420120 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00420125

Part of subcall function 00427E7C: __EH_prolog.LIBCMT ref: 00427E81

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Part of subcall function 004281A7: __EH_prolog.LIBCMT ref: 004281AC

Part of subcall function 0040D5D0: __EH_prolog.LIBCMT ref: 0040D5D5
Part of subcall function 0040D5D0: GetLastError.KERNEL32(74DEE010,?,004494BC,?,0043F04D), ref: 0040D5FD
Part of subcall function 0040D5D0: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,0043F04D), ref: 0040D64A

Strings

key, xrefs: 004201F5, 0042021A
count, xrefs: 00420134, 00420160
Instances, xrefs: 0042016C, 0042018A, 0042027E, 0042029D
(, xrefs: 004203FE
%s%d, xrefs: 00420240

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast$FreeString
String ID: %s%d$($Instances$count$key
API String ID: 2373906061-3513479406
Opcode ID: 11caff11a29f6b200ede417369f95a3048d37da7d8d4f61f6b38155798843f93
Instruction ID: 286dd1de2357f98e0384c9a43542ff142c3cdee7a498658a4a47630217208d93
Opcode Fuzzy Hash: 11caff11a29f6b200ede417369f95a3048d37da7d8d4f61f6b38155798843f93
Instruction Fuzzy Hash: E3A13AB1D01118EFDB25DB95C991AEEB7B8AF18304F5081ABE449B3242DB385F48CF65

Function 00414CEA Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 210fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403912: __EH_prolog.LIBCMT ref: 00403917
Part of subcall function 00403912: GetLastError.KERNEL32(004494FC,00000104,00000000,?,00429EB2,?,?,00000000,?,00000000), ref: 00403940
Part of subcall function 00403912: SetLastError.KERNEL32(?,?,00000000,00000000,?,00429EB2,?,?,00000000,?,00000000), ref: 00403995

Part of subcall function 00401CCE: __EH_prolog.LIBCMT ref: 00401CD3
Part of subcall function 00401CCE: GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
Part of subcall function 00401CCE: SysFreeString.OLEAUT32(?), ref: 00401D14
Part of subcall function 00401CCE: SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

MoveFileW.KERNEL32(?,?), ref: 00414DBC

Strings

P1Z, xrefs: 00415043
vjredist.exe, xrefs: 0041512B, 0041514C
dotnetfx.exe, xrefs: 00414CF2
isnetfx.exe, xrefs: 00414D27, 00414D48
dotnetredist.exe, xrefs: 00414E4C, 00414E6D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$FileFreeMoveString
String ID: P1Z$dotnetfx.exe$dotnetredist.exe$isnetfx.exe$vjredist.exe
API String ID: 4032280969-3195596644
Opcode ID: 2027f8563af075ad9fdb5df0aa010eaacc86475d74aa0fdc75721bc8aeceddfd
Instruction ID: 19a80d4466c1e137aed4366c1a623bda8094085ffc54ca6401f6545b2fdc7efa
Opcode Fuzzy Hash: 2027f8563af075ad9fdb5df0aa010eaacc86475d74aa0fdc75721bc8aeceddfd
Instruction Fuzzy Hash: BE91E570904288EAEF15DFA4C945BEEBBB4AF15308F14409EE406732C2DB785F89DB19

Function 0041D484 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D489

Part of subcall function 00408512: __EH_prolog.LIBCMT ref: 00408517
Part of subcall function 00408512: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000,?), ref: 00408540
Part of subcall function 00408512: SetLastError.KERNEL32(?,?,00000000,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000), ref: 00408595

Part of subcall function 0041D24E: __EH_prolog.LIBCMT ref: 0041D253
Part of subcall function 0041D24E: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,00000000), ref: 0041D284

Part of subcall function 0041F532: __EH_prolog.LIBCMT ref: 0041F537

Part of subcall function 0041D24E: RegCloseKey.ADVAPI32(?), ref: 0041D3C4

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Strings

1033, xrefs: 0041D68A
J#Version, xrefs: 0041D4CD, 0041D4E6
<cE, xrefs: 0041D4EF
SOFTWARE\Microsoft\Visual JSharp Setup\Redist, xrefs: 0041D60C, 0041D61D, 0041D659
Startup, xrefs: 0041D511

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorH_prologLast$CloseFreeOpenString
String ID: 1033$<cE$J#Version$SOFTWARE\Microsoft\Visual JSharp Setup\Redist$Startup
API String ID: 840635336-847817455
Opcode ID: cc2a003769a357aa72f56f6bd2ed25ddb8ea6648cab453bef7bf52e5a9d658c9
Instruction ID: 84c3743061d727d7fd19714539cc8d9436f64a07b0d1b4d9cc9af22febdd8e7f
Opcode Fuzzy Hash: cc2a003769a357aa72f56f6bd2ed25ddb8ea6648cab453bef7bf52e5a9d658c9
Instruction Fuzzy Hash: A7716FB1D01219EFDB11DB95C941FEEB7B9AF54304F1041AFE506A3281EB386E45CB68

Function 00417867 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 161COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041786C

Strings

.mst, xrefs: 00417918, 0041791F, 00417928
TRANSFORMS=", xrefs: 0041787C, 00417882, 0041788F
TRANSFORMS=", xrefs: 004179E5
TRANSFORMS=, xrefs: 004178A5, 004178AA, 004178B4
.mst", xrefs: 004178F7, 004178FC, 00417905

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: TRANSFORMS="$.mst$.mst"$TRANSFORMS=$TRANSFORMS="
API String ID: 3519838083-3238450747
Opcode ID: e52eb2cff81ce66d2027d02ceb1f3394e966cd704949a890949a7613974eeee3
Instruction ID: 8b6bd3fae0fe5cb6f206465969fa8f2c155b003aeb8fe1afcf52d42e9fd2b52b
Opcode Fuzzy Hash: e52eb2cff81ce66d2027d02ceb1f3394e966cd704949a890949a7613974eeee3
Instruction Fuzzy Hash: FB51D4B1D04214BADB05EB60CC15BEE7BB89F46318F14807FF806A72D2DA785E488768

Function 00437D25 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00437D83
GetFileType.KERNEL32(?,?,00000000), ref: 00437E2E
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00437E91
GetFileType.KERNEL32(00000000,?,00000000), ref: 00437E9F
SetHandleCount.KERNEL32 ref: 00437ED6

Strings

<F, xrefs: 00437DBD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID: <F
API String ID: 1710529072-142412230
Opcode ID: 6bec9595731c6ffd26aa2b846016bee965f1267372ad5c38bda6dd9b676c0748
Instruction ID: 61ab038272b7955e6e9ade30be6c8adcf4ef7494b56011d08dcfde199907832a
Opcode Fuzzy Hash: 6bec9595731c6ffd26aa2b846016bee965f1267372ad5c38bda6dd9b676c0748
Instruction Fuzzy Hash: 80512AB15082428FD730CF38C8857663BA0AB1A365F2456AED4E2973E1EB78DD05C759

Function 00412E0C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412E11
wsprintfW.USER32 ref: 00412E40

Part of subcall function 0040226E: __EH_prolog.LIBCMT ref: 00402273

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

Strings

key, xrefs: 00412E2F
Languages, xrefs: 00412E74
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 00412E55
%s%d, xrefs: 00412E3A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$wsprintf
String ID: %s%d$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI$Languages$key
API String ID: 172397338-2941717399
Opcode ID: dbd4b0fb24b8ba7cb96e65f1be03fe599a702115548e9033fdd0f5f6abd86cb1
Instruction ID: ef2843d0b004f662bc75dbdf8682a5714b595a631c64ade50b4d0951eb5a92f9
Opcode Fuzzy Hash: dbd4b0fb24b8ba7cb96e65f1be03fe599a702115548e9033fdd0f5f6abd86cb1
Instruction Fuzzy Hash: A1217F71900218EBCB10EF94CD45AEDFB74FF04715F50066AE815B72C1DBB86A48CB98

Function 0043CFEA Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 0043D018
RegQueryValueExW.ADVAPI32(?,ProxyEnable,00000000,00000000,?,?), ref: 0043D042
RegQueryValueExW.ADVAPI32(?,AutoConfigURL,00000000,00000000,?,00000004), ref: 0043D067

Strings

AutoConfigURL, xrefs: 0043D05F
ProxyEnable, xrefs: 0043D033
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0043D00E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: QueryValue$Open
String ID: AutoConfigURL$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
API String ID: 1606891134-3224623278
Opcode ID: 2e7ac5333ea2e6311c6d9043b43f971163efcdf94320d4c04af1487e64a85d6c
Instruction ID: fb804c0915ec41cd61fcc0c02fe81bf9d94a482baed78c9cb3fa509af00c1582
Opcode Fuzzy Hash: 2e7ac5333ea2e6311c6d9043b43f971163efcdf94320d4c04af1487e64a85d6c
Instruction Fuzzy Hash: 8C214AB2900218BFDF119FA0DD819EFBBBDEB05748F10807AE900A2150D7398E55DBA4

Function 0042D1FE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

CharNextW.USER32(?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},75A8EB20), ref: 0042D232
lstrcpyW.KERNEL32(00000000,00000000), ref: 0042D242
CharNextW.USER32(00000000), ref: 0042D255
CharPrevW.USER32(00000000,00000000), ref: 0042D265
lstrcpyW.KERNEL32(?,?), ref: 0042D280

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 0042D228

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Char$Nextlstrcpy$Prev
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 1912086007-3076254100
Opcode ID: 9b537d155e694e1907d8e939360a26115eba56584e175308b89bac0f0a097621
Instruction ID: 84c57dde43060c62aa54a6d79160d55d5f62a3c193d01d2464c266bb228767ad
Opcode Fuzzy Hash: 9b537d155e694e1907d8e939360a26115eba56584e175308b89bac0f0a097621
Instruction Fuzzy Hash: D3015A76D10128AADB61AB94DC00AEB73BCBF55300F0080B2D544A7150DBB8AE898FF4

Function 0042CC55 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0042CC6D

Part of subcall function 0042D0C9: lstrcpyW.KERNEL32(?,?), ref: 0042D0F1
Part of subcall function 0042D0C9: CharNextW.USER32(00000000,?,00000000), ref: 0042D10A
Part of subcall function 0042D0C9: lstrcpyW.KERNEL32(00000104,?), ref: 0042D124
Part of subcall function 0042D0C9: lstrcpyW.KERNEL32(?,00000000), ref: 0042D12A

Part of subcall function 0042D321: lstrlenW.KERNEL32(00000104,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D329
Part of subcall function 0042D321: lstrcpynW.KERNEL32(?,00000102,-00000001,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?), ref: 0042D34B
Part of subcall function 0042D321: lstrcatW.KERNEL32(?,?), ref: 0042D36B

lstrcatW.KERNEL32(?,.ini), ref: 0042CCA5
lstrcpyW.KERNEL32(00000000,?), ref: 0042CCB8

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 0042CC80
.ini, xrefs: 0042CC9D
%#04x, xrefs: 0042CC67

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$lstrcat$CharNextlstrcpynlstrlenwsprintf
String ID: %#04x$.ini$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI
API String ID: 2174921493-3388043349
Opcode ID: ea97ccb01db231f895c76c2c9f873827767b84d0522bdeef50fee4549650628c
Instruction ID: 5f2a754390796d750d841e05c1749405f4bfcc129871267129bf0ac347d0f805
Opcode Fuzzy Hash: ea97ccb01db231f895c76c2c9f873827767b84d0522bdeef50fee4549650628c
Instruction Fuzzy Hash: 51F0F975901108FBCF019F90EC46EDE7BB9EB08315F408022F904A1061DB75DA9D9BA9

Function 00438E00 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0044A210,00000001,?,004494C4,004494BE,00463E0C,?,?,?,00000000,004494C4), ref: 00438E3F
GetStringTypeA.KERNEL32(00000000,00000001,0044A20C,00000001,?), ref: 00438E59
GetStringTypeW.KERNEL32(00000100,004494C4,00000000,?,004494C4,004494BE,00463E0C,?,?,?,00000000,004494C4), ref: 00438E80
WideCharToMultiByte.KERNEL32(?,00000220,004494C4,00000000,00000000,00000000,00000000,00000000,004494C4,004494BE,00463E0C,?,?,?,00000000,004494C4), ref: 00438EB3
WideCharToMultiByte.KERNEL32(?,00000220,?,?,00000000,00000000,00000000,00000000), ref: 00438F1C
GetStringTypeA.KERNEL32(?,00000100,?,?), ref: 00438F87

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 98cb25d8b8835f589015537cb263b78723ef6eb6ef7a2ba5020d6644a8f522dd
Instruction ID: b794ca9a606be131f0c1dd081b23c175fcdc362682b6d8d1cbc0aeda6ad80aed
Opcode Fuzzy Hash: 98cb25d8b8835f589015537cb263b78723ef6eb6ef7a2ba5020d6644a8f522dd
Instruction Fuzzy Hash: B951EC31900309EBDF219F94CC4AEAFBFB5FB89710F20411AF810A2290D7799951DB99

Function 00414358 Relevance: 9.1, APIs: 6, Instructions: 112windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

Part of subcall function 0042853C: __EH_prolog.LIBCMT ref: 00428541

wsprintfW.USER32 ref: 004143FD
lstrcatW.KERNEL32(?,?), ref: 00414450
SendMessageW.USER32(?,00000401,00000000,00000001), ref: 00414468
GetDlgItem.USER32(?,000003EA), ref: 00414493
SendMessageW.USER32(00000000,0000000F,00000000,00000000), ref: 0041449E
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004144A6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MessageSend$wsprintf$H_prologItemLoadStringlstrcat
String ID:
API String ID: 3934906656-0
Opcode ID: 04195240697bd5df26dd572905f01de8cd7271481d53c918263fb05e3533409b
Instruction ID: 75189ed4839b32817ab0a4ee3615f17c14890d3f157df78577c8d8e466de506a
Opcode Fuzzy Hash: 04195240697bd5df26dd572905f01de8cd7271481d53c918263fb05e3533409b
Instruction Fuzzy Hash: A7414EB1A0011CBBDB109B94DC85EEFB779FB44308F1000AAB605E7161D6759F44CB55

Function 0040AC99 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 0040ACCA
GetDlgItem.USER32(?,00000001), ref: 0040AD2A
GetDlgItem.USER32(?,00000066), ref: 0040AD31
ShowWindow.USER32(00000000,00000000), ref: 0040AD45
ShowWindow.USER32(00000000,00000000), ref: 0040AD61

Part of subcall function 0042DA98: GetCurrentProcess.KERNEL32(?,?,?,00424C6A,0044952C,0044952C,00000000), ref: 0042DAA7
Part of subcall function 0042DA98: OpenProcessToken.ADVAPI32(00000000,00000028,00000000,?,?,?,00424C6A,0044952C,0044952C,00000000), ref: 0042DAB4
Part of subcall function 0042DA98: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,0044952C), ref: 0042DACB
Part of subcall function 0042DA98: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 0042DAF6
Part of subcall function 0042DA98: ExitWindowsEx.USER32(00000002,0000FFFF), ref: 0042DB04

DeleteObject.GDI32 ref: 0040AD8B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ItemProcessShowTokenWindow$AdjustCurrentDeleteDialogExitLookupObjectOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 1933714880-0
Opcode ID: 32a688ab72c88b2b42e6a4970787c62ca820d6b482b7cd1476e2b51e14d2a79b
Instruction ID: b00f4e29f665c76f728f084bfaf69a631ca055d4ab2fd8120652230df5ada396
Opcode Fuzzy Hash: 32a688ab72c88b2b42e6a4970787c62ca820d6b482b7cd1476e2b51e14d2a79b
Instruction Fuzzy Hash: 1721F831A403047BEB209F65EC45E6B3769EF0670AF00003AF609B61D7C579E851975D

Function 0041017B Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410180
GetLastError.KERNEL32(74DEDFA0,?,00000000,?,004100B9,?,00000000,?,00000001,?,00427389,no_engine,?,00000001,?,00000000), ref: 004101A9
SetLastError.KERNEL32(00000004,00000000,?,00000000,?,004100B9,?,00000000,?,00000001,?,00427389,no_engine,?,00000001,?), ref: 004101DC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,004100B9,?,00000000,?,00000001,?,00427389), ref: 004101FC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000005,00000000,?,00000000,?,004100B9,?,00000000,?,00000001), ref: 00410225
SetLastError.KERNEL32(?,?,00000000,?,004100B9,?,00000000,?,00000001,?,00427389,no_engine,?,00000001,?,00000000), ref: 00410233

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$H_prolog
String ID:
API String ID: 2853668335-0
Opcode ID: d1b753c1cd1a9f7193ce2ff9800f3fb4ad9d2fa8b0aa80196d133a37881a56b2
Instruction ID: 20e41e186585c71a821352df3a7e81365333deccbd685a42f50da7fb574f4e50
Opcode Fuzzy Hash: d1b753c1cd1a9f7193ce2ff9800f3fb4ad9d2fa8b0aa80196d133a37881a56b2
Instruction Fuzzy Hash: BB215A7A600249EFDB118F59D88889ABBBAFF48308B14856EF48A97221C774ED50DF54

Function 00437C84 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,00000000,?,?,00432E69), ref: 00437C9D
GetCommandLineA.KERNEL32(?,00000000,?,?,00432E69), ref: 00437CAF
GetCommandLineW.KERNEL32(?,00000000,?,?,00432E69), ref: 00437CC6
GetCommandLineA.KERNEL32(?,00000000,?,?,00432E69), ref: 00437CCF
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,00432E69), ref: 00437CE8
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,00432E69), ref: 00437D0D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CommandLine$ByteCharMultiWide
String ID:
API String ID: 3068183746-0
Opcode ID: ba7c407c18122122c1f9431784fbc0e112e2f1cf373d6ca15240b5f82b896d92
Instruction ID: 64444e1513fe9f36e88b89489246c8980215743e7912d26d8432c7751ac50c72
Opcode Fuzzy Hash: ba7c407c18122122c1f9431784fbc0e112e2f1cf373d6ca15240b5f82b896d92
Instruction Fuzzy Hash: AF1108B220D50AA6EA306BA59C40F37368CDF8D3A4F342533E550D3290EAD9DC01966D

Function 0041299B Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(004127A3,?), ref: 004129AB
GetParent.USER32(004127A3), ref: 004129C0
GetSystemMetrics.USER32(00000000), ref: 004129CB
GetSystemMetrics.USER32(00000001), ref: 004129DC
GetClientRect.USER32(00000000,?), ref: 004129E9
MoveWindow.USER32(004127A3,?,?,?,?,00000000,?,?,?,004127A3,?), ref: 00412A14

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MetricsRectSystemWindow$ClientMoveParent
String ID:
API String ID: 3434607708-0
Opcode ID: 5fb4cae89f71720b68541ee359a8fa969bc5c67febc9ed44c50470c1512fb151
Instruction ID: fd33e56cbcb7d866bf7c887adb5d6ad0f50973a7314aabedc6745dc06fc16bc2
Opcode Fuzzy Hash: 5fb4cae89f71720b68541ee359a8fa969bc5c67febc9ed44c50470c1512fb151
Instruction Fuzzy Hash: 10115A76A0010AAFDB009FBCDD4D9EFBFB9EB85341F080664F900E2194D670AD449A64

Function 0042D455 Relevance: 9.1, APIs: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,0000000D,?,0041BBF6,?,0000000D,0000000D,?,?,00000000,004494C4,004494C4,?), ref: 0042D46C
lstrcpyW.KERNEL32(00000000,?), ref: 0042D480
lstrcatW.KERNEL32(00000000,00457BB8), ref: 0042D48C
lstrlenW.KERNEL32(00000000,?,0000000D,?,0041BBF6,?,0000000D,0000000D,?,?,00000000,004494C4,004494C4,?,00456F08,?), ref: 0042D495
CreateDirectoryW.KERNEL32(00000000,00000000,?,0000000D,?,0041BBF6,?,0000000D,0000000D,?,?,00000000,004494C4,004494C4,?,00456F08), ref: 0042D4AC
GetLastError.KERNEL32(?,0000000D,?,0041BBF6,?,0000000D,0000000D,?,?,00000000,004494C4,004494C4,?,00456F08,?,00000000), ref: 0042D4B6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrlen$CreateDirectoryErrorLastlstrcatlstrcpy
String ID:
API String ID: 4043630017-0
Opcode ID: 0d0d8f4149498e03c22f890b2c398caff86e7469197e5c684b2c711a50c75958
Instruction ID: 7f1ac8b91e3f866cc74259032ae666af243ac558ad20d3946e809411767dfc59
Opcode Fuzzy Hash: 0d0d8f4149498e03c22f890b2c398caff86e7469197e5c684b2c711a50c75958
Instruction Fuzzy Hash: 44012636505225ABD720AF50BC48F6B77D8FF86315F20011AF50582191DBB8980187AE

Function 00424222 Relevance: 9.1, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424227
GetLastError.KERNEL32(?,00000001,?,?,00423EEC,?,00000001,?,?,?), ref: 00424254
SetLastError.KERNEL32(00000000,?,?,00423EEC,?,00000001,?,?,?), ref: 0042428E
SysStringLen.OLEAUT32(00000000), ref: 0042429C
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004242A9
SetLastError.KERNEL32(00000000,?,?,00423EEC,?,00000001,?,?,?), ref: 004242BB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$String$AllocH_prolog
String ID:
API String ID: 1014970518-0
Opcode ID: 1315edcfcca2fdd3a37f728aa8f62660a4eda7dc3af69c5d9ba1e85258abf8be
Instruction ID: 5013da39e750ba2b31e8c17a116aaab2a01b0b63dde5a7bda51b1a1462fa100f
Opcode Fuzzy Hash: 1315edcfcca2fdd3a37f728aa8f62660a4eda7dc3af69c5d9ba1e85258abf8be
Instruction Fuzzy Hash: C8214276200600EFC720CF59E848A8AFBF4FF48319F1089AEE45597660C3B8E904DB14

Function 0040A941 Relevance: 9.1, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A946
GetLastError.KERNEL32(?,0044957C,00000000,?,00409F9D), ref: 0040A973
SetLastError.KERNEL32(?,?,0044957C,00000000,?,00409F9D), ref: 0040A9AD
SysStringLen.OLEAUT32(00000000), ref: 0040A9BB
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040A9C8
SetLastError.KERNEL32(00000000,?,0044957C,00000000,?,00409F9D), ref: 0040A9DA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$String$AllocH_prolog
String ID:
API String ID: 1014970518-0
Opcode ID: 01d339e41540352b4e9ff9d859ef5b63a05135efd72f22856e153de39db6c2df
Instruction ID: 7b0e7be44b13d66a77a1dbe24c2d4c3362a9eed0ae21ddf3875a729dff9ab9ed
Opcode Fuzzy Hash: 01d339e41540352b4e9ff9d859ef5b63a05135efd72f22856e153de39db6c2df
Instruction Fuzzy Hash: FA213376100600AFD720CF58D844A4AFBF4FF49719F11C96EE45597661C7B8E904DF54

Function 00409B34 Relevance: 9.1, APIs: 6, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000003,?,74DF2EE0,00000000,0040A81D,?,0044957C,?,00000000,?,00409FA7), ref: 00409B4D
SysFreeString.OLEAUT32(00000001), ref: 00409B5B
SetLastError.KERNEL32(?,?,74DF2EE0,00000000,0040A81D,?,0044957C,?,00000000,?,00409FA7), ref: 00409B6E
GetLastError.KERNEL32(?,74DF2EE0,00000000,0040A81D,?,0044957C,?,00000000,?,00409FA7), ref: 00409B86
SysFreeString.OLEAUT32(?), ref: 00409BA7
SetLastError.KERNEL32(?,?,74DF2EE0,00000000,0040A81D,?,0044957C,?,00000000,?,00409FA7), ref: 00409BBB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 091c99be502207469750ad66ecd0e04fec941090e984bc98233e34c433967fe8
Instruction ID: 2d1782970ba8ce380b3e8f5d45b1365dea4ec8968f127199f4e8b73b9c68a644
Opcode Fuzzy Hash: 091c99be502207469750ad66ecd0e04fec941090e984bc98233e34c433967fe8
Instruction Fuzzy Hash: CA115A3A250616EFC7208F68EC48C56BBF0FF0A3197158A69F886CB260DB75EC04DB44

Function 00409BC6 Relevance: 9.1, APIs: 6, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,753C3F50,?,?,0042405C,?,00000000), ref: 00409BDF
SysFreeString.OLEAUT32(?), ref: 00409BED
SetLastError.KERNEL32(?,?,?,0042405C,?,00000000), ref: 00409C00
GetLastError.KERNEL32(?,?,0042405C,?,00000000), ref: 00409C18
SysFreeString.OLEAUT32(?), ref: 00409C39
SetLastError.KERNEL32(?,?,?,0042405C,?,00000000), ref: 00409C4D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: d78655ac5a62e9054b9839fcc6dfb21bd1f97f172ed9b602f76778fbb627688e
Instruction ID: 7358056f24c0e41068f01a7dad43a09d9305a000db95e132cd8aee2c8ed51a58
Opcode Fuzzy Hash: d78655ac5a62e9054b9839fcc6dfb21bd1f97f172ed9b602f76778fbb627688e
Instruction Fuzzy Hash: C8115A3A250616EFC7208F68EC48C56BBF0FF0A3197158A69F886CB260DB75EC04DB44

Function 00422CD0 Relevance: 9.0, APIs: 6, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000000), ref: 00422CF8
EnableWindow.USER32(00000000), ref: 00422CFB
GetDlgItem.USER32(00000000,00000001), ref: 00422D0E
EnableWindow.USER32(00000000), ref: 00422D11
GetDlgItem.USER32(00000000), ref: 00422D1C
SetFocus.USER32(00000000), ref: 00422D1F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Item$EnableWindow$Focus
String ID:
API String ID: 864471436-0
Opcode ID: adb0fb4b5f6f0791ac0c06dca65584d79d1c46c9bbec271164fd130f1f541a2f
Instruction ID: 365f691f8f65493d39ee3d21bfcbdb5003ef1e230da26a64f1653a9d40ff808e
Opcode Fuzzy Hash: adb0fb4b5f6f0791ac0c06dca65584d79d1c46c9bbec271164fd130f1f541a2f
Instruction Fuzzy Hash: 69F0303151021CFBDF125F51ED08F9B3F69FB49351F040426F904A2170C7B55860EB99

Function 0040FBC8 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 248stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040FBCD

Part of subcall function 004069BA: __EH_prolog.LIBCMT ref: 004069BF

lstrcpyW.KERNEL32(?,00000000), ref: 0040FC3A

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 0040FC24
%s%s%s%s%s%s%s%s, xrefs: 0040FEC4

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrcpy
String ID: %s%s%s%s%s%s%s%s$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 2120869262-3366034753
Opcode ID: f2c9d7f799d09df97f2b6582ece6bd76b50666bf75db5df5c6bda570994eab28
Instruction ID: 136806aaed0351770f8abee5020bc183e33caf3f3a22f3dc63cef433365df659
Opcode Fuzzy Hash: f2c9d7f799d09df97f2b6582ece6bd76b50666bf75db5df5c6bda570994eab28
Instruction Fuzzy Hash: 5A91B372A1162CBADB10DBA1CC51DDEB7B9AF4C314F0041BAF609B3190DA759B848F96

Function 004019CA Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004019CF
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000104,?,00000000,?,00000000), ref: 00401A6E

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 004019E3, 004019F0, 00401AAF, 00401AB8, 00401ACF, 00401AEA, 00401B8D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: FileH_prologModuleName
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 2929834794-3076254100
Opcode ID: e93ab3d01dc3e0d7fb757fa6ad97cc3b2ad1bd40f2c1061e73b94b6de49b09ea
Instruction ID: c83b06d1f7a2ef0aad859d02159588a48ad04a237e66ca8efca3b17cfc7ea70f
Opcode Fuzzy Hash: e93ab3d01dc3e0d7fb757fa6ad97cc3b2ad1bd40f2c1061e73b94b6de49b09ea
Instruction Fuzzy Hash: 7591A071D00218AADB21EBA1CD49FEFB7B8AF05344F0440AEF505B31D2DB786A45CB69

Function 0043B5C8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,A(C), ref: 0043B642
GetLastError.KERNEL32 ref: 0043B64C
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 0043B712
GetLastError.KERNEL32 ref: 0043B71C

Strings

A(C, xrefs: 0043B5D6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: A(C
API String ID: 1948546556-1016168549
Opcode ID: fa3b22b262fc9bc71338006add3e409e307b31afaaadcce8059167e569d68f40
Instruction ID: 6c7c68f510aad5d0fadb42fbcf39d1bde10c8574abfe856a88756e258be22c59
Opcode Fuzzy Hash: fa3b22b262fc9bc71338006add3e409e307b31afaaadcce8059167e569d68f40
Instruction Fuzzy Hash: CE51F734A04385DFDF218F58C8817AA7BB0FF5A304F14549BEA619B352C378D942CB9A

Function 00427CE9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00427CEE

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00427E50

Strings

ClickOncePackage, xrefs: 00427D2C
open, xrefs: 00427E4A
Startup, xrefs: 00427D31

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ExecuteShell
String ID: ClickOncePackage$Startup$open
API String ID: 1920959041-1966403724
Opcode ID: 16bebdb7d1a5f8d432831333d620b80a22c6326b6f5163682756fcbf773968bb
Instruction ID: ec455b725536ef6eb78326c94c6f732fba80470ceaec6e8bfdd2a849adb842fe
Opcode Fuzzy Hash: 16bebdb7d1a5f8d432831333d620b80a22c6326b6f5163682756fcbf773968bb
Instruction Fuzzy Hash: 8B41B671A00268AADF15EB95DC91AEEB778BF14308F4041AFF44AB3281DB785E48CB54

Function 0043448A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004344A9
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004344DE
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0043453E

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00434518
__MSVCRT_HEAP_SELECT, xrefs: 004344D9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 768c2b1041a9e0620f9a455f400c56b6a196d006be59056b4055b5dabd33d95f
Instruction ID: 17453c092179586c1f4b59ddbe92c2177cb969076247f9e1aed103569d2110ee
Opcode Fuzzy Hash: 768c2b1041a9e0620f9a455f400c56b6a196d006be59056b4055b5dabd33d95f
Instruction Fuzzy Hash: 53316A72D012887FEB3196706C41BDF77A89B5E304F1424EBE245C5282E63CAE89CB1D

Function 0040B6F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B6FD

Part of subcall function 0040387F: __EH_prolog.LIBCMT ref: 00403884
Part of subcall function 0040387F: GetLastError.KERNEL32(004494FC,00449504,00000000,?,0041E645,00449504,00000000,00000022,00449504,00000104,00449504,?,0041E0E0,?), ref: 004038AC
Part of subcall function 0040387F: SetLastError.KERNEL32(?,004494FC,00000000,00000000,?,0041E645,00449504,00000000,00000022,00449504,00000104,00449504,?,0041E0E0,?), ref: 004038F9

LoadLibraryW.KERNEL32(?,?,00000000), ref: 0040B736
GetLastError.KERNEL32 ref: 0040B74B

Strings

C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cpp, xrefs: 0040B76A
Failed to load ISSetup.dll, xrefs: 0040B777, 0040B79E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$LibraryLoad
String ID: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cpp$Failed to load ISSetup.dll
API String ID: 1671792012-324722219
Opcode ID: f043258f18c8b063b4ebbe78132e44e2bb5447c28665bbbaef895d7374e59c14
Instruction ID: f2363c0eede07e334f27323d85b8464b916d0f39223633f11a372910fc756819
Opcode Fuzzy Hash: f043258f18c8b063b4ebbe78132e44e2bb5447c28665bbbaef895d7374e59c14
Instruction Fuzzy Hash: 7831C4B1900244AFDF00EFA5C885A9EBBB8EF54304F10447FE505A7282D7B89E48CB69

Function 00411B0A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411B0F
GetTickCount.KERNEL32 ref: 00411BBF

Strings

X:B, xrefs: 00411BB6
Startup, xrefs: 00411B6E, 00411B8C
SplashTime, xrefs: 00411B3E, 00411B65

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CountH_prologTick
String ID: SplashTime$Startup$X:B
API String ID: 2378785137-3330770416
Opcode ID: b7972c5a71c5fc6f5e0b24510f4e8896ad05045636ec83093b9520f27cf0cf77
Instruction ID: 90150c99a731adc1859ded42a011f39e5ea066f75c9150b602de637503340f75
Opcode Fuzzy Hash: b7972c5a71c5fc6f5e0b24510f4e8896ad05045636ec83093b9520f27cf0cf77
Instruction Fuzzy Hash: 3021A671A05218AFCB14DB99DC909DEB774EB04304F00413FF506E72A2EB785D48CB59

Function 0041D3D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Install,00000000,00000000,?,00000000,?,00000000,00020019,004494DC,004494BC,00000000,?,?,0041D36D,?), ref: 0041D437
RegQueryValueExW.ADVAPI32(?,00458BC8,00000000,00000000,004494BC,00000004,?,?,0041D36D,?,?,?,00000001,?), ref: 0041D456
RegCloseKey.ADVAPI32(?,?,?,0041D36D,?,?,?,00000001,?), ref: 0041D460
RegCloseKey.ADVAPI32(?,?,00000000,00020019,004494DC,004494BC,00000000,?,?,0041D36D,?,?,?,00000001,?,00000000), ref: 0041D472

Strings

Install, xrefs: 0041D429

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CloseQueryValue
String ID: Install
API String ID: 3356406503-3765929189
Opcode ID: fade00607a911b06169866a3b0a6d4891c3de3558105eb61bc8125e6b8648ce7
Instruction ID: 235bcfd97cd8a6d0149fc5d2f2d0252a9232becedafda483a66c6e2515426c61
Opcode Fuzzy Hash: fade00607a911b06169866a3b0a6d4891c3de3558105eb61bc8125e6b8648ce7
Instruction Fuzzy Hash: BC2147B680024EAFDF10CF54DC809DB7BA8FF09394B00452AFD05A7210C374AE54DBA4

Function 00412CEE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412CF3

Part of subcall function 0040226E: __EH_prolog.LIBCMT ref: 00402273

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

Strings

Languages, xrefs: 00412D26
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 00412D06
default, xrefs: 00412D21
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00412CFB

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI$Languages$default
API String ID: 3519838083-3758582029
Opcode ID: 4396898eb976fd81332cf3b9053d2e576b817a556bbf67a0b2abd61e6bdba13f
Instruction ID: e9d321135c567ef713fe51d8bbcb344f13c11400fe35786c5372816ad6f786bd
Opcode Fuzzy Hash: 4396898eb976fd81332cf3b9053d2e576b817a556bbf67a0b2abd61e6bdba13f
Instruction Fuzzy Hash: F2014071D40208AACB10EBA5DA46AEDB7349B04719F60C26BE822771D1D7BC1B0DCA48

Function 0043C4E6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,0043C4BD,?,?,?,?,?,?,?,?,0043C49A,00419518,?,?,00000000), ref: 0043C4F0
GetProcAddress.KERNEL32(00000000), ref: 0043C4F7
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0043C49A,00419518,?,?,00000000,004494FC,00449504), ref: 0043C505

Strings

kernel32, xrefs: 0043C4EB
GetNativeSystemInfo, xrefs: 0043C4E6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressHandleInfoModuleProcSystem
String ID: GetNativeSystemInfo$kernel32
API String ID: 1167836806-3846845290
Opcode ID: 3efad0f75d6449649e7b713af233d271ee833fd47f5e4767c794f9238d294851
Instruction ID: a5067ae673aaf58385cc0971e0bcc8492f0cbe75eadc25f27b54c13aa8298479
Opcode Fuzzy Hash: 3efad0f75d6449649e7b713af233d271ee833fd47f5e4767c794f9238d294851
Instruction Fuzzy Hash: 75C08074640302BF9E011FF05D4DA8B3728AF46703B0004D1F405D0011DB385C40FB1D

Function 00439A5F Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da4f596bdf939752e69942dabf3d4fe4142c5e0159f5ffe6c2c83e86f6f9870
Instruction ID: 78e4294e39adda7859e63c6061877a3d4fe9e094fb47bc1ca432d28672a51fc0
Opcode Fuzzy Hash: 9da4f596bdf939752e69942dabf3d4fe4142c5e0159f5ffe6c2c83e86f6f9870
Instruction Fuzzy Hash: 9051F23150014AFFDF20AF54ACC08BEBB79FB49314F20A17BE55182294D7B5AD81DB59

Function 0042AB4B Relevance: 7.6, APIs: 5, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042AB50
SysAllocString.OLEAUT32(?), ref: 0042AC4A
SysStringLen.OLEAUT32(00000000), ref: 0042AC5D
SysFreeString.OLEAUT32(00000000), ref: 0042AC68
SysFreeString.OLEAUT32(00000000), ref: 0042AC9F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$Free$AllocH_prolog
String ID:
API String ID: 1127608971-0
Opcode ID: 2a66193420bf41596e0fdf02925ced73acf871cdbf4e991f6e75fdd81dd0c1d5
Instruction ID: 1254aa371fdb627ca74c60ec7aa7a85713fb4d38b9a4ea24896d6e9cca5d45a0
Opcode Fuzzy Hash: 2a66193420bf41596e0fdf02925ced73acf871cdbf4e991f6e75fdd81dd0c1d5
Instruction Fuzzy Hash: BA41BF75E002199BDF15DFA5C985BEEBBB4EF09300F50402AE906A7291D738AE06CB59

Function 0043168B Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00463E0C), ref: 004316AF
InterlockedDecrement.KERNEL32(00463E0C), ref: 004316C6
MultiByteToWideChar.KERNEL32(00000009,00000000,000000FF,00000000,00000000,?,00000000,?,?,00401551,00000000,?,00000000,004494BC,?,00429787), ref: 004316EC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Interlocked$ByteCharDecrementIncrementMultiWide
String ID:
API String ID: 817727928-0
Opcode ID: bd544b54f69cc113dfb783d514ef919a37b377118cf04b36f5014d74ab2fd332
Instruction ID: d7ebf8ec953c6dcc3314bdc9533d78e30f309fce6b35b6b7726cfb28044c18c6
Opcode Fuzzy Hash: bd544b54f69cc113dfb783d514ef919a37b377118cf04b36f5014d74ab2fd332
Instruction Fuzzy Hash: E0212734404215FBDB219F51DC847AB7BA8AB0D7A6F38502FF4011A1F1DB788942E6AE

Function 00409536 Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,?,?,00000000,?,00409407,?,?,00000005,?,?,?,00000000), ref: 00409547
LoadResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 00409560
SizeofResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 00409578
GlobalAlloc.KERNEL32(00000040,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 0040958E
LockResource.KERNEL32(?,00000000,?,00409407,?,?,00000005,?,?,?,00000000,?,?,?,00000000), ref: 004095A5

Part of subcall function 0043229C: RaiseException.KERNEL32(00430656,?,?,00000000,00000000,string too long,00430656,?,004533A8,?,string too long,00000000,00000000,?), ref: 004322CA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Resource$AllocExceptionFindGlobalLoadLockRaiseSizeof
String ID:
API String ID: 808658091-0
Opcode ID: c06860fcb12f4cc1f8ceadcd915fdca5dcaf6b2bc2e5e6d6e9d91ae18f67e74e
Instruction ID: bc74b17caa9ba67503aa76f17285ed6250ffba575b859ff2df1454ec63b74189
Opcode Fuzzy Hash: c06860fcb12f4cc1f8ceadcd915fdca5dcaf6b2bc2e5e6d6e9d91ae18f67e74e
Instruction Fuzzy Hash: 690184B6100215BFDF113F66EC89C5F7F7EEB8A398B00183AF50992122DA758D20D768

Function 0042DF76 Relevance: 7.6, APIs: 5, Instructions: 50stringCOMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNEL32(00003CFF,?,00000207), ref: 0042DF94
VerLanguageNameW.KERNEL32(?,?,00000207,00003CFF,?,00000207), ref: 0042DFBE
lstrcmpiW.KERNEL32(?,?,?,?,00000207,00003CFF,?,00000207), ref: 0042DFD1
VerLanguageNameW.KERNEL32(?,?,00000207), ref: 0042DFEE
lstrcpyW.KERNEL32(?,?), ref: 0042DFFD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: LanguageName$lstrcmpilstrcpy
String ID:
API String ID: 422536988-0
Opcode ID: 6dd6326a9d07dba5f7f68284d5cc38e978c66ae2de02d67fee28ba20289454f6
Instruction ID: e1cdf57a7a51321dc834d4c32dd72194118acdc7053a495bea93c944d9687de2
Opcode Fuzzy Hash: 6dd6326a9d07dba5f7f68284d5cc38e978c66ae2de02d67fee28ba20289454f6
Instruction Fuzzy Hash: 9701A7B6A001386EE710AE92EC48EFB77ACEF44304F404176FA95D2041DAB89E858668

Function 00424986 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,0044952C,?,00000000), ref: 004249C2
lstrcpyW.KERNEL32(00000000,00000000), ref: 004249D2
GetModuleFileNameW.KERNEL32(?,00000000,00000400,0044952C,?,00000000), ref: 004249E8
lstrlenW.KERNEL32(00000000,?,00000000), ref: 004249F5
lstrcpyW.KERNEL32(00000000,00000000), ref: 00424A10

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpylstrlen$FileModuleName
String ID:
API String ID: 271103609-0
Opcode ID: 7475e657c201d04007c4720a46b71e0d9b3555bb09f384ee88a8fc4dcb9fe595
Instruction ID: f024bc899d1f9af422d1dcb1f69dbbcb6f00dd4ea53d72df33a2e8f19f58ebfa
Opcode Fuzzy Hash: 7475e657c201d04007c4720a46b71e0d9b3555bb09f384ee88a8fc4dcb9fe595
Instruction Fuzzy Hash: 8F015276900119ABDF50ABA4DC45FEB77ACFB44344F0480BAE604E6060DB74AE898FA4

Function 0040144C Relevance: 7.5, APIs: 5, Instructions: 46fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,?,?,0040143C,00000000,?), ref: 00401458
CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000,?,?,0040143C,00000000,?), ref: 0040146A
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,?,0040143C,00000000,?), ref: 0040147D
UnmapViewOfFile.KERNEL32(00000000,0040143C,00000000,?), ref: 0040149B
CloseHandle.KERNEL32(00000000,?,?,0040143C,00000000,?), ref: 004014A2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: File$View$CloseCreateHandleMappingSizeUnmap
String ID:
API String ID: 1558290345-0
Opcode ID: d2752d837a79e8dbdfd75b531f173a26fbe8688882a4c34d90922ae847e81589
Instruction ID: 2d04941dd2626d73bcc07e408fb89afd6e75e9b9b15cd0aae75ec50a5ccb8549
Opcode Fuzzy Hash: d2752d837a79e8dbdfd75b531f173a26fbe8688882a4c34d90922ae847e81589
Instruction Fuzzy Hash: 69F04F36502124BBDB211BA6DC8DCDF7E6CEF46BB0B044571F60592160D6B54D00E7E8

Function 0042388A Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00423892
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042389F
MulDiv.KERNEL32(?,00000000), ref: 004238A9
ReleaseDC.USER32(?,00000000), ref: 004238B7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004238D5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CapsCreateDeviceFontRelease
String ID:
API String ID: 2367478762-0
Opcode ID: a14564888ddffc72fffcc1040ab02d31ece89bb8d430062a3978d925d9b4cf71
Instruction ID: 0f67cd131e9585eb87f66aedf549a58bcbe32585a23a9edb3c126af04573b914
Opcode Fuzzy Hash: a14564888ddffc72fffcc1040ab02d31ece89bb8d430062a3978d925d9b4cf71
Instruction Fuzzy Hash: 00F0B2B6100108BFEB021F91EC08CBB7F6DEB5A662B004021FE05C4060C7368D22ABB5

Function 00433F53 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,004340E9,004314B3,00000000,?,?,00000000,00000001), ref: 00433F55
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00433F63
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00433FAF

Part of subcall function 004380BD: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 004381B3

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00433F87
GetCurrentThreadId.KERNEL32 ref: 00433F98

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 0a2896394c469962eebcca4e619ab4e77eecdd72209f08369a1e2d2884106ae8
Instruction ID: b91eb1ee3eb3dc04091e878d18abb9c618fd5b3d5a27af7b41b33e487da62dec
Opcode Fuzzy Hash: 0a2896394c469962eebcca4e619ab4e77eecdd72209f08369a1e2d2884106ae8
Instruction Fuzzy Hash: 7AF0F639D052116BCA316F31BC09A1B7B70BB097B2F11097AF851972E0CF688C019A99

Function 0041E2AC Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041E2B1

Strings

I64, xrefs: 0041E387
%*.*f, xrefs: 0041E53B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: %*.*f$I64
API String ID: 3519838083-2444075078
Opcode ID: e2328e4c337417630bb5732b0bc2d5def351752f45d17fcb316a22bc696ebd66
Instruction ID: 8863e43bf3d9ae1d59ee8faa6bd4146eeb4cfb993a0038c9d3ec1cf39d25dd18
Opcode Fuzzy Hash: e2328e4c337417630bb5732b0bc2d5def351752f45d17fcb316a22bc696ebd66
Instruction Fuzzy Hash: 5591957D90021AABDB249FABC9497FE77A0EB04328F148017EC5197281E77C8DC18B5D

Function 00407FE6 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407FEB

Strings

I64, xrefs: 004080C1
%*.*f, xrefs: 00408275

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: %*.*f$I64
API String ID: 3519838083-2444075078
Opcode ID: 630e14656d2adf9f6b7bdacc24c05c8021c5f43c56fff621fd45dd01a7d7f6c3
Instruction ID: 2401a9b532a1f4ab25cdab269c154247233fa56bf221d45fc4805bf9e7197cd4
Opcode Fuzzy Hash: 630e14656d2adf9f6b7bdacc24c05c8021c5f43c56fff621fd45dd01a7d7f6c3
Instruction Fuzzy Hash: 6391C2758006069BDB209E68CA486BF77A0FF14324F14807FE891BA2D1DF7C8E56CA5D

Function 004215F5 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004215FA
ctype.LIBCPMT ref: 0042186D

Strings

4HB, xrefs: 004216C0, 0042170F, 0042173F, 00421683
4HB, xrefs: 00421607

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologctype
String ID: 4HB$4HB
API String ID: 3037903784-2889371011
Opcode ID: 4dcff9a236b89fe14cc70ca42220d58b6f2234708f232a5d19a5dbbf626be950
Instruction ID: f40b674956200a872a2b68c627f12ded1100c92200f4a62713891102ba81901a
Opcode Fuzzy Hash: 4dcff9a236b89fe14cc70ca42220d58b6f2234708f232a5d19a5dbbf626be950
Instruction Fuzzy Hash: C5B11574B01611DFC725DF04D29096ABBF2FF98314BA880AED51A8B361D736EC42CB84

Function 00414939 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041493E
GetVersionExW.KERNEL32(?), ref: 00414960

Strings

dotnetfxsp1.exe, xrefs: 00414A4B, 00414A6C, 00414B33, 00414B4E
(, xrefs: 00414ACE

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologVersion
String ID: ($dotnetfxsp1.exe
API String ID: 1836448879-2075559237
Opcode ID: 7304f88c4989debf8f66218f3a4fc9bd16dfde64966184f8a4b83b06cd0f056a
Instruction ID: 50f70b294ddbad0153fd32734ceabd1d5d75870601fe394f88eda91b3c520899
Opcode Fuzzy Hash: 7304f88c4989debf8f66218f3a4fc9bd16dfde64966184f8a4b83b06cd0f056a
Instruction Fuzzy Hash: 81719E71D00259AADF14DF95C885BEEBBB8AF55314F1041AFE409B7281DB785F88CB28

Function 0043DF31 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043DF36

Part of subcall function 0043C8C3: LoadLibraryW.KERNEL32(wininet.dll,?,0043DF51), ref: 0043C8D8
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0043C8F8
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetOpenUrlW), ref: 0043C90A
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetConnectW), ref: 0043C91C
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCrackUrlW), ref: 0043C92E
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCreateUrlW), ref: 0043C940
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetGetLastResponseInfoW), ref: 0043C952
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetOptionW), ref: 0043C964
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpQueryInfoW), ref: 0043C976
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpOpenRequestW), ref: 0043C988
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpSendRequestW), ref: 0043C99A
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpSendRequestExW), ref: 0043C9AC
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(HttpEndRequestW), ref: 0043C9BE
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetQueryOptionW), ref: 0043C9D0
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCanonicalizeUrlW), ref: 0043C9E2
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetGetCookieW), ref: 0043C9F4
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetCookieW), ref: 0043CA06
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetFindNextFileW), ref: 0043CA18
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 0043CA2A
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetStatusCallbackW), ref: 0043CA3C
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetSetStatusCallback), ref: 0043CA52
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetCloseHandle), ref: 0043CA64
Part of subcall function 0043C8C3: GetProcAddress.KERNEL32(InternetReadFile), ref: 0043CA76

Part of subcall function 0043CCE6: SetLastError.KERNEL32(0000007F,0043DC85,?,00000000,00000000,0000003C,00000000,10000000,00000000,0043DF7C,?,10000000,00000001), ref: 0043CCFE

Part of subcall function 0040A351: __EH_prolog.LIBCMT ref: 0040A356
Part of subcall function 0040A351: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,?,0043DFDE,00000001), ref: 0040A376
Part of subcall function 0040A351: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,0043DFDE,00000001), ref: 0040A382

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 0043E036
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0043E05E

Strings

<, xrefs: 0043DF56

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressProc$CreateEventH_prolog$ByteCharErrorLastLibraryLoadMultiWidelstrlen
String ID: <
API String ID: 2175430876-4251816714
Opcode ID: 27c465d2aec3c7f14129a5b5b2bbdf98b4be4c5f0990d014cbce0643cfeb61f3
Instruction ID: 609de80cc572fde59c82d587db4c4705df8b8bccaa5e1c873a21d89108849243
Opcode Fuzzy Hash: 27c465d2aec3c7f14129a5b5b2bbdf98b4be4c5f0990d014cbce0643cfeb61f3
Instruction Fuzzy Hash: 6351CD71E00219AFDF14DFA5C889EAEBBB9AF09348F14405EF505A7381DB799E00CB65

Function 0041CDEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CDF3

Part of subcall function 00401586: __EH_prolog.LIBCMT ref: 0040158B
Part of subcall function 00401586: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015B4
Part of subcall function 00401586: SetLastError.KERNEL32(?,00000000,?,00429698,?,00000000,?,?,00000000), ref: 004015E2

Part of subcall function 0041CFC8: __EH_prolog.LIBCMT ref: 0041CFCD
Part of subcall function 0041CFC8: VariantChangeType.OLEAUT32(004494DC,004494DC,00000000,00000002), ref: 0041D00D
Part of subcall function 0041CFC8: VariantClear.OLEAUT32(004494DC), ref: 0041D1D1

RegQueryValueExW.ADVAPI32(?,Version,00000000,00000000,?,?,80000002,?,00020019,?,00000000,?,004494BC,00000000), ref: 0041CEB5
RegCloseKey.ADVAPI32(00000000,?,00000000,80000002,?,00020019,?,00000000,?,004494BC,00000000), ref: 0041CFB1

Strings

Version, xrefs: 0041CEA6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ErrorLastVariant$ChangeClearCloseQueryTypeValue
String ID: Version
API String ID: 1010819254-1889659487
Opcode ID: 260aa963f63c7485f1a0b7773ff12898b275eec7884f1c2009b6a04f40536a69
Instruction ID: f09c21e045eeab9d475130e4525ba0e0a7f1c11aac5966fb33ce2672ada970ee
Opcode Fuzzy Hash: 260aa963f63c7485f1a0b7773ff12898b275eec7884f1c2009b6a04f40536a69
Instruction Fuzzy Hash: B7518E71D00209AFDF10DF95CC85BEEBBB8AF54308F10416EE509B7291DB78AA49CB58

Function 0041D95C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D961
GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,00000400,?,00000000,00449504,?,00000000,ISSetup.dll,?,00000000,0044952C,00000000,?), ref: 0041DA10

Strings

ISSetup.dll, xrefs: 0041DA52
ISSetup.dll, xrefs: 0041D96F, 0041D997

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: FileH_prologModuleName
String ID: ISSetup.dll$ISSetup.dll
API String ID: 2929834794-1816852773
Opcode ID: 4fcc98fc9c47e4baa9b6c3200237ca362df14bf538369bb754aa28d070a25d7e
Instruction ID: 1f4c97b011636e7164d804eef427c6fe0d2e7059b56c964b0eec23773cf66af6
Opcode Fuzzy Hash: 4fcc98fc9c47e4baa9b6c3200237ca362df14bf538369bb754aa28d070a25d7e
Instruction Fuzzy Hash: 6C41D571901148BEDB14EBA5C955EDEBBB8AF15304F1080AEF506B32D2DB785F09DB14

Function 004208AC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004208B1

Strings

TRANSFORMS=:InstanceId%d.mst, xrefs: 00420958
/n %s, xrefs: 004209C4
MSINEWINSTANCE=1, xrefs: 004208EB, 00420910

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: /n %s$MSINEWINSTANCE=1$TRANSFORMS=:InstanceId%d.mst
API String ID: 3519838083-1310859168
Opcode ID: d0c6acc4186f1e000a01a812ab0c8061deddb874ac9bf47f33c72ce0cb07870b
Instruction ID: c58a48610a1941401ceba73e917a5c5a3da5897d001f5cc7aa07b48d1b251e9e
Opcode Fuzzy Hash: d0c6acc4186f1e000a01a812ab0c8061deddb874ac9bf47f33c72ce0cb07870b
Instruction Fuzzy Hash: 614193B1D00258EEDF11DFA4C8909DEBBB8BF18304F54416EE405B3252DB389A4ADB64

Function 00423D7D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00423E43
lstrcatW.KERNEL32(?,?), ref: 00423E81
wsprintfW.USER32 ref: 00423EA3

Part of subcall function 00424110: __EH_prolog.LIBCMT ref: 00424115
Part of subcall function 00424110: GetLastError.KERNEL32(004494FC,0000002D,?,00429CDF,00000001,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00424141
Part of subcall function 00424110: SetLastError.KERNEL32(?,?,00429CDF,00000001,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00424177

Strings

%01d.%01d %s%s, xrefs: 00423E3D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLastwsprintf$H_prologlstrcat
String ID: %01d.%01d %s%s
API String ID: 3897922275-3724692234
Opcode ID: 5992f8b7c2d224bb2b767f7951a6c2d7d7ed28b864f70fe959a979f74dc89c2b
Instruction ID: 6a09f02f4a8558ef9e61bcfd63ad71762479663bd55d3a6f4428132925efb698
Opcode Fuzzy Hash: 5992f8b7c2d224bb2b767f7951a6c2d7d7ed28b864f70fe959a979f74dc89c2b
Instruction Fuzzy Hash: 673185B6A00128ABDB14DB54DC91FDB73ADEB44305F4040AAB709E7181DA78DE598BA8

Function 0041B44A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,00000000), ref: 0041B49A
wsprintfW.USER32 ref: 0041B4DD

Strings

%s /g %s /g %s, xrefs: 0041B4D1
%s /g %s /g %s /s, xrefs: 0041B4CA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: %s /g %s /g %s$%s /g %s /g %s /s
API String ID: 2408954437-3131057161
Opcode ID: c73431178a771ed848e6fdea49abb6223d1c3587fc03f1178fffffdebf33a509
Instruction ID: a5a9a9cfc96de22d7e65a9fb9438ccf9a73fcc1d8754c0b1af9744170f3dec90
Opcode Fuzzy Hash: c73431178a771ed848e6fdea49abb6223d1c3587fc03f1178fffffdebf33a509
Instruction Fuzzy Hash: C731A635B0031CBACF109F64DC809DB736AEB48345F1045BBF505E2261EBB99ED58B5A

Function 004268F2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004268F7

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

wsprintfW.USER32 ref: 00426964

Part of subcall function 0042660A: SetWindowTextW.USER32(?,?), ref: 00426614

Part of subcall function 00401504: __EH_prolog.LIBCMT ref: 00401509
Part of subcall function 00401504: SetLastError.KERNEL32(?,?,00000000,004494BC,?,00429787,C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp,?,00000001,?,?,00000000,debuglog,00000000,00000000,00000000), ref: 0040156F

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 0042699F
%s: %s, xrefs: 0042695E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologwsprintf$ErrorLastLoadStringTextWindow
String ID: %s: %s$C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 176070036-2436742998
Opcode ID: bcea396b3356f1a31f139414efb0199030b138b9d0923735b826ef2fd808fc81
Instruction ID: 6d711b7efceedfd0696818320c289cf56979d12542650bcbbef2e0b9fe3a810d
Opcode Fuzzy Hash: bcea396b3356f1a31f139414efb0199030b138b9d0923735b826ef2fd808fc81
Instruction Fuzzy Hash: 88217F71A00118EADB10EFA4CC51BEEB778BF04314F40856AEA15A61E1DB789B59CB98

Function 004264A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004264A8

Part of subcall function 00407AFA: __EH_prolog.LIBCMT ref: 00407AFF

wsprintfW.USER32 ref: 00426548

Strings

Location, xrefs: 00426502
%s/%s, xrefs: 00426540

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$wsprintf
String ID: %s/%s$Location
API String ID: 172397338-42320356
Opcode ID: 773696265696e1f7b55f4f6d7cdb404b5f7a0cc39bd974fe5c7cb044192805f6
Instruction ID: 3275f3e20ef7fab292d32e8b7c72caf6bc7b06a95f93b788e8a07ac722801523
Opcode Fuzzy Hash: 773696265696e1f7b55f4f6d7cdb404b5f7a0cc39bd974fe5c7cb044192805f6
Instruction Fuzzy Hash: E1118272A01118AADB10EB54CD45FDEB7B8EF54704F1081AAB506A7191DBB8AF04CB98

Function 00438325 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 00438348
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 0043835E
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00434147,?,?,?,00000000,00000001), ref: 00438391
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 004383F9
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00434147,?), ref: 0043841E

Strings

GAC, xrefs: 0043833D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: GAC
API String ID: 352835431-2351115321
Opcode ID: 99c4cbcc2b2499c41f1491db2aa4b5e56f98c62eb77f36c92e1fd69bbdcdba3b
Instruction ID: 0b3ff198b14b5593d58888da3a29b4ab2d26cb68d80aa77bec45a9e4a36cb77b
Opcode Fuzzy Hash: 99c4cbcc2b2499c41f1491db2aa4b5e56f98c62eb77f36c92e1fd69bbdcdba3b
Instruction Fuzzy Hash: 65113636900209EBCF228F94CD04ADEBBB6FB8C750F14816AFE2462660D7368D61DB54

Function 0042C933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000), ref: 0042C94F
wsprintfW.USER32 ref: 0042C984

Part of subcall function 0042C78E: __EH_prolog.LIBCMT ref: 0042C793

LocalFree.KERNEL32(?), ref: 0042C99C

Strings

%s %s, xrefs: 0042C97E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: FormatFreeH_prologLocalMessagewsprintf
String ID: %s %s
API String ID: 1200432034-2939940506
Opcode ID: 852d6a9014dd114e9894cec2129e4600b93889de516ea361ba1f460f63691310
Instruction ID: 5c6c922665d503af3db729ed12aa98ef47c50c95807d0365c7a0e4a1ba00075c
Opcode Fuzzy Hash: 852d6a9014dd114e9894cec2129e4600b93889de516ea361ba1f460f63691310
Instruction Fuzzy Hash: 9901D176600129BADF205BA1EC08FDB7BACFF05760F008075B909E9190D6749A49DFD8

Function 00412D83 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412D88

Part of subcall function 0040226E: __EH_prolog.LIBCMT ref: 00402273

Part of subcall function 00413367: __EH_prolog.LIBCMT ref: 0041336C
Part of subcall function 00413367: lstrcmpW.KERNEL32(?,0045D464,?,?,0045D464,?,?,Languages,00000000,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,004267B9,Languages,count,00000000,?), ref: 0041339B

Strings

count, xrefs: 00412DBB
Languages, xrefs: 00412DC0
C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI, xrefs: 00412D9E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrcmp
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI$Languages$count
API String ID: 4174983478-1878885997
Opcode ID: 1e321c507c45194274bf3333499b857772009fc740bd226ad3bc8ccacc3bd34f
Instruction ID: d9a6142409199c54992b15bea377e4e79b985a51795b5d55d4827e8e6faa5865
Opcode Fuzzy Hash: 1e321c507c45194274bf3333499b857772009fc740bd226ad3bc8ccacc3bd34f
Instruction Fuzzy Hash: 9A017171A01114AACB14EBA8D946ADDB774EB04715F20826FE822B61D1DBB85B08CB58

Function 00439A02 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00463E0C), ref: 00439A0E
InterlockedDecrement.KERNEL32(00463E0C), ref: 00439A25

Part of subcall function 004343E7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 00434424
Part of subcall function 004343E7: EnterCriticalSection.KERNEL32(?,?,?,00438173,00000009,00000000,00000000,00000001,00433F78,00000001,00000074,?,?,00000000,00000001), ref: 0043443F

InterlockedDecrement.KERNEL32(00463E0C), ref: 00439A55

Strings

A(C, xrefs: 00439A05

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: A(C
API String ID: 2038102319-1016168549
Opcode ID: 56c540615965d03b694a4c82ace2665c4eb4785c7ab9ef531f32d6738b8a7855
Instruction ID: 161a3384d85f3e921952af05cd567a4567d3523a4a844bdf90faee0f2bd5e635
Opcode Fuzzy Hash: 56c540615965d03b694a4c82ace2665c4eb4785c7ab9ef531f32d6738b8a7855
Instruction Fuzzy Hash: EBF0B43620029EAFEB007F95AC81DDB3B5CEF89315F14503BFA0009150D7F69E519AA9

Function 00413367 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041336C

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

lstrcmpW.KERNEL32(?,0045D464,?,?,0045D464,?,?,Languages,00000000,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,004267B9,Languages,count,00000000,?), ref: 0041339B

Part of subcall function 00432223: WideCharToMultiByte.KERNEL32(00000000,00000000,004494BC,000000FF,00408084,00000014,00000000,00000000,00408084,?,004494C4,004494BC,00000000), ref: 0043223A

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00413372
Languages, xrefs: 00413374

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$ByteCharMultiWidelstrcmp
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}$Languages
API String ID: 3124032524-3529412405
Opcode ID: 6cd71bb506db4b3e2582afca83b74dde998270775c3f95ac04a8873a29777f3d
Instruction ID: 542198138d705b2e4d8b91ff939b4c0f8ffdea7921bbb85594b3d257de6922fd
Opcode Fuzzy Hash: 6cd71bb506db4b3e2582afca83b74dde998270775c3f95ac04a8873a29777f3d
Instruction Fuzzy Hash: A5F06D31900209ABCF129F46DD06ADF7B25EF053A6F00806ABC1566262C7798D24EAA8

Function 0043650E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00432256), ref: 00436513
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00436523

Strings

IsProcessorFeaturePresent, xrefs: 0043651D
KERNEL32, xrefs: 0043650E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: ccb036facff9c559496e0cf360281e4af6ca7a7d62f901dd59e595ba9c324758
Instruction ID: 1b4aad46e8f2c6abb6018c994abf4e2f12f472e5596cab2cc24622b83d9c6e3c
Opcode Fuzzy Hash: ccb036facff9c559496e0cf360281e4af6ca7a7d62f901dd59e595ba9c324758
Instruction Fuzzy Hash: 06C01220BC57037AEA10ABB92C0BB1B21086B29F02FA9D4E26002D02C4CA9DC900B02E

Function 00433265 Relevance: 6.5, APIs: 5, Instructions: 278COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5e81985dc0ff94d6505069b8f1f3a6807bcb3fc3e99165b200dbf32e0173ab
Instruction ID: eb0c448aa34f0456842043f465822fb73a92253e5d5fa00a606465740a85c24a
Opcode Fuzzy Hash: dd5e81985dc0ff94d6505069b8f1f3a6807bcb3fc3e99165b200dbf32e0173ab
Instruction Fuzzy Hash: 50912971D00614BBCF21AF69DC41ADF7AB4EB4C765F20662BF815A6290E7398F40876C

Function 00435176 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,00435642,00000000,00000010,00000000,00000009,00000009,?,00431921,00000010,00000000), ref: 00435197
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00435642,00000000,00000010,00000000,00000009,00000009,?,00431921,00000010,00000000), ref: 004351BB
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00435642,00000000,00000010,00000000,00000009,00000009,?,00431921,00000010,00000000), ref: 004351D5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00435642,00000000,00000010,00000000,00000009,00000009,?,00431921,00000010,00000000,?), ref: 00435296
HeapFree.KERNEL32(00000000,00000000,?,?,00435642,00000000,00000010,00000000,00000009,00000009,?,00431921,00000010,00000000,?,00000000), ref: 004352AD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 6f4897d54d398a08cec12c56da23a0c5e996c1f2f82f2f9dc8b1059c01b11b2e
Instruction ID: bae2536158706dd91d01b24259c3c1694b84607c93938249cef998f227e1fb49
Opcode Fuzzy Hash: 6f4897d54d398a08cec12c56da23a0c5e996c1f2f82f2f9dc8b1059c01b11b2e
Instruction Fuzzy Hash: FA31E571A40B019FD3308F24EC41B27B7E0FB4975AF104A7AF55697391E7B9A8108B5E

Function 0042EF5A Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000000,GIF87a), ref: 0042EF9E
lstrcmpA.KERNEL32(00000000,GIF89a), ref: 0042EFB6

Strings

GIF87a, xrefs: 0042EF98
GIF89a, xrefs: 0042EFB0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcmp
String ID: GIF87a$GIF89a
API String ID: 1534048567-2918331024
Opcode ID: 7f9278133c58dce9da3a5150115f5ae57892822b2d5cf589395b1febef6fe2b1
Instruction ID: c2d21a878d5fe83d57717c67c1c5b1a15ac99456963689b27d960444da13c10a
Opcode Fuzzy Hash: 7f9278133c58dce9da3a5150115f5ae57892822b2d5cf589395b1febef6fe2b1
Instruction Fuzzy Hash: F561FB71600201EFDB109F64E885EA6B7B9FF09348FE0447BE945CA242E379E959CB58

Function 004386E6 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000002,004494BC,004494BC), ref: 004387AD

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 12dd349334a23840cf39015409670f2c0571f63f53a1434c5c31db49dee2aa92
Instruction ID: 7a2594df62ede6e54ab9efc37e4d37bd96b64fbae8a856e8ce7f448046203343
Opcode Fuzzy Hash: 12dd349334a23840cf39015409670f2c0571f63f53a1434c5c31db49dee2aa92
Instruction Fuzzy Hash: FB51BC75900208EFCB15DF68C884A9EBBB5FF89340F2094AAF9159B251CB74DA40CB69

Function 0040B2D1 Relevance: 6.1, APIs: 4, Instructions: 118windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B2D6
GetWindowDC.USER32(00000000,?,?,00000000,00000000), ref: 0040B3B6
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0040B3D1
ReleaseDC.USER32(00000000,?), ref: 0040B3F8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: BitmapCreateH_prologReleaseWindow
String ID:
API String ID: 245086582-0
Opcode ID: e044958e11f6005425db251ea36914c693edc37204b15c016077304b93ea7cf0
Instruction ID: 52f3583894a11b878cc05bf03f105185f1d950c9f7f2ba46dcccaaae205d3399
Opcode Fuzzy Hash: e044958e11f6005425db251ea36914c693edc37204b15c016077304b93ea7cf0
Instruction Fuzzy Hash: 74417AB1A001199FDB14DFA5DC81EEEBBB9FF48304F10416AE515A72A1D7349A40CB18

Function 0041C8F7 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041C8FC
SHBrowseForFolderW.SHELL32(?), ref: 0041C992
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041C9AE
SHGetMalloc.SHELL32(?), ref: 0041C9B8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: BrowseFolderFromH_prologListMallocPath
String ID:
API String ID: 2903126782-0
Opcode ID: a785c7c778e659f8e732b554a3869d4ff642186fd3fe8cf855cde1f803c38922
Instruction ID: a417f7945990e0aaa2068ffb640ff4cf8c994188c2ae96b7d70052a3c194ff1f
Opcode Fuzzy Hash: a785c7c778e659f8e732b554a3869d4ff642186fd3fe8cf855cde1f803c38922
Instruction Fuzzy Hash: 4041427190021DAFDB10DFA4DD84ADEBBB8AF09314F1080AAE505F7251DB749E49CF55

Function 00422EA0 Relevance: 6.1, APIs: 4, Instructions: 99windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422EA5
wsprintfW.USER32 ref: 00422EFD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00422F16
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00422F41

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MessageSendwsprintf$H_prologLoadString
String ID:
API String ID: 3060264081-0
Opcode ID: 1951400e5dd2f28a9c1f8202bb175a739b3f238a0822fa5efef3bf261ac6b027
Instruction ID: a257bc9fb82bc0ed6e13fdb524e5384e682773defb17802f42993000b2cd0f5f
Opcode Fuzzy Hash: 1951400e5dd2f28a9c1f8202bb175a739b3f238a0822fa5efef3bf261ac6b027
Instruction Fuzzy Hash: 65318771A00228BBDF14DFA4DC809EEBBB9FB08314F50816AF519A7290DB749E45DB54

Function 0040AAF2 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 0040ABA9: GetVersionExW.KERNEL32(?), ref: 0040ABCC

CompareStringW.KERNEL32(00000400,00000000,?,?,?,?,?,?,?,?,0040AA7D,?,?,?), ref: 0040AB14
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 0040AB87
CompareStringA.KERNEL32(00000400,00000001,?,?,00000000,?,?,?,00000000,00000000,?,?,?,?,0040AA7D,?), ref: 0040AB99

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CompareString$ByteCharMultiVersionWide
String ID:
API String ID: 3684582312-0
Opcode ID: 3f93e71c6dcec958cf6a525b6114fc0e8c243e1d7c2e2d95948c9139e767a95a
Instruction ID: 2fff736d38c3329de775445e11350350ffa7bb9a5684807e24f60d6c784a8c32
Opcode Fuzzy Hash: 3f93e71c6dcec958cf6a525b6114fc0e8c243e1d7c2e2d95948c9139e767a95a
Instruction Fuzzy Hash: 80216DB2101349BFEB019F94CC85DFB7B6DEF19358B00482AFA1586251E375EA20CBB5

Function 004015FB Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401600
lstrlenA.KERNEL32(00000000,00000000,00000000,004494C4,?,00000000,?,00401567,00000000,00000000,?,00000001,?,00000000,004494BC), ref: 0040164F
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00000000,?,00401567,00000000,00000000,?,00000001,?,00000000), ref: 0040168A
SetLastError.KERNEL32(?,?,?,00000001,?,00000000,?,00401567,00000000,00000000,?,00000001,?,00000000,004494BC), ref: 004016A2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ByteCharErrorH_prologLastMultiWidelstrlen
String ID:
API String ID: 1667447809-0
Opcode ID: 3a8008080ec924ec1584490b36973d4161a149674314d27003db8a90d760dffc
Instruction ID: 00205476f3fcc25de7e354f5dc457bd3dc7c74a61d73a6b7b3ac17427f008028
Opcode Fuzzy Hash: 3a8008080ec924ec1584490b36973d4161a149674314d27003db8a90d760dffc
Instruction Fuzzy Hash: DC21EAB1900209ABCB109F19DC449AFBBA8FF85354F14893BF804A72A0C7798D41CBA8

Function 00403AC0 Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403AC5
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,004028EB,00000000,00000000,?,00000001,?,00000000), ref: 00403B14
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00000000,?,004028EB,00000000,00000000,?,00000001,?,00000000), ref: 00403B4F
SetLastError.KERNEL32(?,?,?,00000001,?,00000000,?,004028EB,00000000,00000000,?,00000001,?,00000000), ref: 00403B67

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ByteCharErrorH_prologLastMultiWidelstrlen
String ID:
API String ID: 1667447809-0
Opcode ID: 3c2bb3a3c5d2daf3785554f8d92b95abfc9f1851aed6113debb1f5c2132e74f4
Instruction ID: 7d6fb5c475267a5e91656b99c2e5f89c64276e0cdb9425d9356ad24556febd49
Opcode Fuzzy Hash: 3c2bb3a3c5d2daf3785554f8d92b95abfc9f1851aed6113debb1f5c2132e74f4
Instruction Fuzzy Hash: 5621ED71900115ABCF109F59D8459AFBFB8FF85359F10453BF801A72A1C7788E01DB98

Function 00410024 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410029
GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00427389,no_engine,?,00000001,?,00000000,00000000,?,?,00000000,0000000A,Startup), ref: 00410052
SetLastError.KERNEL32(00000003,00000000,?,00427389,no_engine,?,00000001,?,00000000,00000000,?,?,00000000,0000000A,Startup,00000000), ref: 00410089
SetLastError.KERNEL32(?,?,00427389,no_engine,?,00000001,?,00000000,00000000,?,?,00000000,0000000A,Startup,00000000,00000000), ref: 004100C1

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog
String ID:
API String ID: 2881783280-0
Opcode ID: 1f1cf6f31c13cd2fbb990697a0cba8da92993e60205ff11cbddf3715906b82ab
Instruction ID: b136014acc71ca1a1b50ddeb7cc23816279d1058da1baabcc7961e4794014fea
Opcode Fuzzy Hash: 1f1cf6f31c13cd2fbb990697a0cba8da92993e60205ff11cbddf3715906b82ab
Instruction Fuzzy Hash: 9C215875500A04EFCB21DF59D880A9AFBF0FF18704B14856EE58A97321C7B9EA45CF88

Function 0040A781 Relevance: 6.1, APIs: 4, Instructions: 60sleepfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A786

Part of subcall function 0042B5DC: SysFreeString.OLEAUT32(00000000), ref: 0042B5F1
Part of subcall function 0042B5DC: SysStringLen.OLEAUT32(00000000), ref: 0042B5FA
Part of subcall function 0042B5DC: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0042B604

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,0044957C,?,00000000,?,00409FA7), ref: 0040A7CA
CloseHandle.KERNEL32(00000000,?,0044957C,?,00000000,?,00409FA7), ref: 0040A7E2
Sleep.KERNEL32(000001F4,?,0044957C,?,00000000,?,00409FA7), ref: 0040A7FA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$AllocCloseCreateFileFreeH_prologHandleSleep
String ID:
API String ID: 3588077592-0
Opcode ID: 62a928e88ec87662956dd78d6e68d16e10ce8c88e754086710c9f15cce45337e
Instruction ID: b4072940c4f84a1bb34f8e888f555a40043651e243df103dd10e7580bf84774e
Opcode Fuzzy Hash: 62a928e88ec87662956dd78d6e68d16e10ce8c88e754086710c9f15cce45337e
Instruction Fuzzy Hash: AD118F36200342ABD724DF249C46B5BB7E4FB85339F104B2EF5A1A22D1C7B8D855CB5A

Function 0041252E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0404,?,004123BC,00000000,004123BC,?,00412507,004123BC,004609F8,004123BC,00000000), ref: 0041253B
lstrcmpiW.KERNEL32(0404,ALL,?,00412507,004123BC,004609F8,004123BC,00000000), ref: 0041254B

Strings

0404, xrefs: 00412534, 0041253A, 0041254A, 0041255B
ALL, xrefs: 00412545

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcmpilstrlen
String ID: 0404$ALL
API String ID: 3649823140-2444674706
Opcode ID: 48fc0df29e03da88fa33ce4e60cc0b6d53538c8feaa6aa568db8c696c9f5a779
Instruction ID: 9d6d278682757d11f6ab5a8af13e91d202792f82fdc2e75c41c2649daab29040
Opcode Fuzzy Hash: 48fc0df29e03da88fa33ce4e60cc0b6d53538c8feaa6aa568db8c696c9f5a779
Instruction Fuzzy Hash: 9101F732A011117BE618A752ED9AEDB362CDF45325F64042BFC09E2181E798AE4481BD

Function 0043D0F3 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000FF), ref: 0043D11C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0043D12C
TranslateMessage.USER32(?), ref: 0043D13A
DispatchMessageW.USER32(?), ref: 0043D144

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$DispatchMultipleObjectsPeekTranslateWait
String ID:
API String ID: 2231909638-0
Opcode ID: ba095be6571233313f6bf0eab594bfc6fee25112a49e2c47aae6e88bda958c21
Instruction ID: ec5aa8f204bc3fba9853027cdd42b9f200dbb10b32c60231cc028756ca486a36
Opcode Fuzzy Hash: ba095be6571233313f6bf0eab594bfc6fee25112a49e2c47aae6e88bda958c21
Instruction Fuzzy Hash: 19015A76A00108BFDB009F94EC89EEB776CEB09360F008022B605C7150D278DD459B64

Function 0042D13A Relevance: 6.0, APIs: 4, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 0042D156
CharNextW.USER32(00000000), ref: 0042D185
lstrcpyW.KERNEL32(?,?), ref: 0042D19B
lstrcpyW.KERNEL32(?,00000000), ref: 0042D1A1

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$CharNext
String ID:
API String ID: 3801418090-0
Opcode ID: 1265830a693c1b619792d967cba98b6d8ca6e133da77985320af57a5bf484641
Instruction ID: 7c5a55148aa2fbd918bad43e826b33b4b5fa6ca1736462be19cd6883dafc9832
Opcode Fuzzy Hash: 1265830a693c1b619792d967cba98b6d8ca6e133da77985320af57a5bf484641
Instruction Fuzzy Hash: 1C01DB375001197ADB2067A1EC45FAB37ADFB84361F100477F504D6080DE749D188F94

Function 0042D0C9 Relevance: 6.0, APIs: 4, Instructions: 48stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?), ref: 0042D0F1
CharNextW.USER32(00000000,?,00000000), ref: 0042D10A
lstrcpyW.KERNEL32(00000104,?), ref: 0042D124
lstrcpyW.KERNEL32(?,00000000), ref: 0042D12A

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$CharNext
String ID:
API String ID: 3801418090-0
Opcode ID: 64ef819f1196ccc9fa95b8d13ff89874d16e70f8613fcf229634e12379651f2d
Instruction ID: bdbbf79ed39f9beeb26aa294a5391a1990ec8de2a967b5b6eccbd43db0aa8353
Opcode Fuzzy Hash: 64ef819f1196ccc9fa95b8d13ff89874d16e70f8613fcf229634e12379651f2d
Instruction Fuzzy Hash: 52018637A04128ABDB61AFA4EC81EABBBADFB44310F144077F544D3141DA74DD558BA4

Function 00422C56 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00422C72
GetDlgItem.USER32(00000000), ref: 00422C85

Part of subcall function 00422D2B: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00422DB4
Part of subcall function 00422D2B: SendMessageW.USER32(?,00001036,00000000,00000020), ref: 00422DCB
Part of subcall function 00422D2B: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00422DD7

EnableWindow.USER32(00000000,00000000), ref: 00422C9F
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00422CC0

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: MessageSend$Item$EnableWindow
String ID:
API String ID: 1570322866-0
Opcode ID: 6a199f9e0d83f02eff58741be88f2d5a84634c2dc6448f2bf944fc6b6be2a73d
Instruction ID: c5862739d20a2ef9d29c667547b9b0ceb68487635bd59ca344f2d2756abf2c2d
Opcode Fuzzy Hash: 6a199f9e0d83f02eff58741be88f2d5a84634c2dc6448f2bf944fc6b6be2a73d
Instruction Fuzzy Hash: DD01BC71600358BFEF119F61ED09BAF3BA8EB45350F144066F901962A1C7F48D50EBA8

Function 00401CCE Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401CD3
GetLastError.KERNEL32(004494FC,004494C0,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401CF6
SysFreeString.OLEAUT32(?), ref: 00401D14
SetLastError.KERNEL32(?,00000001,?,0042AC33,?,004494C0,?,?,00000000,?,?,?,00000000,004494C4,004494BC,00000000), ref: 00401D34

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$FreeH_prologString
String ID:
API String ID: 1156525562-0
Opcode ID: 956e4d0f0866a5495c3dbec4c2936e9e90e1632c836716575f04700c84d95f3e
Instruction ID: 14a89b9f610c67b7a0908303558224a9bd13b1a0b4366a28004caee3b31da4dd
Opcode Fuzzy Hash: 956e4d0f0866a5495c3dbec4c2936e9e90e1632c836716575f04700c84d95f3e
Instruction Fuzzy Hash: A401717AA40511EFC714DF2CE805A99B7F4FB89314F05876EE846D32A1DB75AD00CB84

Function 00430C73 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00462418,00000001), ref: 00430C9B
InitializeCriticalSection.KERNEL32(00462400,?,00000000,00000000,00404E92,004494FC,?,00000000,?,?,?,00402294,?,?,?,0040208C), ref: 00430CA6
EnterCriticalSection.KERNEL32(00462400,?,00000000,00000000,00404E92,004494FC,?,00000000,?,?,?,00402294,?,?,?,0040208C), ref: 00430CE5

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: 2eb40adc4fe55f906e2e4a1369b14897f3a6c28c2bbbf7121305026049c4cddf
Instruction ID: f402d0fc3c06e3b5abca84d3a031b6abe33eeea7da846c55bf1f676d448e54da
Opcode Fuzzy Hash: 2eb40adc4fe55f906e2e4a1369b14897f3a6c28c2bbbf7121305026049c4cddf
Instruction Fuzzy Hash: E5F02D30344710BFD6144744AE5C6773658F3487A1F203737F501D2251E9E94C8293AF

Function 0042B54C Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042B551
GetLastError.KERNEL32(?,?,?,0042B536,?,?,00000001), ref: 0042B57D
SysAllocStringLen.OLEAUT32(?,?), ref: 0042B58F
SetLastError.KERNEL32(?,?,?,?,0042B536,?,?,00000001), ref: 0042B5BE

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$AllocH_prologString
String ID:
API String ID: 1734030179-0
Opcode ID: dbb3679056bca8075f702676e9e8163c82d9019dfe743fd97d621ea2962691f1
Instruction ID: df5313f4b8793af443774d0401c05b9e15f8f3a787f2e257cf125f911078c433
Opcode Fuzzy Hash: dbb3679056bca8075f702676e9e8163c82d9019dfe743fd97d621ea2962691f1
Instruction Fuzzy Hash: 92113575501600EFD7208F54E808B9ABBF0FF05719F10C96EE8969B6A0C7B9E904DB58

Function 00424195 Relevance: 6.0, APIs: 4, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042419A
GetLastError.KERNEL32(?,00000400,?,00423EB9,?,00000001), ref: 004241C6
SysAllocString.OLEAUT32(?), ref: 004241D5
SetLastError.KERNEL32(?,?,00423EB9,?,00000001,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00424204

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$AllocH_prologString
String ID:
API String ID: 1734030179-0
Opcode ID: 9c2d39cf748fc29e746af73a25139374e5b212e930bc5204fa570075b614b853
Instruction ID: d152c772c1b86b4be5d961751fe7ac2e31ba4591d37eed2befb1dd27bf4b8a8e
Opcode Fuzzy Hash: 9c2d39cf748fc29e746af73a25139374e5b212e930bc5204fa570075b614b853
Instruction Fuzzy Hash: 35113575500600EFD7248F54E408B9AFBF0FB49709F10C96EE89697690C7B9E908DF58

Function 00424357 Relevance: 6.0, APIs: 4, Instructions: 40memorystringCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00424365
lstrlenA.KERNEL32(00000000), ref: 00424378
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 0042439F
SysAllocString.OLEAUT32 ref: 004243A9

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWidelstrlen
String ID:
API String ID: 90228818-0
Opcode ID: b00738897b41f249a5adce302bba2a02bc727ece31a8ed211caa6bf567292ccd
Instruction ID: 1acc507f3a0a2bad7dc53c4cd9f95d14c29ed5d5cc434146880bb6d428c952d7
Opcode Fuzzy Hash: b00738897b41f249a5adce302bba2a02bc727ece31a8ed211caa6bf567292ccd
Instruction Fuzzy Hash: C6F08136500214BBDB209F55DC09B4BBB78FF86761F100126FC1192290D7B05E15DBD4

Function 00409AA7 Relevance: 6.0, APIs: 4, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409AAC
GetLastError.KERNEL32(00000000,?,?,00409F6F,?), ref: 00409AD8
SysAllocString.OLEAUT32(?), ref: 00409AE7
SetLastError.KERNEL32(?,?,?,00409F6F,?), ref: 00409B16

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$AllocH_prologString
String ID:
API String ID: 1734030179-0
Opcode ID: 8301c869e3cd3047c08f94d1e1d07494eb2920fc073021a1d57937659e531782
Instruction ID: 51e493e158269d92d0c1aba03561ce868bf17f172a1be3271e563f882a18aa55
Opcode Fuzzy Hash: 8301c869e3cd3047c08f94d1e1d07494eb2920fc073021a1d57937659e531782
Instruction Fuzzy Hash: 52113575500600EFE7218F54D404B8ABBF0FB09709F10C96EE8969B691D7B8E908DF58

Function 0042D38A Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000104,00000000,75BFA7D0,0042D382,0042A071,0042D1E5,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104), ref: 0042D39D
CharNextW.USER32(00000104,00000000,75BFA7D0,0042D382,0042A071,0042D1E5,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104), ref: 0042D3C1
CharNextW.USER32(00000000,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D3CA
CharNextW.USER32(00000000,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D3CF

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 907e43d0b06bc2d99950d2d477a9cea51e4b8fe74e3b4e38e3a7928e7e6ff4b8
Instruction ID: a3648007171a9e072c66f3a541c79bd2ae724fcaea76fb16722dc7fb875e871e
Opcode Fuzzy Hash: 907e43d0b06bc2d99950d2d477a9cea51e4b8fe74e3b4e38e3a7928e7e6ff4b8
Instruction Fuzzy Hash: 28F01239F0012599E711A724E88066AA7A5EF96720FE5C027D940572D0D3BC4CC3C6AF

Function 00411A04 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00411A0D

Part of subcall function 00411A5D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411A87
Part of subcall function 00411A5D: IsDialogMessageW.USER32(?), ref: 00411A9B
Part of subcall function 00411A5D: TranslateMessage.USER32(?), ref: 00411AA9
Part of subcall function 00411A5D: DispatchMessageW.USER32(?), ref: 00411AB3

GetDlgItem.USER32(000003EA), ref: 00411A27
SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00411A3F
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00411A57

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekTranslateWindow
String ID:
API String ID: 4202329498-0
Opcode ID: fe062330a27eb7056403fc87d02ffe22d5b3b42af75fd27e0ed581d487156e27
Instruction ID: cb5ded486839cc309425ac1f28f1da8bbb1d545898c11f95afed0a061368e1d8
Opcode Fuzzy Hash: fe062330a27eb7056403fc87d02ffe22d5b3b42af75fd27e0ed581d487156e27
Instruction Fuzzy Hash: 12E0E5712042047FE6015B51EC89D7B2E9CEF8678A7040039FB02E51A1C6649C02E639

Function 00427C7C Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 34stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

lstrlenW.KERNEL32(00000000,Startup,ClickOncePackage,0045D464,00000000,00000400,00000000), ref: 00427CCB

Strings

ClickOncePackage, xrefs: 00427CB2
Startup, xrefs: 00427CB7
, xrefs: 00427CD6

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologlstrlen
String ID: $ClickOncePackage$Startup
API String ID: 2133942097-1644928050
Opcode ID: 91a6f78483e37f41e3b248ff04b7c2e49cdca0502ca29d4de74a72fbc7ae6fde
Instruction ID: 729c9695c41d0f0b22a86469c3f2d338ddcd4ab0cf726eaa6a4bc3d4def65d1f
Opcode Fuzzy Hash: 91a6f78483e37f41e3b248ff04b7c2e49cdca0502ca29d4de74a72fbc7ae6fde
Instruction Fuzzy Hash: BCF08032B4021466DB519B74DC05756B2F87740708F5045B65545E50D1EBF8DD8DCEC4

Function 0042D1B1 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,004494FC,00000104,00000000,0042D365,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104), ref: 0042D1C7
CharPrevW.USER32(?,?,004494FC,00000104,00000000,0042D365,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104), ref: 0042D1D1
CharNextW.USER32(00000000,?,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D1EA
CharNextW.USER32(00000000,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D1F2

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Char$Next$Prev
String ID:
API String ID: 589700163-0
Opcode ID: 35452883e55f2787896e469d68d2baf2726d75ba1d44c662a72d0be8f493dec9
Instruction ID: 61fc3842252c0cd92951cba80fe40d4a35cb58aa9200eb11abafddaa373d3659
Opcode Fuzzy Hash: 35452883e55f2787896e469d68d2baf2726d75ba1d44c662a72d0be8f493dec9
Instruction Fuzzy Hash: F0E065A2E003259ED7116B65EC84A7777FCAF5A361B504067E500D3261D7B84C9186B9

Function 0042D321 Relevance: 6.0, APIs: 4, Instructions: 32stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000104,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?,00000104), ref: 0042D329
lstrcpynW.KERNEL32(?,00000102,-00000001,?,?,00401E06,?,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0},?,?,?,00000104,?,0042A071,00000000,?), ref: 0042D34B
lstrcpyW.KERNEL32(?,00000104), ref: 0042D357
lstrcatW.KERNEL32(?,?), ref: 0042D36B

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcatlstrcpylstrcpynlstrlen
String ID:
API String ID: 3428934214-0
Opcode ID: 569df9f39aa9da0bcc28a07410f3d8f449f722183d4aa0bec55d5d12c967baf2
Instruction ID: d5c9b4d416f8cea1ea5b9b34f2993a0ebd6f48e174036ad46b59adf0c1f56292
Opcode Fuzzy Hash: 569df9f39aa9da0bcc28a07410f3d8f449f722183d4aa0bec55d5d12c967baf2
Instruction Fuzzy Hash: ABF03036900124FBCF215F80EC0989B3F69EF05390F44C016FD4585020C3754DA1D795

Function 0042DD3D Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0042DD53
GetObjectW.GDI32(00000000,0000005C,?), ref: 0042DD5C

Part of subcall function 0042DC93: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 0042DCBA
Part of subcall function 0042DC93: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 0042DCD5

CreateFontIndirectW.GDI32(?), ref: 0042DD72
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 0042DD85

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
String ID:
API String ID: 2681337867-0
Opcode ID: a6e2d94a21ed78e350374dd6ca827acca64c764f8dc0ac1aa7e4575f2431fae5
Instruction ID: c4b15a1d7a1b2178a7355f099883353d72ab9a876f5a44a22a1ae4d1049fe280
Opcode Fuzzy Hash: a6e2d94a21ed78e350374dd6ca827acca64c764f8dc0ac1aa7e4575f2431fae5
Instruction Fuzzy Hash: FDF08272940318BBDF116FE0EC06FDE3B6DAB05750F000015BB01AA1D5D6B0A900DB94

Function 0041087E Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,hide_progress), ref: 0041088C
lstrcmpiW.KERNEL32(?,hide_splash), ref: 004108A4

Strings

hide_progress, xrefs: 00410884
hide_splash, xrefs: 0041089C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcmpi
String ID: hide_progress$hide_splash
API String ID: 1586166983-450596345
Opcode ID: 97b0d03bca1432a849f6124ff64bfceeb8273d4b55fc8efa887a9698afa80d5e
Instruction ID: 5aa8a7068c8f9f3af64f2552f2644bc444a09a8805ea8e822076fe6ad5184bd2
Opcode Fuzzy Hash: 97b0d03bca1432a849f6124ff64bfceeb8273d4b55fc8efa887a9698afa80d5e
Instruction Fuzzy Hash: CCF02731B44145FACF05DB20DC40BC8FF60EB08361F204227EA11B71E0C3B99985CB48

Function 00424A20 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,00406A2D,00000000,00000001,0000044F,00000000,?,?,00000000), ref: 00424A2A
lstrcpyW.KERNEL32(00000000,?), ref: 00424A49
lstrcpyW.KERNEL32(C:\Users\user\Desktop,?), ref: 00424A51

Part of subcall function 00424A6E: lstrcpyW.KERNEL32(00000062,?), ref: 00424A96

Strings

C:\Users\user\Desktop, xrefs: 00424A4C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: lstrcpy$lstrlen
String ID: C:\Users\user\Desktop
API String ID: 367037083-224404859
Opcode ID: c25c4d6032001758414d9fb1f7b5498009d74830bfe3356b37a3f137532ea8fd
Instruction ID: 181fc552d945491bd718ea45a5a05d772add5f0983d6ed36bfddcf976b2e8613
Opcode Fuzzy Hash: c25c4d6032001758414d9fb1f7b5498009d74830bfe3356b37a3f137532ea8fd
Instruction Fuzzy Hash: 34E092B66002196ED610A7B6DC8CDABBB9CEBC5268F04442BF109C3151CB789C408779

Function 0041245A Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32(00000000), ref: 0041246B
GlobalUnlock.KERNEL32(00000000), ref: 0041246E
GlobalHandle.KERNEL32(00000000), ref: 00412476
GlobalFree.KERNEL32(00000000), ref: 00412479

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Global$Handle$FreeUnlock
String ID:
API String ID: 3923883194-0
Opcode ID: 3cc088d81bb945ae5f691148ac4a2c636f8fb41425e9c8c2c58f57341484bf02
Instruction ID: 996e92d45695002baaaf29538ab041af799c91e1aa20992ab596096169312e41
Opcode Fuzzy Hash: 3cc088d81bb945ae5f691148ac4a2c636f8fb41425e9c8c2c58f57341484bf02
Instruction Fuzzy Hash: D0D06276510111A7DB206F69EC0CA8777ACAF893217150869F480D3154C6749C41DA58

Function 00421A41 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421A46
ctype.LIBCPMT ref: 00421CB9

Strings

4HB, xrefs: 00421A4E

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prologctype
String ID: 4HB
API String ID: 3037903784-2085712367
Opcode ID: 89d2b99c836a57dc511c5c5cebf684f24247289226b59ef3bec145bd25a99424
Instruction ID: c407f9698f79c51f268ae648b2f0124bbbc69aa719e9aefc963d32c56f7472d6
Opcode Fuzzy Hash: 89d2b99c836a57dc511c5c5cebf684f24247289226b59ef3bec145bd25a99424
Instruction Fuzzy Hash: 92B1F674B00611CFCB19CF05D19096ABBB2FF98314B65C4AED45A9B762D739AC42CF44

Function 00421EE6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421EEB

Strings

4HB, xrefs: 00421EF8
4HB, xrefs: 00421FB1, 00422000, 00422030, 00421F74

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: 4HB$4HB
API String ID: 3519838083-2889371011
Opcode ID: bb178d1f5cce510bd3b79cf5eb1dd6b6d87d6dd31ca899570978c1fbf3dfda3c
Instruction ID: 96913f0be5ddea3c33da6989d1dc03e27785e0ff6132fdb9809df742986600b6
Opcode Fuzzy Hash: bb178d1f5cce510bd3b79cf5eb1dd6b6d87d6dd31ca899570978c1fbf3dfda3c
Instruction Fuzzy Hash: F0B12670B01611DFCB19CF04E290966BBF2FF98304BA581AEE45A4B362C775ED42CB95

Function 00414104 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414109

Part of subcall function 00408512: __EH_prolog.LIBCMT ref: 00408517
Part of subcall function 00408512: GetLastError.KERNEL32(004494C4,004494BC,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000,?), ref: 00408540
Part of subcall function 00408512: SetLastError.KERNEL32(?,?,00000000,00000000,?,00429759,?,?,00000000,debuglog,00000000,00000000,00000000,?,?,00000000), ref: 00408595

Part of subcall function 00401929: GetLastError.KERNEL32(00000000,?,00408695,?,00000000,?,00000001), ref: 0040193F
Part of subcall function 00401929: SysFreeString.OLEAUT32(?), ref: 0040195D
Part of subcall function 00401929: SetLastError.KERNEL32(?,00000001,?,00408695,?,00000000,?,00000001), ref: 0040197D

Part of subcall function 0041F414: __EH_prolog.LIBCMT ref: 0041F419

Strings

<cE, xrefs: 00414147
Startup, xrefs: 00414165

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: <cE$Startup
API String ID: 3800368667-742476724
Opcode ID: 559cfc09513638cb619e3f8dc1156994f3f52fe46dcfa271b6a53265211c121e
Instruction ID: bc0e9a37f353877c829217346b865f48f292f93b93441366a23e6e4a0fb973f8
Opcode Fuzzy Hash: 559cfc09513638cb619e3f8dc1156994f3f52fe46dcfa271b6a53265211c121e
Instruction Fuzzy Hash: D9718271D00218EEDF15DB95CD51BEEB7B8AF15304F1080AEB50AA7292DB385F48CB69

Function 0043BAFF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?), ref: 0043BB13

Strings

, xrefs: 0043BB5C
, xrefs: 0043BB38

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 2558707b08f2de602737c402ff702f290a00d0b3dfb97d992f9cfa14bc633482
Instruction ID: cf8813865fa6b3e99f35d9588c81a81ad3882e937c0f8b3bbd88c3539afc1098
Opcode Fuzzy Hash: 2558707b08f2de602737c402ff702f290a00d0b3dfb97d992f9cfa14bc633482
Instruction Fuzzy Hash: 1A415B310006587EFB358B54CE49BFB7F99DB0A700F1420EAD645C7152DBE94944CBAB

Function 004144B2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004144B7

Strings

<cE, xrefs: 004144FC, 0041459C
Startup, xrefs: 0041451B, 004145BC

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: <cE$Startup
API String ID: 3519838083-742476724
Opcode ID: 73253cb1f05844599ebc07cddd09ea16981f0d5ee771ecac0868a5011dfa34de
Instruction ID: c7746c384de65a7716cf6908daf52458ebbc48968103ad4a53f6718d35432123
Opcode Fuzzy Hash: 73253cb1f05844599ebc07cddd09ea16981f0d5ee771ecac0868a5011dfa34de
Instruction Fuzzy Hash: 66418270D00218ABCF21DF95C895AEEBB78FF51308F10416FE049A7292DB385B89CB14

Function 0040B82B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B830

Part of subcall function 004026FA: __EH_prolog.LIBCMT ref: 004026FF
Part of subcall function 004026FA: GetLastError.KERNEL32(004494FC,0000002D,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000), ref: 00402728
Part of subcall function 004026FA: SetLastError.KERNEL32(?,00000000,?,00429CCE,?,00000000,removeasmajorupgrade,00000000,00000000,00000001,?,?,00000000,reboot,00000000,00000000), ref: 00402756

Part of subcall function 0040276F: SysStringLen.OLEAUT32(?), ref: 0040277D
Part of subcall function 0040276F: SysReAllocStringLen.OLEAUT32(0000001C,?,?), ref: 00402799

GetModuleFileNameW.KERNEL32(?,00000400,?,00000400,?,00000000), ref: 0040B892

Part of subcall function 004021F4: __EH_prolog.LIBCMT ref: 004021F9
Part of subcall function 004021F4: GetLastError.KERNEL32(004494FC,00000104), ref: 00402225
Part of subcall function 004021F4: SetLastError.KERNEL32(00000000,?,00000000,?,00000001), ref: 0040225A

Strings

ISSetup.dll, xrefs: 0040B8A4, 0040B8C1

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast$H_prolog$String$AllocFileModuleName
String ID: ISSetup.dll
API String ID: 4293980023-2131771917
Opcode ID: f3c99f17f0ebc98b79c89df204fcda6aec6fd67ab216643946913dc600b9b7fd
Instruction ID: 8b87258a79037f889f281b0f02bfa8247e75ec9dfffdba9111bc32b6681c2544
Opcode Fuzzy Hash: f3c99f17f0ebc98b79c89df204fcda6aec6fd67ab216643946913dc600b9b7fd
Instruction Fuzzy Hash: 90417371D01148EEEB05EBA5C994BDDBBB8AF15308F1081AEF505732D2DBB85B08CB65

Function 0040A48D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A492

Part of subcall function 0040A5D2: __EH_prolog.LIBCMT ref: 0040A5D7
Part of subcall function 0040A5D2: GetDesktopWindow.USER32 ref: 0040A631
Part of subcall function 0040A5D2: QueryPerformanceFrequency.KERNEL32(00000000), ref: 0040A689

InterlockedIncrement.KERNEL32(004629C0), ref: 0040A53C

Strings

ftp://, xrefs: 0040A49D

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$DesktopFrequencyIncrementInterlockedPerformanceQueryWindow
String ID: ftp://
API String ID: 1275127157-2553531909
Opcode ID: 22fa3604ca9e11ca64fe903c17e9112b1dfb656c5fabc238b8d789b9bd844076
Instruction ID: 42cfdba64d27135c467e211e55d551f9124d342a238c11b457a1a29b787d24dd
Opcode Fuzzy Hash: 22fa3604ca9e11ca64fe903c17e9112b1dfb656c5fabc238b8d789b9bd844076
Instruction Fuzzy Hash: 0821B471700205AFCF15DF65C880AAEBBA1FB48304F10803FF806A3391D7B89C659B1A

Function 0041D80C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D811

Strings

C:\Users\user\Desktop, xrefs: 0041D8C7
dotnetredist.exe, xrefs: 0041D82E, 0041D853

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: C:\Users\user\Desktop$dotnetredist.exe
API String ID: 3519838083-607027747
Opcode ID: 27034c2c4c03e33df25def19bd3a97d31fe675bb8c5ec58ed64cfa7b976bee16
Instruction ID: d6542f07632a72486e2da3f93af046eaf2be9e2bed3ca9344c5d280b6ff9a66c
Opcode Fuzzy Hash: 27034c2c4c03e33df25def19bd3a97d31fe675bb8c5ec58ed64cfa7b976bee16
Instruction Fuzzy Hash: 3B21B271E00218ABCF24EBA5D849ADEBB79EF44314F00416BF406E7291DB389E85CB48

Function 0041D73C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D741

Strings

HoE, xrefs: 0041D757
dotnetfx.exe, xrefs: 0041D785, 0041D7A3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog
String ID: HoE$dotnetfx.exe
API String ID: 3519838083-3509255293
Opcode ID: 17a2828d4f495b75567f4d2fdefeec001288a498c5faebf93f9054060cfec392
Instruction ID: 762d70debe6552e8c008943052c19497ff69f4a92184047ac4c9583e91176ff2
Opcode Fuzzy Hash: 17a2828d4f495b75567f4d2fdefeec001288a498c5faebf93f9054060cfec392
Instruction Fuzzy Hash: FF2160B1E00218ABDB14DB99C8919EEBB78EF44354F00413FE519A7291DB389E45CB68

Function 0040ADDA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040ADDF
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 0040ADFE

Strings

WinVerifyTrust, xrefs: 0040ADF8

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressH_prologProc
String ID: WinVerifyTrust
API String ID: 3705524523-2766335691
Opcode ID: 920ac44dc843d6efde13f27e303b0b80e84f384931bdbb74543c63941cba3e83
Instruction ID: 2729e064e76c161543cb4d1c8f0fd6ef0896cb3eb9eb115f1859b493da65706b
Opcode Fuzzy Hash: 920ac44dc843d6efde13f27e303b0b80e84f384931bdbb74543c63941cba3e83
Instruction Fuzzy Hash: 7D1190B1D00218ABCB10EBA5C846DEF7BB8EB48755F10442BF805F3241D7398A14CBEA

Function 004381FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00437F1A: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00437F87

LCMapStringW.KERNEL32(00000000,00000100,0044A210,00000001,00000000,00000000,74DEE860,00463E0C,?,?,?,00434147,?,?,?,00000000), ref: 00438253
LCMapStringA.KERNEL32(00000000,00000100,0044A20C,00000001,00000000,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 0043826F
LCMapStringA.KERNEL32(?,?,?,GAC,?,?,74DEE860,00463E0C,?,?,?,00434147,?,?,?,00000000), ref: 004382B8
MultiByteToWideChar.KERNEL32(?,?,?,GAC,00000000,00000000,74DEE860,00463E0C,?,?,?,00434147,?,?,?,00000000), ref: 004382F0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 00438348
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 0043835E
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00434147,?,?,?,00000000,00000001), ref: 00438391
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00434147,?,?,?,00000000,00000001), ref: 004383F9

Strings

GAC, xrefs: 004382AC, 0043828C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: String$ByteCharMultiWide$FileModuleName
String ID: GAC
API String ID: 3945848186-2351115321
Opcode ID: 85b70ad13829349a4e9f99a9d590fab2c29404169e8b1481cec8b98e6b242bdc
Instruction ID: 6ca90caa03de938f909af5067d84b205073af518547920d61e45829f8f57f786
Opcode Fuzzy Hash: 85b70ad13829349a4e9f99a9d590fab2c29404169e8b1481cec8b98e6b242bdc
Instruction Fuzzy Hash: 02110032544B09BFDF129F41ED02FAB7B78FB48BA0F20002EF50051190DBB98821DB6A

Function 0043D216 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 0043D297
SetEvent.KERNEL32(00000046), ref: 0043D2A6

Strings

d, xrefs: 0043D229

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: Event
String ID: d
API String ID: 4201588131-2564639436
Opcode ID: 9035bb52f4a12d7a85a817d0d67eacfd3614a94a0278ce403264393dd9a2866a
Instruction ID: 063777a1669678755ca2f6baca336c3953a5387930eaa29a6a031ba9985b855c
Opcode Fuzzy Hash: 9035bb52f4a12d7a85a817d0d67eacfd3614a94a0278ce403264393dd9a2866a
Instruction Fuzzy Hash: 6A218631800604CFCB20CF50E848AA7B7F0FF0A311F0085AAE8164B660C778EC65CB89

Function 00410A77 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 00410A99

Part of subcall function 00427168: __EH_prolog.LIBCMT ref: 0042716D

Strings

noscript_uninst, xrefs: 00410A77
/noscript_uninst, xrefs: 00410A8C

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CharH_prologNext
String ID: /noscript_uninst$noscript_uninst
API String ID: 1254179780-1242889402
Opcode ID: 09cf658ab47d38e8c1af83b8aeb448808181358c17d2ac88e94d571acdc49c92
Instruction ID: ec9330f9ada16af816ab15e1bc24ed66075be6920441b818e8c04795ce6828d4
Opcode Fuzzy Hash: 09cf658ab47d38e8c1af83b8aeb448808181358c17d2ac88e94d571acdc49c92
Instruction Fuzzy Hash: 4311BF31A04258EACB21DB51DC41BEEBB75AF45714F5041AFF106A72D1CBB85E85CB08

Function 0042D050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,00000000,00000000,?,?,?,00406BBB,00000003,00000000,00000000,?,00406A4F,?,00000400,00000000,00000000), ref: 0042D08C

Part of subcall function 0042CFF2: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?), ref: 0042D028

Strings

:, xrefs: 0042D06F
\, xrefs: 0042D075

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CreateDriveFileType
String ID: :$\
API String ID: 3443067566-1166558509
Opcode ID: 3580d22fd96494b367b7c6f0e2a81c015892bf950e8c493ac3a7786662ab168a
Instruction ID: 3a98633dd523aa603d72364c6f1129776a23f935af0199a185af83bfda4d0273
Opcode Fuzzy Hash: 3580d22fd96494b367b7c6f0e2a81c015892bf950e8c493ac3a7786662ab168a
Instruction Fuzzy Hash: 7E01F729620615A9DB119FA4E8048DFB3F8FF45318B50951FE815D3270F3749946C35E

Function 00401FBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401FC2

Part of subcall function 0040226E: __EH_prolog.LIBCMT ref: 00402273

Part of subcall function 004024B5: __EH_prolog.LIBCMT ref: 004024BA

lstrlenW.KERNEL32(?,?,00000000,0045D464,?,00000400,0000000A,C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}), ref: 00401FFF

Strings

C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}, xrefs: 00401FCA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: H_prolog$lstrlen
String ID: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}
API String ID: 3243491680-3076254100
Opcode ID: 8f23e31a9d9466310422a9823bb1bf25b16ad22ac6c481f81280b7f07d670542
Instruction ID: 119cdf0ac74b8c1272ca80f91a0dd00f52e3ad48ceee422658770ec70fe96cd3
Opcode Fuzzy Hash: 8f23e31a9d9466310422a9823bb1bf25b16ad22ac6c481f81280b7f07d670542
Instruction Fuzzy Hash: 6B015E71900208AADB20EFA5DD09BDDBB34EF18714F10C12AE912761D1D7B95604DA48

Function 0042C9AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0042CA25: wsprintfW.USER32 ref: 0042CA37
Part of subcall function 0042CA25: LoadStringW.USER32(?,0044952C,00426FD4), ref: 0042CA62

wsprintfW.USER32 ref: 0042C9E4
wvsprintfW.USER32(?,?,?), ref: 0042C9FF

Part of subcall function 0042C63D: __EH_prolog.LIBCMT ref: 0042C642

Strings

%d: %s, xrefs: 0042C9DE

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: wsprintf$H_prologLoadStringwvsprintf
String ID: %d: %s
API String ID: 2226253583-204819183
Opcode ID: 164f802ab09b2c6b33bdc4867b130a5473ae095d3d33c3968fa592d511333404
Instruction ID: 6f88192193c19b69cfa157e2c12d593f65ef33686e23a41a4b1cbc54d7f4dea4
Opcode Fuzzy Hash: 164f802ab09b2c6b33bdc4867b130a5473ae095d3d33c3968fa592d511333404
Instruction Fuzzy Hash: B1F030B690411CBACF51DB90DC45FCA77BCAB04305F4001A6F609E2091EB78EB998F99

Function 0043855D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00434147,?), ref: 0043857B
GetStringTypeW.KERNEL32(?,?,00000000,GAC,?,?,?,?,?,?,00434147,?), ref: 0043858D

Strings

GAC, xrefs: 00438585

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: GAC
API String ID: 3139900361-2351115321
Opcode ID: 55615d726b89df0946f00b299a7561ada52d61bf54cb8e411c6970bb980ea2a8
Instruction ID: 9bf79c58500b9983656ce27b8b934c5a81682b8ba8730106330b55372c3d22d2
Opcode Fuzzy Hash: 55615d726b89df0946f00b299a7561ada52d61bf54cb8e411c6970bb980ea2a8
Instruction Fuzzy Hash: 42F0583690025ABFCF218F80DC499EEBF32FB08320F044129FA25621A0C7329D20EB94

Function 0040B965 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 0040B975
GetLastError.KERNEL32 ref: 0040B97F

Strings

RunISMSISetup, xrefs: 0040B96F

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: RunISMSISetup
API String ID: 199729137-1536503584
Opcode ID: 2239238a23bbfd727c09a9469a6b896c5994ede726e871a5810b4cac416575c7
Instruction ID: de55dc795010976e361e16307d545827c30a4c65c9e08454a376d61202356830
Opcode Fuzzy Hash: 2239238a23bbfd727c09a9469a6b896c5994ede726e871a5810b4cac416575c7
Instruction Fuzzy Hash: 7AE092B2A052202BEB206B39BC45A9737A8DB04760706497BBC45E3381D7BCDC8056DD

Function 00434CD4 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,00434A9C,00000000,00000000,00000000,004318C3,00000000,00000000,?,00000000,00000000,00000000), ref: 00434CFC
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00434A9C,00000000,00000000,00000000,004318C3,00000000,00000000,?,00000000,00000000,00000000), ref: 00434D30
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00434D4A
HeapFree.KERNEL32(00000000,?), ref: 00434D61

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 139a48d4c15666ca8765bee0271de1afd8a4359dbc78b1fbe2e982cdb34879f9
Instruction ID: e4665a20b4371ccd648316a611e14842113258339382828c87b45ac91448d5eb
Opcode Fuzzy Hash: 139a48d4c15666ca8765bee0271de1afd8a4359dbc78b1fbe2e982cdb34879f9
Instruction Fuzzy Hash: F6114F30200241AFD7318F19EC869A2BBB6FB85712B50092EF162C65B0E3F2A951DB59

Function 0043D160 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0043D16A
GetLastError.KERNEL32 ref: 0043D170
SetLastError.KERNEL32(?), ref: 0043D1B0
SetLastError.KERNEL32(00000000), ref: 0043D1BA

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d432f58723582a0f53afbba318012e8453b0c07ac9744ee7f9480839a78946f9
Instruction ID: 97c1604598e71ddc9490692362fa263be91f55d809425d063e844ec8c3d76a88
Opcode Fuzzy Hash: d432f58723582a0f53afbba318012e8453b0c07ac9744ee7f9480839a78946f9
Instruction Fuzzy Hash: 2CF02435E00311A7DF216B21FC04B1F7B65BF99720F142D1BE800532A0C7AC8C46D6AA

Function 004343BE Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00433EF2,?,00432E4E), ref: 004343CB
InitializeCriticalSection.KERNEL32(?,00433EF2,?,00432E4E), ref: 004343D3
InitializeCriticalSection.KERNEL32(?,00433EF2,?,00432E4E), ref: 004343DB
InitializeCriticalSection.KERNEL32(?,00433EF2,?,00432E4E), ref: 004343E3

Memory Dump Source

Source File: 00000000.00000002.2010477884.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2010463198.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010520321.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010539253.0000000000456000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010558002.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010578479.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ALC700V1.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: c5a0521a328f347c5e258cbe90e6ab31bc4659790b9003b46ec6464be03d744c
Instruction ID: 696987ac30275fc8ce83343c77feacee49d28958e5e9bc4d57fa23c1bcbe5ada
Opcode Fuzzy Hash: c5a0521a328f347c5e258cbe90e6ab31bc4659790b9003b46ec6464be03d744c
Instruction Fuzzy Hash: C1C00231824134ABCE926F65FD058863F26EB056623010273A30452471866B5C70EFCA

Analysis Process: ISBEW64.exePID: 7204, Parent PID: 6676COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	1428
Total number of Limit Nodes:	71

Executed Functions

Function 0000000140001C90 Relevance: 72.2, APIs: 39, Strings: 2, Instructions: 444
sleepmemorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 0000000140001CBC
CoInitialize.OLE32 ref: 0000000140001CC7
GetCurrentThreadId.KERNEL32 ref: 0000000140001D4F
StringFromGUID2.OLE32 ref: 0000000140001E4D
SysAllocString.OLEAUT32 ref: 0000000140001E5B
SysStringLen.OLEAUT32 ref: 0000000140001EAA
SysStringLen.OLEAUT32 ref: 0000000140001EB7
CharUpperBuffW.USER32 ref: 0000000140001EC2
CharNextW.USER32 ref: 0000000140002012
CharNextW.USER32 ref: 0000000140002020
CharNextW.USER32 ref: 0000000140002036
lstrcmpiW.KERNELBASE ref: 000000014000205A
lstrcmpiW.KERNEL32 ref: 0000000140002072
CharNextW.USER32 ref: 00000001400020A0
CharNextW.USER32 ref: 00000001400020AE
CharNextW.USER32 ref: 00000001400020C1
CreateEventW.KERNEL32 ref: 00000001400020E2
CreateThread.KERNELBASE ref: 0000000140002115
StringFromGUID2.OLE32 ref: 0000000140002139
SysAllocString.OLEAUT32 ref: 0000000140002147
SysFreeString.OLEAUT32 ref: 0000000140002162
SysStringByteLen.OLEAUT32 ref: 000000014000216B
SysAllocStringByteLen.OLEAUT32 ref: 0000000140002176
SysFreeString.OLEAUT32 ref: 0000000140002192
SysStringLen.OLEAUT32 ref: 000000014000219B
SysStringLen.OLEAUT32 ref: 00000001400021A8
CharUpperBuffW.USER32 ref: 00000001400021B3
CreateItemMoniker.OLE32 ref: 0000000140002211
Sleep.KERNEL32 ref: 0000000140002222
GetRunningObjectTable.OLE32 ref: 000000014000225D
Sleep.KERNEL32 ref: 000000014000226E
Sleep.KERNEL32 ref: 00000001400022B5
GetMessageW.USER32 ref: 00000001400022F8
DispatchMessageW.USER32 ref: 0000000140002307
GetMessageW.USER32 ref: 000000014000231A
SleepEx.KERNEL32 ref: 0000000140002335
SysFreeString.OLEAUT32 ref: 000000014000234E
CoUninitialize.OLE32 ref: 0000000140002360
SysFreeString.OLEAUT32 ref: 0000000140002369

Strings

RegServer, xrefs: 0000000140002068
UnregServer, xrefs: 0000000140002050

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: String$Char$Next$FreeSleep$AllocCreateMessage$BuffByteFromThreadUpperlstrcmpi$CommandCurrentDispatchEventInitializeItemLineMonikerObjectRunningTableUninitialize
String ID: RegServer$UnregServer
API String ID: 1923984469-1360048911
Opcode ID: 85a4813ab7022dc429ac67cfffd61dbc087bf55bc9bad0c65078a72f5fcb438c
Instruction ID: 23b3ca9be56ede5f5ecf0718474bfe79bbac55c1f5bfd82a828c511eefa516fd
Opcode Fuzzy Hash: 85a4813ab7022dc429ac67cfffd61dbc087bf55bc9bad0c65078a72f5fcb438c
Instruction Fuzzy Hash: ED1257B2204B8082EA66DF22F8543EA63A1FB8CBD4F544126FB5A47AB5DF3DC555C700

Function 000000014000BA40 Relevance: 16.6, APIs: 11, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BA62
GetLastError.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BA7C
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BAA1
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BAE4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BB02
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BB19
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BB47
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BB83
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,00000001400088C7), ref: 000000014000BC29

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID:
API String ID: 1232609184-0
Opcode ID: 1eb60f839094b087be596a8ddeca814d50f08c27a7b644fd562ed98df25c15b1
Instruction ID: 6fe49219d82bb96009eeaaeac5b90e9b15c770fc4d56b41b746a9b722a1807cb
Opcode Fuzzy Hash: 1eb60f839094b087be596a8ddeca814d50f08c27a7b644fd562ed98df25c15b1
Instruction Fuzzy Hash: 83519EB130564486FA62DB27B8143AE6691BB4EBE4F484624FF2A877F5EB78C4548301

Function 0000000140008630 Relevance: 12.2, APIs: 8, Instructions: 201
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140007CB0: RtlAllocateHeap.NTDLL(?,?,00000018,000000014000863E), ref: 0000000140007D11

GetStartupInfoW.KERNEL32 ref: 00000001400086EB
GetProcessHeap.KERNEL32 ref: 00000001400086F2
HeapAlloc.KERNEL32 ref: 0000000140008703
GetVersionExA.KERNEL32 ref: 0000000140008746
GetProcessHeap.KERNEL32 ref: 0000000140008750
HeapFree.KERNEL32 ref: 000000014000875E
GetProcessHeap.KERNEL32 ref: 0000000140008782
HeapFree.KERNEL32 ref: 0000000140008790

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Heap$Process$Free$AllocAllocateInfoStartupVersion
String ID:
API String ID: 1396710402-0
Opcode ID: 9af9052a35e952dcd2f4454c6d131a61de0213ee34b71b09edf2c544aee785e2
Instruction ID: 71efd5c9261c2b8c835efef6c9dc68d633b16a9e0ebc13901e8b34c9ea75420b
Opcode Fuzzy Hash: 9af9052a35e952dcd2f4454c6d131a61de0213ee34b71b09edf2c544aee785e2
Instruction Fuzzy Hash: 1D917AB160464286FB67EB63B8517E922A0BB8D7C4F494029FB894B2F2EF3DC545D701

Function 0000000140001450 Relevance: 9.2, APIs: 6, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400014B5
GetModuleFileNameW.KERNEL32 ref: 0000000140001536
LoadTypeLib.OLEAUT32 ref: 000000014000155F
GetModuleFileNameW.KERNEL32 ref: 000000014000157B
LoadTypeLib.OLEAUT32 ref: 0000000140001591
LeaveCriticalSection.KERNEL32 ref: 000000014000177C

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CriticalFileLoadModuleNameSectionType$EnterLeave
String ID:
API String ID: 2533399358-0
Opcode ID: 4a9a12bb8461dd1735db042b89bf14cdfacdd5ea2b4728f6e3cf28a6e99d2cb5
Instruction ID: cff457db06badd7de2fde77280f7fcd6ff9cf5f5a6f025795aad263f303079d9
Opcode Fuzzy Hash: 4a9a12bb8461dd1735db042b89bf14cdfacdd5ea2b4728f6e3cf28a6e99d2cb5
Instruction Fuzzy Hash: 16A10376209A4182EA22CF16F8943D963B0F788BD4F585216FB4E4B7B4DF3AC945C700

Function 000000014000A040 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,000000014000DEDE,?,?,00000000,000000014000DFD3,?,?,00000000,00000001400099FD,?,?,00000000,0000000140009AC8), ref: 000000014000A04F
GetProcAddress.KERNEL32(?,?,00000000,000000014000DEDE,?,?,00000000,000000014000DFD3,?,?,00000000,00000001400099FD,?,?,00000000,0000000140009AC8), ref: 000000014000A064
ExitProcess.KERNEL32 ref: 000000014000A075

Strings

CorExitProcess, xrefs: 000000014000A05A
mscoree.dll, xrefs: 000000014000A048

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: b2d98241222bea0f29c8078ec183a73ade3ffb4ba9a8f1e4e217df663150a886
Instruction ID: 3d04694f3652c311b7e9a0c2fde3eaeb7be6ec19e595cf9cc0beb6bec0546b45
Opcode Fuzzy Hash: b2d98241222bea0f29c8078ec183a73ade3ffb4ba9a8f1e4e217df663150a886
Instruction Fuzzy Hash: 6FE0EC7071560492FE4B9B62AC983E82391AB4C7C0F085528E60B0B3B1DE7D9568C341

Function 0000000140001840 Relevance: 6.0, APIs: 4, Instructions: 30
synchronizationthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 0000000140001857
WaitForSingleObject.KERNEL32 ref: 000000014000186A
FindCloseChangeNotification.KERNELBASE ref: 0000000140001884
PostThreadMessageW.USER32 ref: 0000000140001897

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ObjectSingleWait$ChangeCloseFindMessageNotificationPostThread
String ID:
API String ID: 2209355829-0
Opcode ID: 092d0f5e671dfd94aa22791170872e80674b7710461a1ce5a7b5f81b8a20f23e
Instruction ID: cc7eaee8dd5e3e0b7932a5b2b8fde830996d15ddbde7091b97eef4bc8965daa8
Opcode Fuzzy Hash: 092d0f5e671dfd94aa22791170872e80674b7710461a1ce5a7b5f81b8a20f23e
Instruction Fuzzy Hash: 7CF0B43260058486FB12DF37D4047A933A3FBDEB99F045100EB194B1A4CF38C888C701

Function 0000000140001160 Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 00000001400012DC
SysStringLen.OLEAUT32 ref: 00000001400012E8
SysFreeString.OLEAUT32 ref: 000000014000131A

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: String$Free
String ID:
API String ID: 1391021980-0
Opcode ID: 19c375e8131658e32f3622a9372f045bb05af634e2098e0606c9bb27c0f2ae26
Instruction ID: 0e504b418af489919c176ec4c38ec097f21c4e85c9c2efefc9852daeae013cb8
Opcode Fuzzy Hash: 19c375e8131658e32f3622a9372f045bb05af634e2098e0606c9bb27c0f2ae26
Instruction Fuzzy Hash: ED512972208B4082EB62CF16F8407AE77A0F789BE4F508215EFAA877A4DF38C555C704

Function 0000000140006080 Relevance: 3.1, APIs: 2, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 0000000140006124
DeleteCriticalSection.KERNEL32 ref: 000000014000617A

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CriticalDeleteExceptionRaiseSection
String ID:
API String ID: 966263044-0
Opcode ID: 366f1d29ae095684c12bd6cc27ff780d26fb3ffe45234e5eb6e2cae3dd8ecee6
Instruction ID: 8964c85fe6c01de7cb8dbebd170f127d24480aab3209c82f06eaac0f13769bac
Opcode Fuzzy Hash: 366f1d29ae095684c12bd6cc27ff780d26fb3ffe45234e5eb6e2cae3dd8ecee6
Instruction Fuzzy Hash: 5A313A72201B4086EB26DF22E45079A73B5FB8CBC8F485526EF4A27B69DF39C461C300

Function 0000000140006590 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00000001400065C2
SysAllocString.OLEAUT32 ref: 00000001400065D8

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AllocFolderPathSpecialString
String ID:
API String ID: 997430384-0
Opcode ID: 685fda2e855656392d972b9c76de4ff3d26149357a6782c230956d72e8478cfa
Instruction ID: 97fbc6fd0a4e70832e4d0fa842c4e441b5d46de6468111c5f19d6f3a4c253774
Opcode Fuzzy Hash: 685fda2e855656392d972b9c76de4ff3d26149357a6782c230956d72e8478cfa
Instruction Fuzzy Hash: 66F0FE72614A4186FB22DB32F89979A23A1B75CB85F810015AB4E4B665DF3DC255CB00

Function 0000000140006600 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 0000000140006632
SysAllocString.OLEAUT32 ref: 0000000140006648

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AllocFolderPathSpecialString
String ID:
API String ID: 997430384-0
Opcode ID: e816d509a95d9f94cb74a296bbf173e5a568208c60c6ba90499ba317352fa9f9
Instruction ID: aefdd67f44afdbc5e43e05d55acf18b7b79e083f59289599e57b291239d4c68a
Opcode Fuzzy Hash: e816d509a95d9f94cb74a296bbf173e5a568208c60c6ba90499ba317352fa9f9
Instruction Fuzzy Hash: F7F01272714A4186FB22DB32F89979A23A1F75CBC4F414015AB4E5B664EF3DC255CB00

Function 000000014000A960 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,000000014000884C), ref: 000000014000A972
HeapSetInformation.KERNEL32 ref: 000000014000A9A1

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: f8dc1f109e156c45f9e88da837f0ffcce63a420f674a362799419e0806160282
Instruction ID: bb2aad87c993d04fb5939d3b1e1c799e542ad11b6b8022a98753b0914633e102
Opcode Fuzzy Hash: f8dc1f109e156c45f9e88da837f0ffcce63a420f674a362799419e0806160282
Instruction Fuzzy Hash: E4E04FB5B2268086EB9AAB22A8457D96390F79C780F945029FB4D43774EE7DC1958B00

Function 000000014000A250 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 000000014000A275

Part of subcall function 0000000140009810: FlsGetValue.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 0000000140009830

Part of subcall function 0000000140009810: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 000000014000984B
Part of subcall function 0000000140009810: GetModuleHandleA.KERNEL32 ref: 0000000140009872
Part of subcall function 0000000140009810: GetProcAddress.KERNEL32 ref: 00000001400098B8

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: HandleModule$AddressProcValue_lock
String ID:
API String ID: 901845335-0
Opcode ID: 9e06f51c64227f3752d58c2ada6d4e75c61838055e64e0f10f14132dfbc73ca2
Instruction ID: c8c267f541bbc997aa68729b700382e7eb43e57c785cd792ed005216b0990b1d
Opcode Fuzzy Hash: 9e06f51c64227f3752d58c2ada6d4e75c61838055e64e0f10f14132dfbc73ca2
Instruction Fuzzy Hash: 8D2186B120568085FA07EB1BF8403E9A2A4BB8E7C8F445421BB4A0B6B6DF7DC482C711

Function 0000000140007CB0 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000018,000000014000863E), ref: 0000000140007D11

Part of subcall function 000000014000A040: GetModuleHandleA.KERNEL32(?,?,00000000,000000014000DEDE,?,?,00000000,000000014000DFD3,?,?,00000000,00000001400099FD,?,?,00000000,0000000140009AC8), ref: 000000014000A04F
Part of subcall function 000000014000A040: GetProcAddress.KERNEL32(?,?,00000000,000000014000DEDE,?,?,00000000,000000014000DFD3,?,?,00000000,00000001400099FD,?,?,00000000,0000000140009AC8), ref: 000000014000A064
Part of subcall function 000000014000A040: ExitProcess.KERNEL32 ref: 000000014000A075

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AddressAllocateExitHandleHeapModuleProcProcess
String ID:
API String ID: 3260311492-0
Opcode ID: 6b19ef9a2f787486886a54c7ca44755c0b554df47a75c7ad6c81b4b9ebafac48
Instruction ID: d08ca600c1fd2fb3ebe7de462c83f1f74fdc2f91004bd5460db2ebc568be8672
Opcode Fuzzy Hash: 6b19ef9a2f787486886a54c7ca44755c0b554df47a75c7ad6c81b4b9ebafac48
Instruction Fuzzy Hash: 071152B1B1164086FA56EB63B941BF923A09B8E7D0F081221FF1A5B7F6DB7CC4818751

Function 0000000140009E30 Relevance: 1.3, APIs: 1, Instructions: 31
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140007CB0: RtlAllocateHeap.NTDLL(?,?,00000018,000000014000863E), ref: 0000000140007D11

Sleep.KERNEL32(?,?,00000000,000000014000DF00,?,?,00000000,000000014000DFD3,?,?,00000000,00000001400099FD,?,?,00000000,0000000140009AC8), ref: 0000000140009E6A

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: 8c30925293c7092ce80871c007c64cd5fe34afe927890f61677a438df6d432b7
Instruction ID: e8b744f55310ca35fdeb1fedd66ed690edc5f3f1de138e07ad7dc42df16d43b2
Opcode Fuzzy Hash: 8c30925293c7092ce80871c007c64cd5fe34afe927890f61677a438df6d432b7
Instruction Fuzzy Hash: 67F06272605A8486EA56DB13F5403AAB2A1E38CBE0F194225FF5D077A5CF39CC928B44

Non-executed Functions

Function 0000000140004210 Relevance: 21.3, APIs: 14, Instructions: 349stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004268
CoTaskMemFree.OLE32 ref: 00000001400042BD

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: FreeTasklstrlen
String ID:
API String ID: 3667574239-0
Opcode ID: 6216f8123fe75a82aec4ed399d19b8c07e403e9fb56a9d977dcc5e23f6f217a1
Instruction ID: 7775c13e2e12ef907fb7750a57fd1f42ac2f652963c6086e763aff4fd72a291e
Opcode Fuzzy Hash: 6216f8123fe75a82aec4ed399d19b8c07e403e9fb56a9d977dcc5e23f6f217a1
Instruction Fuzzy Hash: FCD1E2F1705B0486EB22DF17B8843A92290B74DBD9F110629FB5A477F2FB3AC455870A

Function 0000000140005230 Relevance: 16.8, APIs: 11, Instructions: 299stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004780: CharNextW.USER32 ref: 00000001400047AA

lstrcmpiW.KERNEL32(00000000,00000000,?,?,?,00000000,?,0000000140004DA4), ref: 000000014000532B
CharNextW.USER32 ref: 000000014000537A
lstrlenW.KERNEL32 ref: 00000001400053CE
CharNextW.USER32 ref: 000000014000546A
CharNextW.USER32 ref: 000000014000548B

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CharNext$lstrcmpilstrlen
String ID:
API String ID: 1051761657-0
Opcode ID: 54700471c30fd91a595b469e1642ed4e4071540fd5c063e15e11bc7c9e5d7e3d
Instruction ID: bb426bbcad963dd100959474d1961f746c6a0c8a29b6cae2cc9feebb7f7ef80f
Opcode Fuzzy Hash: 54700471c30fd91a595b469e1642ed4e4071540fd5c063e15e11bc7c9e5d7e3d
Instruction Fuzzy Hash: 96D17BB2214A8086EB62EB12F8543EB62A5F78E7D6F544125FB8D877B4EF39C544C700

Function 000000014000A630 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000000,00000000,00000001,000000014000A94C,?,?,?,?,?,?,000000014000DECC,?,?,00000000), ref: 000000014000A6FF

Strings

..., xrefs: 000000014000A761
Runtime Error!Program: , xrefs: 000000014000A6BD
<program name unknown>, xrefs: 000000014000A709
Microsoft Visual C++ Runtime Library, xrefs: 000000014000A7E4

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 8c23686a07612b056ebb07fc3acfa7510888288470294136635013348d9ff258
Instruction ID: 05d41856df10bdfb7860b030c3b02ef7e5bf80f1c98d98080f650b838289d5bd
Opcode Fuzzy Hash: 8c23686a07612b056ebb07fc3acfa7510888288470294136635013348d9ff258
Instruction Fuzzy Hash: 3251D2B271465046FB26DB67B8117EA2391A78E3E0F488226BF2947AF1DF3DC5568304

Function 0000000140007C20 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000A453
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000A472
RtlVirtualUnwind.KERNEL32 ref: 000000014000A4BE
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001794), ref: 000000014000A530
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001794), ref: 000000014000A548
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001794), ref: 000000014000A555
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001794), ref: 000000014000A56E
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001794), ref: 000000014000A57C

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 23762c50fc6ee50b73ea859665f64a8b770ed5520b84ee25c404c444e05ea32c
Instruction ID: e3021cc7b85dd514baf45d4788736019b7a9cd4c44c2b75eb51b3daec7b20ceb
Opcode Fuzzy Hash: 23762c50fc6ee50b73ea859665f64a8b770ed5520b84ee25c404c444e05ea32c
Instruction Fuzzy Hash: 7B31E075508B8485EA52DB56F8443DA73A0F78E394F804126EB8E4BB75DF7EC198CB00

Function 000000014000AE90 Relevance: 9.1, APIs: 6, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140009810: FlsGetValue.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 0000000140009830

RtlCaptureContext.KERNEL32 ref: 000000014000AEF6
IsDebuggerPresent.KERNEL32 ref: 000000014000AF3A
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000AF44
UnhandledExceptionFilter.KERNEL32 ref: 000000014000AF4F
GetCurrentProcess.KERNEL32 ref: 000000014000AF65
TerminateProcess.KERNEL32 ref: 000000014000AF73

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminateValue
String ID:
API String ID: 2638224479-0
Opcode ID: 4cb66c24fb9ac2740facd943cd8103a501a6971926f0f4a2f539bd80a5e14670
Instruction ID: 05039d9da7cb8ac943853f455cdf1763be597666f9886f50c2f73c98e1a72c45
Opcode Fuzzy Hash: 4cb66c24fb9ac2740facd943cd8103a501a6971926f0f4a2f539bd80a5e14670
Instruction Fuzzy Hash: 94213971208B8192EB21DB52F84439EB3A4F79DBC0F444026EB8A47B69DF3DC545CB00

Function 000000014000ADF0 Relevance: 9.0, APIs: 6, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000AE01
IsDebuggerPresent.KERNEL32 ref: 000000014000AE45
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000AE4F
UnhandledExceptionFilter.KERNEL32 ref: 000000014000AE5A
GetCurrentProcess.KERNEL32 ref: 000000014000AE70
TerminateProcess.KERNEL32 ref: 000000014000AE7E

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: e49b8ad04f778586c9b9074fc63102bc4280611a3cfff1545c945a6f8f8a8821
Instruction ID: 24e0d4224dc2eb2ab88692e91c95f032983fe989f6b14c7991017fcacbbcffc0
Opcode Fuzzy Hash: e49b8ad04f778586c9b9074fc63102bc4280611a3cfff1545c945a6f8f8a8821
Instruction Fuzzy Hash: A5012C72228A8192EB61DB62F84439E73A4FB9D785F400125EB8E47774EF3DC258CB10

Function 000000014000E8A0 Relevance: 3.3, APIs: 2, Instructions: 252COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000E790: GetOEMCP.KERNEL32 ref: 000000014000E830

IsValidCodePage.KERNEL32 ref: 000000014000E9A3
GetCPInfo.KERNEL32 ref: 000000014000E9B8

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: fc0d5a619f28fb694f6f438405628c6de5912a063d0802a02458264ddd9ef517
Instruction ID: f3f69ab1a1a1563fb99604cb88781105bd28ed3bdeb5757443ec0faa88d4ab5c
Opcode Fuzzy Hash: fc0d5a619f28fb694f6f438405628c6de5912a063d0802a02458264ddd9ef517
Instruction Fuzzy Hash: 91A102F2A042C08AE7A6CF36E4543BD7BA0F749B88F48801AEB85572A9DB39D544C751

Function 0000000140008E40 Relevance: 1.6, APIs: 1, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 0000000140008EC1

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: EntryFunctionLookup
String ID:
API String ID: 3852435196-0
Opcode ID: 24a28f2b76a9b07de3b72a733ff975e212ba4b09a3cfbcd24898da0fe7cad329
Instruction ID: 0f346e5d27ae66b539fa53c67beed96acfad918860b28e4355e0df73b2b768fc
Opcode Fuzzy Hash: 24a28f2b76a9b07de3b72a733ff975e212ba4b09a3cfbcd24898da0fe7cad329
Instruction Fuzzy Hash: 5F31AE73700A9482DB21CF1AF484B69B725F789BE8F8A8112EF5D43B59DB74D492C704

Function 0000000140005F00 Relevance: 1.5, APIs: 1, Instructions: 35comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000000140005F47

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: eef077ae63f33c70e37a0020ec9181df9736370b81b1de76193f31fadc54f1c5
Instruction ID: 94f36b7e7753ca297c7a305e3f1884b00e80bbdb3e5668e31b2a0157503626e0
Opcode Fuzzy Hash: eef077ae63f33c70e37a0020ec9181df9736370b81b1de76193f31fadc54f1c5
Instruction Fuzzy Hash: FB01FF76604A5182D712DF2AF440399B3A1F799BC9F598421EB8C47678DF39C5668700

Function 000000014000F420 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140009720: FlsGetValue.KERNEL32(?,?,?,000000014000F43E,?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9), ref: 000000014000973A

LoadLibraryA.KERNEL32(?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9,?,?,00000000,00000000,00000001,000000014000A94C), ref: 000000014000F462
GetProcAddress.KERNEL32(?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9,?,?,00000000,00000000,00000001,000000014000A94C), ref: 000000014000F47E

Part of subcall function 0000000140009650: FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000014000DF36,?,?,00000000,000000014000DFD3), ref: 0000000140009670

GetProcAddress.KERNEL32(?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9,?,?,00000000,00000000,00000001,000000014000A94C), ref: 000000014000F4A6

Part of subcall function 0000000140009650: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000014000DF36,?,?,00000000,000000014000DFD3), ref: 000000014000968B
Part of subcall function 0000000140009650: GetModuleHandleA.KERNEL32 ref: 00000001400096B2
Part of subcall function 0000000140009650: GetProcAddress.KERNEL32 ref: 00000001400096F8

GetProcAddress.KERNEL32(?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9,?,?,00000000,00000000,00000001,000000014000A94C), ref: 000000014000F4C5
GetProcAddress.KERNEL32 ref: 000000014000F513
GetProcAddress.KERNEL32 ref: 000000014000F537

Part of subcall function 000000014000ADF0: RtlCaptureContext.KERNEL32 ref: 000000014000AE01
Part of subcall function 000000014000ADF0: IsDebuggerPresent.KERNEL32 ref: 000000014000AE45
Part of subcall function 000000014000ADF0: SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000AE4F
Part of subcall function 000000014000ADF0: UnhandledExceptionFilter.KERNEL32 ref: 000000014000AE5A
Part of subcall function 000000014000ADF0: GetCurrentProcess.KERNEL32 ref: 000000014000AE70
Part of subcall function 000000014000ADF0: TerminateProcess.KERNEL32 ref: 000000014000AE7E

Part of subcall function 0000000140009810: FlsGetValue.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 0000000140009830

Part of subcall function 0000000140009810: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 000000014000984B
Part of subcall function 0000000140009810: GetModuleHandleA.KERNEL32 ref: 0000000140009872
Part of subcall function 0000000140009810: GetProcAddress.KERNEL32 ref: 00000001400098B8

Strings

GetActiveWindow, xrefs: 000000014000F495
MessageBoxA, xrefs: 000000014000F474
GetLastActivePopup, xrefs: 000000014000F4B4
USER32.DLL, xrefs: 000000014000F45B
GetUserObjectInformationA, xrefs: 000000014000F509
GetProcessWindowStation, xrefs: 000000014000F52D

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AddressProc$HandleModule$Value$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerLibraryLoadPresentTerminate
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3160505718-232180764
Opcode ID: 9a9aa5a7e733730851ea8d634f3569e43bd5d125745588d8b562ebfc13c940ca
Instruction ID: 69d94a3fbc979c330be614c5ba831bc5e5f77180d1699a2b40dbc6daed20fb72
Opcode Fuzzy Hash: 9a9aa5a7e733730851ea8d634f3569e43bd5d125745588d8b562ebfc13c940ca
Instruction Fuzzy Hash: 0F512AB1205B4045FE67DF63B8547E92294AB8DBC0F488025BF4E47BB5EF3AC545E610

Function 00000001400101D0 Relevance: 16.9, APIs: 11, Instructions: 354COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 000000014001023A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 000000014001024A
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 0000000140010304
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 00000001400103B1
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 00000001400103D4
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 000000014001041D
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 00000001400104B4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 00000001400104F5
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 00000001400105A3
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 0000000140010656
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100,00000020,000000014001083A), ref: 00000001400106DC

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: c6e8181840c89b65886977e3d32f134e7221b4ffbf213e53e80a11682acf680c
Instruction ID: 721e04b3dd483e85a3972d774accfea5862b0b72d674b55a682b5dfc806c6db1
Opcode Fuzzy Hash: c6e8181840c89b65886977e3d32f134e7221b4ffbf213e53e80a11682acf680c
Instruction Fuzzy Hash: 4EE1CE723007908AEB26DF26A4407DA77E1F74CBE8F044615FBA94BBE8DBB9C5118700

Function 00000001400098E0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 79libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140009AC8,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009906
GetModuleHandleA.KERNEL32 ref: 0000000140009949
GetProcAddress.KERNEL32 ref: 0000000140009998
GetProcAddress.KERNEL32 ref: 00000001400099B0
_lock.LIBCMT ref: 00000001400099F8

Strings

DecodePointer, xrefs: 00000001400099A6
EncodePointer, xrefs: 000000014000998E
KERNEL32.DLL, xrefs: 00000001400098FF
.mixcrt, xrefs: 0000000140009970

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AddressHandleModuleProc$_lock
String ID: .mixcrt$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 236382262-1161742486
Opcode ID: f3b4d979310f695cfd6654d3998c7aa76878a6e42c6e437c92d00185b2b2a4b8
Instruction ID: 5e107e4c8092d86395ca8a8cc2f9309ac9805c705e9ca9dec8c4b4c35d12eb2f
Opcode Fuzzy Hash: f3b4d979310f695cfd6654d3998c7aa76878a6e42c6e437c92d00185b2b2a4b8
Instruction Fuzzy Hash: FC317672205B9082EB42DF16E888BEA73A8F74D7C4F40422AEB49473B5DF7AC555C344

Function 000000014000D4A0 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 415COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140008E40: RtlLookupFunctionEntry.KERNEL32 ref: 0000000140008EC1

__GetUnwindTryBlock.LIBCMT ref: 000000014000D50D
__SetUnwindTryBlock.LIBCMT ref: 000000014000D535
__GetUnwindTryBlock.LIBCMT ref: 000000014000D545
_SetThrowImageBase.LIBCMT ref: 000000014000D5D6

Strings

csm, xrefs: 000000014000D5F1
bad exception, xrefs: 000000014000D67A
csm, xrefs: 000000014000D6C7
csm, xrefs: 000000014000D55F

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
String ID: bad exception$csm$csm$csm
API String ID: 3766904988-820278400
Opcode ID: 5efb5521bf1f430f8650c652fbf4623fbabd68985521ac6167504c46dbc8b3e8
Instruction ID: a3e5531bba253fe5f4e5402fe7ff910b9a4afe332d9a54d22ff68bf872e27611
Opcode Fuzzy Hash: 5efb5521bf1f430f8650c652fbf4623fbabd68985521ac6167504c46dbc8b3e8
Instruction Fuzzy Hash: 6302A3B2204B8085EA72DB27B4547EA77A5F789BC5F444426FF89477AADF38C440CB10

Function 0000000140003350 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 184stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140003441
GetModuleHandleW.KERNEL32 ref: 00000001400034C4
lstrlenW.KERNEL32 ref: 000000014000355B
lstrlenW.KERNEL32 ref: 0000000140003512

Part of subcall function 00000001400039E0: lstrlenW.KERNEL32 ref: 0000000140003A2B
Part of subcall function 00000001400039E0: lstrlenW.KERNEL32 ref: 0000000140003AA4

Strings

Module, xrefs: 00000001400034DD, 0000000140003585
REGISTRY, xrefs: 000000014000360C
", xrefs: 0000000140003564
Module_Raw, xrefs: 00000001400035B9

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: lstrlen$Module$FileHandleName
String ID: "$Module$Module_Raw$REGISTRY
API String ID: 2709196087-3881418485
Opcode ID: 93f6e47194c5e69bd5d934c5477d31f93955c7092c53ba20f3b800df9e9ec9bf
Instruction ID: cf848d69e506a7b658c244de8351e55af0649f1e64503ba6142144c98d803cba
Opcode Fuzzy Hash: 93f6e47194c5e69bd5d934c5477d31f93955c7092c53ba20f3b800df9e9ec9bf
Instruction Fuzzy Hash: 53816EB2314A8196EA23DF12F8447EA6369FB8CBC4F441025FB4A5B6B9DF3AC545C740

Function 0000000140005BD0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 177stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140005CC1
GetModuleHandleW.KERNEL32 ref: 0000000140005D42
lstrlenW.KERNEL32 ref: 0000000140005DD9
lstrlenW.KERNEL32 ref: 0000000140005D90

Part of subcall function 00000001400039E0: lstrlenW.KERNEL32 ref: 0000000140003A2B
Part of subcall function 00000001400039E0: lstrlenW.KERNEL32 ref: 0000000140003AA4

Strings

", xrefs: 0000000140005DE2
Module, xrefs: 0000000140005D5B, 0000000140005E03
REGISTRY, xrefs: 0000000140005E7C
Module_Raw, xrefs: 0000000140005E33

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: lstrlen$Module$FileHandleName
String ID: "$Module$Module_Raw$REGISTRY
API String ID: 2709196087-3881418485
Opcode ID: a7c919b9679bf315281fe572831604b0e2447fd903a31fcc9999315291edeb19
Instruction ID: c1150d6800cc7ac1451ba7b9d0c3cda2ae3248cb8b5a597917bb514cac707d6f
Opcode Fuzzy Hash: a7c919b9679bf315281fe572831604b0e2447fd903a31fcc9999315291edeb19
Instruction Fuzzy Hash: 9E71B0B2214B8196EB23EF22F4447EA6365FB8DBC5F440012FB8A57AB9DB39C505C740

Function 0000000140009720 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000014000F43E,?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9), ref: 000000014000973A
GetModuleHandleA.KERNEL32(?,?,?,000000014000F43E,?,?,?,?,00000000,00000000,000000FF,00000000,000000291DD6AE80,000000014000A7F9), ref: 0000000140009758
GetModuleHandleA.KERNEL32 ref: 0000000140009785
GetProcAddress.KERNEL32 ref: 00000001400097D8

Strings

EncodePointer, xrefs: 00000001400097CE
KERNEL32.DLL, xrefs: 0000000140009751
.mixcrt, xrefs: 00000001400097B0

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$EncodePointer$KERNEL32.DLL
API String ID: 2623865758-1746336069
Opcode ID: 04a82fa2b4dc97318644e544b7a3c25bda97dcaa68107be8373914f423a6f31d
Instruction ID: ae5fb41b053417639b25e2cf9ef6e8e0474738bc5279776a43872fb6f5a23f42
Opcode Fuzzy Hash: 04a82fa2b4dc97318644e544b7a3c25bda97dcaa68107be8373914f423a6f31d
Instruction Fuzzy Hash: 5B218E7272964081EA9ACF13B8903A963A0FB8CBD0F584125FB4E477B4DF39C991C300

Function 0000000140009810 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 0000000140009830
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 000000014000984B
GetModuleHandleA.KERNEL32 ref: 0000000140009872
GetProcAddress.KERNEL32 ref: 00000001400098B8

Strings

DecodePointer, xrefs: 00000001400098AE
KERNEL32.DLL, xrefs: 0000000140009844
.mixcrt, xrefs: 0000000140009890

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$DecodePointer$KERNEL32.DLL
API String ID: 2623865758-2532145718
Opcode ID: c722a5086784012492d5ee2abac1855d1e56883be0d01cfe2006c32ad227457d
Instruction ID: 75ea18e8699dab9b6540fdcea537d546ae0372394f9251e9d6ba3d1e566c35d5
Opcode Fuzzy Hash: c722a5086784012492d5ee2abac1855d1e56883be0d01cfe2006c32ad227457d
Instruction Fuzzy Hash: 47216DB2605A4085FA56DF17B8803A923A0FB8EBD0F588525FB0A473B0EF39C955C310

Function 0000000140009650 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000014000DF36,?,?,00000000,000000014000DFD3), ref: 0000000140009670
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,000000014000DF36,?,?,00000000,000000014000DFD3), ref: 000000014000968B
GetModuleHandleA.KERNEL32 ref: 00000001400096B2
GetProcAddress.KERNEL32 ref: 00000001400096F8

Strings

EncodePointer, xrefs: 00000001400096EE
KERNEL32.DLL, xrefs: 0000000140009684
.mixcrt, xrefs: 00000001400096D0

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: HandleModule$AddressProcValue
String ID: .mixcrt$EncodePointer$KERNEL32.DLL
API String ID: 2623865758-1746336069
Opcode ID: eb8f05a993eacb5955facd4b650662d48a7cd4898c68b99beacfa34ecbb186c6
Instruction ID: 1a4f57ea4bbfa57ff532217dcfaa5fac17cfa0951257d8e94b5f042d90b26526
Opcode Fuzzy Hash: eb8f05a993eacb5955facd4b650662d48a7cd4898c68b99beacfa34ecbb186c6
Instruction Fuzzy Hash: 9C216DB230564095EA6ADF17B8843A923A0FB8DBD1F594525FB0E472B0EF3AC955C310

Function 00000001400068D0 Relevance: 12.1, APIs: 8, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140006902
SysAllocString.OLEAUT32 ref: 0000000140006910

Part of subcall function 0000000140003D80: LoadLibraryExW.KERNEL32 ref: 0000000140003DFC

SysFreeString.OLEAUT32 ref: 0000000140006937
SysAllocString.OLEAUT32 ref: 0000000140006945
SysFreeString.OLEAUT32 ref: 000000014000696C
SysAllocString.OLEAUT32 ref: 000000014000697A
SysFreeString.OLEAUT32 ref: 00000001400069A6
SysAllocString.OLEAUT32 ref: 00000001400069B4

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: String$AllocFree$LibraryLoad
String ID:
API String ID: 336150422-0
Opcode ID: 17e4087f2d49b551f69a155f80846d24a5256065083d9264ddf015d6082900ac
Instruction ID: 13f04ccc3c4197641218a6eaf8b335fa3a6ce54e3c5af37b0787e12c1b99f4bd
Opcode Fuzzy Hash: 17e4087f2d49b551f69a155f80846d24a5256065083d9264ddf015d6082900ac
Instruction Fuzzy Hash: 52316C71201B4081EA66DF22B4507A863AAEB4CFD4F281519EF9D17B78DF78C8A0C344

Function 0000000140010BE0 Relevance: 10.7, APIs: 7, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010C3A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010C59
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010CFF
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010D59
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010D92
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010DCF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,00000001,?,00000000,?,?,?), ref: 0000000140010E0E

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: e551bfb1a3c9b5a9b1bbc3a5e8b31f62cd28ae90f62672de15472cf0ebaf50b5
Instruction ID: 6317321582124530fb489dd5b2d0adbcef58524e8cfcd5ddd33716e986da0b9a
Opcode Fuzzy Hash: e551bfb1a3c9b5a9b1bbc3a5e8b31f62cd28ae90f62672de15472cf0ebaf50b5
Instruction Fuzzy Hash: BF61CF322006908AE762DF23A44079A76E5F74C7E8F544729BFA94BBE8DBB5C545C700

Function 0000000140004780 Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 00000001400047AA
CharNextW.USER32 ref: 00000001400047E4
CharNextW.USER32 ref: 00000001400047FC
CharNextW.USER32 ref: 0000000140004811
CharNextW.USER32 ref: 0000000140004820
CharNextW.USER32 ref: 0000000140004883
CharNextW.USER32 ref: 00000001400048B0

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: f59abddbf1fd02cdc63a1bb2b2ae5c41e0f6d637e245e11e1186070e0f56db7b
Instruction ID: 394b6348edb067444a74d9bf7669875ca76a3c79a07af01202208422f2330148
Opcode Fuzzy Hash: f59abddbf1fd02cdc63a1bb2b2ae5c41e0f6d637e245e11e1186070e0f56db7b
Instruction Fuzzy Hash: 334160B6610A80C0EB628F26F5843BD73A1E759BC4F54D411EB89872B5EF7CC890C348

Function 0000000140006770 Relevance: 10.6, APIs: 7, Instructions: 96librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000001400067BC
lstrlenW.KERNEL32 ref: 00000001400067DA
WideCharToMultiByte.KERNEL32 ref: 000000014000684A
GetProcAddress.KERNEL32 ref: 0000000140006868
FreeLibrary.KERNEL32 ref: 0000000140006876
GetLastError.KERNEL32 ref: 000000014000687C
FreeLibrary.KERNEL32 ref: 0000000140006897

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Library$Free$AddressByteCharErrorLastLoadMultiProcWidelstrlen
String ID:
API String ID: 3778413393-0
Opcode ID: bce2ea9d7b4ee41ba30f3d5557932fb2a1319cae0f9dd11cc8b83f8e7cfa2978
Instruction ID: 07446b38bb8bdb0609074874d0b2edfa43dfd030d52623a524dd5c7a398b1203
Opcode Fuzzy Hash: bce2ea9d7b4ee41ba30f3d5557932fb2a1319cae0f9dd11cc8b83f8e7cfa2978
Instruction Fuzzy Hash: 39318F72700A408AEB56DF73A8503E963A1B74CBE4F588325FB2A5BBA5DF39C555C300

Function 0000000140005A20 Relevance: 10.6, APIs: 7, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140005A69
RegCloseKey.ADVAPI32 ref: 0000000140005A85
RegEnumKeyExW.ADVAPI32 ref: 0000000140005ACC
RegEnumKeyExW.ADVAPI32 ref: 0000000140005B27
RegCloseKey.ADVAPI32 ref: 0000000140005B3B
RegDeleteKeyW.ADVAPI32 ref: 0000000140005B4C
RegCloseKey.ADVAPI32 ref: 0000000140005B5E

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Close$Enum$DeleteOpen
String ID:
API String ID: 3743465055-0
Opcode ID: f3fcf5deffb6c8d8a9b88af1116a3685ddaed291210e93f6a2d4586c23a9b34b
Instruction ID: b019c28b169f28f475720c538267a3a55dd21a70e5ea9b784bdb3fd0edc814e1
Opcode Fuzzy Hash: f3fcf5deffb6c8d8a9b88af1116a3685ddaed291210e93f6a2d4586c23a9b34b
Instruction Fuzzy Hash: 3941E832209B818AEB61DF56F48439AB3A4F78E7C4F540125EB8D87A29DF79C554CB00

Function 0000000140009D10 Relevance: 10.6, APIs: 7, Instructions: 65memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A3D0: _initp_misc_winsig.LIBCMT ref: 000000014000A409

FlsFree.KERNEL32(?,?,?,?,0000000140008877), ref: 0000000140009D2D
TlsFree.KERNEL32(?,?,?,?,0000000140008877), ref: 0000000140009D48
FlsAlloc.KERNEL32(?,?,?,?,0000000140008877), ref: 0000000140009D6B
FlsSetValue.KERNEL32(?,?,?,?,0000000140008877), ref: 0000000140009DAD
GetCurrentThreadId.KERNEL32 ref: 0000000140009DC1
FlsFree.KERNEL32(?,?,?,?,0000000140008877), ref: 0000000140009DEB
TlsFree.KERNEL32(?,?,?,?,0000000140008877), ref: 0000000140009E06

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Free$AllocCurrentThreadValue_initp_misc_winsig
String ID:
API String ID: 107886278-0
Opcode ID: b929533e0671a6e5c611aac2a6ee017ad5d7ece60e390c61d60e3c596ce1a23f
Instruction ID: 3bff2ed77edb5c191528af975eaf2a1124bc269f9bd8c9b7f766ca65d086a349
Opcode Fuzzy Hash: b929533e0671a6e5c611aac2a6ee017ad5d7ece60e390c61d60e3c596ce1a23f
Instruction Fuzzy Hash: 2A31E6B02016408AE667EB27B8543E832A2AB4D7F0F544716F7764B2F5DB3D8855C711

Function 000000014000FC70 Relevance: 9.2, APIs: 6, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,00000020,00000100,000000014000FFEC), ref: 000000014000FCC8
GetLastError.KERNEL32(?,?,?,?,00000001,00000020,00000100,000000014000FFEC), ref: 000000014000FCDE

Part of subcall function 0000000140007CB0: RtlAllocateHeap.NTDLL(?,?,00000018,000000014000863E), ref: 0000000140007D11

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,00000020,00000100,000000014000FFEC), ref: 000000014000FD6E
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,00000020,00000100,000000014000FFEC), ref: 000000014000FE15
GetStringTypeW.KERNEL32(?,?,?,?,00000001,00000020,00000100,000000014000FFEC), ref: 000000014000FE2C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,00000020,00000100,000000014000FFEC), ref: 000000014000FE8B

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocateErrorHeapLast
String ID:
API String ID: 2745877085-0
Opcode ID: 2d872b0adf7ba7d2871e920d509bcad3f25c3b68bfdc671c87f031c477609bc0
Instruction ID: 16f74f7ca4b09c8b3081ba7970ef4a07ed170db65753c3d2299b50a402f20fa8
Opcode Fuzzy Hash: 2d872b0adf7ba7d2871e920d509bcad3f25c3b68bfdc671c87f031c477609bc0
Instruction Fuzzy Hash: 02616F722006408AEB62DF67A8447E967E6F75C7E4F188216FF5847BE5DB38C841E740

Function 0000000140003D80 Relevance: 9.1, APIs: 6, Instructions: 144libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008D70: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000018,00000001400086CF), ref: 0000000140008E2E

LoadLibraryExW.KERNEL32 ref: 0000000140003DFC
FindResourceW.KERNEL32 ref: 0000000140003E24
FreeLibrary.KERNEL32 ref: 0000000140003F5A

Part of subcall function 0000000140003920: GetLastError.KERNEL32 ref: 0000000140003924

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Library$ErrorExceptionFindFreeLastLoadRaiseResource
String ID:
API String ID: 892957270-0
Opcode ID: 59058bdeb21384eaf38344b5b9e89f3bb5ac91f8828ba5da316856deaca3f3e4
Instruction ID: 5fe4c7e5277afb93f041e64654ff3e7e9e13adc8379cbccb8c5b0abc5e1c7d80
Opcode Fuzzy Hash: 59058bdeb21384eaf38344b5b9e89f3bb5ac91f8828ba5da316856deaca3f3e4
Instruction Fuzzy Hash: 42517CB1614A8192EA23DB27B4443DA62A5B78C7D4F544225BB5E47BF5EF38C445CB00

Function 0000000140006A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140006ABF
GetProcAddress.KERNEL32 ref: 0000000140006AE1
FreeLibrary.KERNEL32 ref: 0000000140006AF2

Strings

DriverPackageInstallW, xrefs: 0000000140006AD7

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageInstallW
API String ID: 145871493-1557024896
Opcode ID: ad13ce8e90106e3d23d55296b6aa1afe08c71676569c4a0daa71f5bc84574625
Instruction ID: fc7064887699694463a3603abac31cd9421955c2c8fa4a3ec4204a6c08f8c1aa
Opcode Fuzzy Hash: ad13ce8e90106e3d23d55296b6aa1afe08c71676569c4a0daa71f5bc84574625
Instruction Fuzzy Hash: 0C212871208B8586DA61DF26B48039AB3E1F78CBD0F544225EB8E97B24DF3CC550CB04

Function 0000000140006BA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140006BCF
GetProcAddress.KERNEL32 ref: 0000000140006BF1
FreeLibrary.KERNEL32 ref: 0000000140006C02

Strings

DriverPackageUninstallW, xrefs: 0000000140006BE7

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageUninstallW
API String ID: 145871493-4209722632
Opcode ID: e57e9ef10a0701066ad32de9108aa70aa811b964640e6cd72c7fdf24202ef75d
Instruction ID: 1096094bde0ad90953be29f6b226ca74e06b6ef831a59b7f23eb955bbaafcce9
Opcode Fuzzy Hash: e57e9ef10a0701066ad32de9108aa70aa811b964640e6cd72c7fdf24202ef75d
Instruction Fuzzy Hash: A6210875608B8586EA61DF26B4403AAB3A1F78CBD0F544125EBCE97B24DF3CD554CB04

Function 0000000140006CB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140006CD6
GetProcAddress.KERNEL32 ref: 0000000140006CF5
FreeLibrary.KERNEL32 ref: 0000000140006D03

Strings

DriverPackageGetPathW, xrefs: 0000000140006CEB

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageGetPathW
API String ID: 145871493-341743864
Opcode ID: 8de6b942fc09e176f4140ce81dac8a49f2cbfceccf5ecffd60a5886ab4385e5a
Instruction ID: f70a815cc4d76992572ae720ad04f251c621e6362f727f132fa8b7d76ca416e6
Opcode Fuzzy Hash: 8de6b942fc09e176f4140ce81dac8a49f2cbfceccf5ecffd60a5886ab4385e5a
Instruction Fuzzy Hash: BE019E70704B8181EA06DB27B4803AA63A1B74DFC0F188525FF4A4B735DE3DC550C344

Function 00000001400069F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140006A16
GetProcAddress.KERNEL32 ref: 0000000140006A35
FreeLibrary.KERNEL32 ref: 0000000140006A43

Strings

DriverPackagePreinstallW, xrefs: 0000000140006A2B

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackagePreinstallW
API String ID: 145871493-4107050277
Opcode ID: 75588534261cd469da6dce99f0b67e94f3f54ff7d639e7defc3a5fcd10bf9daf
Instruction ID: a2fdc704a951cd60b19c8674131b29f1059c8ae21f451ef8ff6c0d580343bda7
Opcode Fuzzy Hash: 75588534261cd469da6dce99f0b67e94f3f54ff7d639e7defc3a5fcd10bf9daf
Instruction Fuzzy Hash: 94017C34704B4186EA46EB27B9903AA23A1A74DFD0F189124FF4A9B735EE3DC9508741

Function 000000014000BD60 Relevance: 7.7, APIs: 5, Instructions: 206COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 000000014000BD86

Part of subcall function 0000000140009EA0: Sleep.KERNEL32(?,?,00000000,0000000140009AA3,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009EF0

GetFileType.KERNEL32 ref: 000000014000BF10

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: 4df84c35290e4683d9bd798ff334aa7d538ef82fd7fb1af0dc37176ece914833
Instruction ID: 9471ee7449e52aeb558bd6871fa27edf9f3eb90a25fa9023bc5a9eb0fdf83c31
Opcode Fuzzy Hash: 4df84c35290e4683d9bd798ff334aa7d538ef82fd7fb1af0dc37176ece914833
Instruction Fuzzy Hash: F491BEB261578082EB16CB26E8447A937A5F7097F4F284325EB7A473F0DB39C856C702

Function 000000014000BC40 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,00000001400088BB), ref: 000000014000BC4E
GetLastError.KERNEL32(?,?,?,?,?,?,00000001400088BB), ref: 000000014000BC6E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,00000001400088BB), ref: 000000014000BCAB
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000001400088BB), ref: 000000014000BCCB

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: 5006ef4a9dc5078a64f5a54dd97592bbfff0ed1973293bfb718c5239064cf407
Instruction ID: cabd106a918cf6efeb3da1629f2adf4615151986d7cd2d35520c79fe58624db5
Opcode Fuzzy Hash: 5006ef4a9dc5078a64f5a54dd97592bbfff0ed1973293bfb718c5239064cf407
Instruction Fuzzy Hash: 07318072614A8082E752DF22B84178A67E1F79DBD4F580225FB4A87BB5DF3DC415CB00

Function 000000014000C110 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000C14F
GetCurrentProcessId.KERNEL32 ref: 000000014000C15A
GetCurrentThreadId.KERNEL32 ref: 000000014000C166
GetTickCount.KERNEL32 ref: 000000014000C172
QueryPerformanceCounter.KERNEL32 ref: 000000014000C183

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: dc5e6db3c9fc569cf7ad5c5d3ad850c1dea742063448d06771bfadc1da07ed0c
Instruction ID: b162794871e20c798f093b6e039440ae69a3cec213e5525b85d6d5ec47f40e55
Opcode Fuzzy Hash: dc5e6db3c9fc569cf7ad5c5d3ad850c1dea742063448d06771bfadc1da07ed0c
Instruction Fuzzy Hash: 93011735255A4086EB92CF66F98038563A0F75DBD0F456220EF9E4B7A4DA39C9958700

Function 0000000140009B00 Relevance: 7.5, APIs: 5, Instructions: 41threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B0A
FlsGetValue.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B18
SetLastError.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B73

Part of subcall function 0000000140009EA0: Sleep.KERNEL32(?,?,00000000,0000000140009AA3,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009EF0

FlsSetValue.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B44

Part of subcall function 00000001400098E0: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140009AC8,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009906
Part of subcall function 00000001400098E0: GetModuleHandleA.KERNEL32 ref: 0000000140009949
Part of subcall function 00000001400098E0: GetProcAddress.KERNEL32 ref: 0000000140009998
Part of subcall function 00000001400098E0: GetProcAddress.KERNEL32 ref: 00000001400099B0
Part of subcall function 00000001400098E0: _lock.LIBCMT ref: 00000001400099F8

GetCurrentThreadId.KERNEL32 ref: 0000000140009B58

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProcValue$CurrentSleepThread_lock
String ID:
API String ID: 571222345-0
Opcode ID: d027afce3a2dbe4c94a0228fa27202679bdb9b96737eafa30790710b5944a21d
Instruction ID: eeb77941ae52406264e4807c2b5e16c59350df745ff38bdeb11929c7b9d01afc
Opcode Fuzzy Hash: d027afce3a2dbe4c94a0228fa27202679bdb9b96737eafa30790710b5944a21d
Instruction Fuzzy Hash: 0601407420460086EB47EF67B4553E872A1AB8CBE0F088624FB2A0B3F5DF3DC854C610

Function 0000000140009A70 Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009A7A
FlsGetValue.KERNEL32(?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009A88
SetLastError.KERNEL32(?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009AE3

Part of subcall function 0000000140009EA0: Sleep.KERNEL32(?,?,00000000,0000000140009AA3,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009EF0

FlsSetValue.KERNEL32(?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009AB4

Part of subcall function 00000001400098E0: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140009AC8,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140009906
Part of subcall function 00000001400098E0: GetModuleHandleA.KERNEL32 ref: 0000000140009949
Part of subcall function 00000001400098E0: GetProcAddress.KERNEL32 ref: 0000000140009998
Part of subcall function 00000001400098E0: GetProcAddress.KERNEL32 ref: 00000001400099B0
Part of subcall function 00000001400098E0: _lock.LIBCMT ref: 00000001400099F8

GetCurrentThreadId.KERNEL32 ref: 0000000140009AC8

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProcValue$CurrentSleepThread_lock
String ID:
API String ID: 571222345-0
Opcode ID: d01c40fbfd763e388365c1118e7d9390050dd5e16c5c43d6f823a2c5e29dbbd3
Instruction ID: 0d0ac4276aebd0a7bf11c1a3b93b4b6f2caaaf0f2d9b337411a14cfd951df5ec
Opcode Fuzzy Hash: d01c40fbfd763e388365c1118e7d9390050dd5e16c5c43d6f823a2c5e29dbbd3
Instruction Fuzzy Hash: B2014F7030464086EB57DF63B8443A922A2EB4DBE0F088224FB2A073F5DE3DC854C611

Function 0000000140004000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131stringCOMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(00000000,00000000,?,000000A7,0000000140003F55), ref: 00000001400040F2

Part of subcall function 0000000140004780: CharNextW.USER32 ref: 00000001400047AA

lstrcmpiW.KERNEL32(00000000,00000000,?,000000A7,0000000140003F55), ref: 00000001400040B8
CharNextW.USER32(?,000000A7,0000000140003F55), ref: 00000001400041BB

Strings

{, xrefs: 0000000140004125

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CharNext$FreeTasklstrcmpi
String ID: {
API String ID: 1742080907-366298937
Opcode ID: bb4d96ec4c857a4eaaa59afc435f0604d2e485896decc27f88533af6628f4617
Instruction ID: f99873b7ea626a01759df4f800aa56d2989b064873774d0420cb41baa8cd81d0
Opcode Fuzzy Hash: bb4d96ec4c857a4eaaa59afc435f0604d2e485896decc27f88533af6628f4617
Instruction Fuzzy Hash: 7B5179F66047C096E722CB63B8443DA62A5FB5DBC4F404016FF4997AABEB39C594C708

Function 000000014000F2F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140009810: FlsGetValue.KERNEL32(00000000,00000000,00000000,000000014000AA65,?,?,00000018,0000000140007D63,?,?,00000018,000000014000863E), ref: 0000000140009830

Part of subcall function 000000014000ADF0: RtlCaptureContext.KERNEL32 ref: 000000014000AE01
Part of subcall function 000000014000ADF0: IsDebuggerPresent.KERNEL32 ref: 000000014000AE45
Part of subcall function 000000014000ADF0: SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000AE4F
Part of subcall function 000000014000ADF0: UnhandledExceptionFilter.KERNEL32 ref: 000000014000AE5A
Part of subcall function 000000014000ADF0: GetCurrentProcess.KERNEL32 ref: 000000014000AE70
Part of subcall function 000000014000ADF0: TerminateProcess.KERNEL32 ref: 000000014000AE7E

GetModuleHandleA.KERNEL32 ref: 000000014000F35D
GetProcAddress.KERNEL32 ref: 000000014000F372

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 000000014000F368
kernel32.dll, xrefs: 000000014000F356

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$AddressCaptureContextCurrentDebuggerHandleModulePresentProcTerminateValue
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1369895830-3733552308
Opcode ID: 2091817aa61ea7825bbbe569a1edacde4b7752aeb3cd27cd116cf0d0672159ad
Instruction ID: bdbf1da68d3d41dcf7f4f6d943ac6a6cbafc2df47ab970bdf34f0b970a685195
Opcode Fuzzy Hash: 2091817aa61ea7825bbbe569a1edacde4b7752aeb3cd27cd116cf0d0672159ad
Instruction Fuzzy Hash: 2E211DB1618B4082EB56DB27B8413EAA3A5B78C7D0F488426BB4947BB5EF78C550E700

Function 0000000140003780 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(?,?,?,0000000140003638), ref: 00000001400038D4
RaiseException.KERNEL32(?,?,?,0000000140003638), ref: 00000001400038EA
RaiseException.KERNEL32(?,?,?,0000000140003638), ref: 0000000140003900
RaiseException.KERNEL32(?,?,?,0000000140003638), ref: 0000000140003916

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4a18638358b747a17dbd426da0377a8545338b3b54378e3b27b233b729e9b4cf
Instruction ID: 4a2847cc7c7aa90527958bbdbad992b62c894aca6991817683f9fbd5eb86c965
Opcode Fuzzy Hash: 4a18638358b747a17dbd426da0377a8545338b3b54378e3b27b233b729e9b4cf
Instruction Fuzzy Hash: 56415B76A0174086EB5ADF62F0917A87364EB88FC8F048556EF4907A69CF35D860C7C1

Function 0000000140006D4C Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

UnregisterClassA.USER32 ref: 0000000140006D9A
DeleteCriticalSection.KERNEL32 ref: 0000000140006DCB
RaiseException.KERNEL32 ref: 0000000140006DFA
DeleteCriticalSection.KERNEL32 ref: 0000000140006E11

Part of subcall function 0000000140007D80: HeapFree.KERNEL32(?,?,?,?,0000000140009ADF,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140007D95
Part of subcall function 0000000140007D80: GetLastError.KERNEL32(?,?,?,?,0000000140009ADF,?,?,00000000,000000014000AA19,?,?,?,?,000000014000A13E), ref: 0000000140007DAC

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: CriticalDeleteSection$ClassErrorExceptionFreeHeapLastRaiseUnregister
String ID:
API String ID: 1206551879-0
Opcode ID: 91435394ab6e743da923c66a5d87946990130f3ed7213a09380a91c9a3e50276
Instruction ID: 41a1e5a314865bcd39a12c66255922bda9583cab0e53e67b3947df34a3a2355f
Opcode Fuzzy Hash: 91435394ab6e743da923c66a5d87946990130f3ed7213a09380a91c9a3e50276
Instruction Fuzzy Hash: 9C31ADB2B01A50CBEBA6CF76E4403AC3362F748FD9F044512EB091B6A9DB39C495CB41

Function 0000000140002EA0 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140002EE0
SysFreeString.OLEAUT32 ref: 0000000140002EEA
SysFreeString.OLEAUT32 ref: 0000000140002EF4
SysFreeString.OLEAUT32 ref: 0000000140002EFE

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 75259e011e96797357a26998b3284095cf8c11667bddfbfe298c84a7f6ee9f82
Instruction ID: c624b3e1881ca39c98e9bf8b87058c484f9f53710e292b1df5edd0c71e5554cf
Opcode Fuzzy Hash: 75259e011e96797357a26998b3284095cf8c11667bddfbfe298c84a7f6ee9f82
Instruction Fuzzy Hash: F201EC36204A40D2D7119B17E9543AD7370F789FE4F554222EBAE47BB0CF7AD4A58305

Function 0000000140002730 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140002761
SysFreeString.OLEAUT32 ref: 000000014000276B
SysFreeString.OLEAUT32 ref: 0000000140002775
SysFreeString.OLEAUT32 ref: 000000014000277F

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: cf1a647d41d3a40fc2c7f8b2315f3acb01944462ad085d9c09299d08b6f237be
Instruction ID: 5c3e04bb9e185b1ff1418fc21a76f5ea13150d2fc584fb03f7634a595e1749a4
Opcode Fuzzy Hash: cf1a647d41d3a40fc2c7f8b2315f3acb01944462ad085d9c09299d08b6f237be
Instruction Fuzzy Hash: D2F0B236214A40A6EB059B27E9943AC6360FB8CFD4F154122EB4E47B71CF79C4A58301

Function 000000014000B7D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00000001400088D3), ref: 000000014000B7FA

Strings

b"R, xrefs: 000000014000B800
C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe, xrefs: 000000014000B7DF

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe$b"R
API String ID: 514040917-800796288
Opcode ID: ca0d4a9aec24cda91fd899d91c9d077b8397f3bcd38fba9c4c30f7c9e936448c
Instruction ID: 4faef6cd9119616019cd520f269803aadb78a8c6077b6c3bd3408ce767b2b930
Opcode Fuzzy Hash: ca0d4a9aec24cda91fd899d91c9d077b8397f3bcd38fba9c4c30f7c9e936448c
Instruction Fuzzy Hash: 9761AEF2A1524082EF6BCF56B5103EA62E4AB19BE1F489625FF55076F4EB38C981C700

Function 000000014000CD53 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140009B00: GetLastError.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B0A
Part of subcall function 0000000140009B00: FlsGetValue.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B18
Part of subcall function 0000000140009B00: FlsSetValue.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B44
Part of subcall function 0000000140009B00: GetCurrentThreadId.KERNEL32 ref: 0000000140009B58
Part of subcall function 0000000140009B00: SetLastError.KERNEL32(?,?,?,000000014000B139,?,?,?,?,0000000140008589), ref: 0000000140009B73

RaiseException.KERNEL32 ref: 000000014000CD9D
RaiseException.KERNEL32 ref: 000000014000CDBA

Strings

csm, xrefs: 000000014000CDEE

Memory Dump Source

Source File: 0000000A.00000002.1947150744.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000A.00000002.1947109902.0000000140000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947269709.0000000140019000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1947322760.000000014001C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_140000000_ISBEW64.jbxd

Similarity

API ID: ErrorExceptionLastRaiseValue$CurrentThread
String ID: csm
API String ID: 2851347870-1018135373
Opcode ID: 78ad4014457cc221843bc20e1246d3056fe9fd3c8d1c3b8d194aa845ee097230
Instruction ID: 6e6ce4621ea2cea8246a26b9b1008db0e3bc9a34be77f0225e63998a4cf643f5
Opcode Fuzzy Hash: 78ad4014457cc221843bc20e1246d3056fe9fd3c8d1c3b8d194aa845ee097230
Instruction Fuzzy Hash: A4313C7621568182E672DF12F080B9E73A5F78CBE0F144221EF9A07BA5DF39D846CB41

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ALC700V1.0.0.7a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4280aa.rbs

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.application

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe.manifest

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.pdb

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.xml

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.4.exe

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.5.exe

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.6.exe

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Help_CN.chm

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Help_US.chm

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Init.ini

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\PrintConfigTemp.hgm

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\en-US\ALC700.resources.dll

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\fonts.h

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\fonts.h.bak

C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll

Windows Analysis Report
ALC700V1.0.0.7a.exe